The use of smartphones, tablets and other mobile devices among the working population is now commonplace. With an increasing number of employees using their personal mobile devices for work use, Mackrell Turner Garrett Corporate Solicitor Maung Aye looks at the most recent warning issued by the Information Commissioner’s Office (ICO)…

Recent surveys carried by YouGov this year have shown the increasing trend for individuals to use their personal mobile devices for work purposes. Its Consumerisation of IT report in the earlier part of 2013 showed that 31 per cent of senior managers used personal smartphones for work purposes while only 23 per cent of businesses have a Bring Your Own Device (BYOD) policy.

The most recent survey carried out by YouGov between 27 February and 1 March 2013, which was commissioned by the ICO, revealed that 47 per cent of all UK adults now use their personal smart phone, laptop or tablet computer for work purposes, with this trend steadily increasing.

Where businesses have previously taken a somewhat laissez faire approach to their employees on this matter, several recent cases have highlighted the need for businesses to take a more formal approach, with the adoption of specific BYOD policies as part of their general data protection policies.

Anyone who processes personal information must comply with the eight data protection principles set out in Schedule 1 to the Data Protection Act (DPA):

  • personal data shall be processed fairly and lawfully
  • personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
  • personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
  • personal data shall be accurate and, where necessary, kept up to date
  • personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
  • personal data shall be processed in accordance with the rights of data subjects under the DPA
  • appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  • personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

The ICO can take a wide range of actions against data controllers for serious breaches of the data protection principles. These include issuing monetary penalties of up to £500,000, prosecuting those who commit criminal offences under the DPA and serving enforcement notices and “stop now’” orders.

The ICO recently found that the Royal Veterinary College (RVC) breached the seventh principle of the DPA in December 2012 when a member of staff lost a personal camera. The camera contained a memory card with photos of the passports of six job applicants. At the time, the RVC had no policies or guidance dealing with how employees should look after work-related information stored on personal devices.

Since the data breach was relatively small, the RVC avoided any monetary penalty; instead, the ICO agreed for the RVC to undertake to provide mandatory, supervised training to all RVC staff whose role involves processing personal data. It also undertook to implement physical security measures to prevent unauthorised access to personal data together with any other appropriate security measures to protect against unlawful processing, accidental loss and destruction and/or damage.

The ICO highlighted the growing trend in the use of personal mobile devices for work purposes and issued guidance on the key issues that organisations need to be aware of and which they should incorporate into their BYOD policies including:

  • being clear with staff about which types of personal data may be processed on personal devices and which may not
  • using a strong password to secure any devices
  • enabling encryption to store data on the device securely
  • ensuring that access to the device is locked or data automatically deleted if an incorrect password is input too many times
  • using public cloud-based sharing and public back-up services, which have not been fully assessed, with extreme caution, if at all
  • registering devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.

Maung Aye
Mackrell Turner Garrett