Organisations must have a proper BYOD policy, says ICO
Information Commissioner's Office warns that employees need guidance as to how to handle data on personal devices
The Information Commissioner's Office (ICO) has warned organisations that they must ensure that they have a proper bring-your-own-device (BYOD) policy in order to protect against the risks that come with using personal smartphones and tablets to process work-related information.
While many organisations already allow staff to use their own devices in the workplace, many don't have proper procedures in place to ensure the confidentiality of data. The ICO cites the example of The Royal Veterinary College, which received a warning for losing data last year.
A Royal Veterinary College employee lost a camera and a memory card that contained the passport photos of six job applicants. The organisation had no policy regarding how confidential work-related information should be stored on personal devices.
"As the line between our personal and working lives becomes increasingly blurred it is critical employers have a clear policy about personal devices being used at work," said Simon Rice, group manager for the technology team at the ICO.
"The benefits must be balanced against the potential risks to work-related personal data but the organisation should not underestimate the level of effort which may be required to ensure that the processing of personal data with BYOD remains compliant with all eight principles of the Data Protection Act.
"Remember, it is the employer who is held liable for any breaches under the DPA," Rice added.
The ICO has listed a number of "key" BYOD recommendations. They include ensuring devices and data transfers are secure, retaining control of devices to such an extent that if lost they can be remotely wiped, and ensuring that employees are made aware of an acceptable use policy.
Guidance on BYOD and proper BYOD policy is provided by the ICO in a document that can be viewed online for free.