The warning comes after the College breached the UK's Data Protection Act when a member of staff lost their camera, which held a memory card containing the passport images of six job applicants. The incident occurred in December last year, and the organization had no guidance in place explaining how personal information stored for work should be looked after on personal devices.
“Mishaps and breaches are showing us time and time again that rather than simply thinking about whether or not employees should be able to use personal equipment, we need to consider how best to give people access to the tools and services they need to be productive,” said Nicholas Banks, EMEA head of sales for Imation, in a comment to Infosecurity. “Taking a productivity-led approach means we’re better able to ensure that measures like encryption and data management policies are in place to secure corporate data on both corporate and personal devices. Monitoring, management and audit tracking capabilities are also vital so that we can show when, where and how data is accessed, downloaded and stored on devices.”
With a YouGov survey earlier this year showing that 47% of all UK employees now use their smartphone, tablet PC or other portable device for work purposes, there is a concern that many organizations are failing to update their data protection policies to account for this growing trend, the ICO said.
“Organizations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this,” said ICO Head of Enforcement, Stephen Eckersley, in a statement. “It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes so it’s crucial employers are providing guidance and training to staff which covers this use.”
The ICO has published guidance on the growing bring-your-own-device (BYOD) trend, explaining some of the key issues that organizations need to be aware of when allowing staff to use personal devices for work. That includes being clear with staff about which types of personal data may be processed on personal devices and which may not; using a strong password to secure devices; enabling encryption so that data is stored securely on the device; and ensuring that access to the device is locked, or its data automatically deleted, if an incorrect password is entered too many times. Users should also register devices with a remote locate-and-wipe facility to maintain the confidentiality of the data in the event of loss or theft.
The ICO also warned that public cloud-based sharing and public backup services that have not been fully assessed should be used with extreme caution, “if at all.”
“The Information Commissioner’s Office rightly draws attention to the need for clarity on both what we mean by BYOD and how policies are implemented,” said Banks. “It’s clear that individual staff members and departments can have very different opinions on the topic of BYOD, and this is where uncertainty and risk can arise.”