The Information Commissioner’s Office (ICO) has sounded the alarm bell over the rising level of BYOD – bring your own device – usage in organisations after a data loss incident at the Royal Veterinary College.
According to the ICO, the saga arose owing to the loss of an employee’s camera containing the passport images of six job applicants.
Citing a YouGov survey of earlier this year – showing that 47pc of all UK employees now use their smartphone, tablet PC or other portable device for work purposes – the UK data commissioner says there is a concern many organisations are failing to update their data protection policies to account for this growing trend.
The ICO adds that the Royal Veterinary College breached the Data Protection Act when a member of staff lost their camera, which included a memory card containing the passport images of six job applicants.
The incident occurred in December last year and the organisation had no guidance in place explaining how personal information stored for work should be looked after on personal devices.
Commenting on the incident, Stephen Eckersley, the ICO’s Head of Enforcement, said that organisations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this.
“It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes so its crucial employers are providing guidance and training to staff which covers this use,” he said.
Eckersley went on to say that the ICO has published guidance on the BYOD issue, and urges that organisations ensure that they follow the Registrar’s recommendations by ensuring their data protection policies reflect such usage.
These recommendations, ITSP notes, include advice to use a strong password to secure devices and enable encryption to store data on the device securely.
According to Chris McIntosh, CEO of ViaSat UK, who has been vociferous in his criticism of the ICO for several years, the reality in today’s office is that data can now be stored on all manner of devices.
“Many of these cannot easily be encrypted: while employees will always find new devices to bring into work. This means organisations must ensure that a strict data protection policy is not only put in place, but followed,” he said.
“Private data needs to be stored centrally on premise if it still needs to be accessed, or transferred to another encrypted device. Obviously the best practice for information such as passport details is to ensure data it is deleted as soon as it is longer required, to make sure it doesn’t fall into the wrong hands,” he added.
McIntosh went on to say that unless organisations implement a comprehensive approach to data protection that encompasses confidential data in all its forms, these businesses will continue to risk the damage to their reputation – as well increasingly strong penalties from bodies such as the ICO.