Archive for the 'BYOD' Category

Information Commissioner publishes guidance on Bring Your Own Device

The UK’s Information Commissioner’s Office (ICO) has today published new guidance for employers on the use of personal (employee owned) devices for work purposes.

Bring Your Own Device (or BYOD) is a hot topic for many organisations. Many employees are seeking to use their own smartphone or tablet for work purposes. If properly implemented, a BYOD scheme can actually reduce the information security risks by making it easier for employees to access corporate data on their own device, thereby discouraging them from trying to find workarounds (such as emailing confidential information to a personal email address, or using a personal email address to carry out work business).

However, there are risks.

In November, Computer Weekly reported that the number of BYOD devices in use was set to double by 2014. However, Gartner predicts that through 2014 employee owned devices will be compromised by malware at more than double the rate of corporate owned devices.

A survey by the ICO, published alongside the new guidance, reveals that some 47% of those polled have used a personal device (whether a smartphone, tablet or laptop) for work purposes. However, only 27% of respondents said that their organisation had provided guidance on the use of personal devices for work purposes.

BYOD policy
This is worrying, as it opens up the employer and employee to a number of risks.

For example, if the employer turns a blind eye to BYOD (which would otherwise breach its information security policy), it will find itself in a very difficult position in the event of a data loss incident, not just with the ICO and any potential fine for a breach of the Data Protection Act, but also in terms of its ability to take disciplinary action against the employee.

A lack of a BYOD policy means that the employer has no cogent BYOD strategy setting out what is and isn’t acceptable: for example, the sorts of devices that are considered to have appropriate levels of security, password security, the employee’s responsibilities, and what happens if the device is lost or stolen.

The policy should also cover other issues such as who is responsible for voice and data costs, insurance, and what happens if the employee is unable to carry out his duties because the device has been lost or stolen.

The ICO’s guidance
The ICO’s guidance emphasises the importance of developing a BYOD policy and contains the following key recommendations:

  • Be clear with staff about which types of personal data may be processed on personal devices and which may not.
  • Use a strong password to secure your devices.
  • Enable encryption to store data on the device securely.
  • Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times.
  • Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all.
  • Register devices with a remote locate and wipe facility (mobile device management) to maintain confidentiality of the data in the event of a loss or theft.

The guidance also reminds organisations in the public sector that information held by employees on a personal device may be subject to disclosure under freedom of information legislation.

More information
To read our top tips for BYOD, follow this link.

To read the ICO’s new guidance, follow this link.

Brodies can help you develop a BYOD policy which suits your organisation. To discuss how we can assist please contact me or your usual Brodies contact.

Martin Sloan

Managing the legal risks with BYOD

I have an article in this month’s edition of Supply Management, the journal for the Chartered Institute of Purchasing and Supply.

The article looks at how organisations can manage some of the legal risks arising out of allowing staff to use their own smartphones, tablets and other devices for work purposes (“bring your own device” or “BYOD”).

In particular, I look at:

  • how to manage the information security risks and the benefits of mobile device management software as a way of controlling access to enterprise data;
  • the software licensing issues that can arise from allowing staff to access the enterprise network through a virtual desktop such as Citrix or from a device that isn’t owned by the employer; and
  • the importance of a BYOD policy, and what this should cover.

The article is essential reading for any organisation that allows (or is thinking of allowing) staff to access enterprise systems on their own devices. This applies regardless of whether such access is provided under a formal BYOD scheme or is done on a “turning a blind eye” basis.

As my employment law colleagues noted in our recent seminars on BYOD, the latter approach is likely to lead to problems, as the employer may be unable to take disciplinary action against the employee in the event of an information security breach. In contrast, a properly drafted BYOD policy will put the employer in a far better position – in terms of setting expectations with its employees (and managing misconduct) and compliance with its obligations under data protection laws.

You can read the article on the Supply Management website.

Martin Sloan

Peter McCorkell from Brodies Employment team blogs on BYOD following our recent seminar on managing the risks with BYOD.

Brodies Employment Blog

Last Thursday the Brodies Technology and Employment teams delivered a joint seminar in Edinburgh on the burgeoning practice of employers allowing employees to bring their own devices to work. The seminar looked at the pros and cons for both companies and employees and sparked a few interesting debates about some of the more controversial issues of BYOD. What happens, for instance, to company owned material and confidential documents stored on the employee’s device when the employment comes to an end? What challenges does a company face in managing the risk of data security breaches when the device is owned by the employee?

The seminar looked at the best ways to protect the company’s position and discussed how to develop an effective policy to regulate BYOD.

One of the interesting things to note from research for the seminar was that a large number of organisations do not have a BYOD policy…
