Checking work emails; updating work documents; accessing work files: are your staff in the 47% of employees who, in a YouGov Survey, said they used their own personal smartphone, tablet PC or other portable device for work purposes?
A recent fine and an undertaking highlight how being unaware of the risks posed by staff using their own devices for business purposes, and poor home working arrangements, can have damaging consequences for your finances and your reputation.
Smartphones and tablets. They are everywhere, with new devices being launched almost daily. There are five in my home alone (three phones and two tablets, in case you’re interested).
I would not describe myself as a geek, nor a hoarder. The five devices reflect the fact that there are two of us at home and we work; we have personal devices and devices for our professional work.
The most recent undertaking hints at the impact of blurring the lines between those distinctions: a personal camera was used for a professional work purpose of the Royal Veterinary College (RVC). The camera was stolen. The memory card in the camera contained the passport images of six job applicants. This personal information is valuable: to someone wishing to blag information or clone an identity; to the individuals concerned; and, as a record of business activity, to the RVC. The ICO notes the RVC “had no guidance in place explaining how personal information stored for work should be looked after on personal devices.”
The ICO published guidance on, and wrote about, the growing trend of Bring Your Own Device (BYOD) in March 2013. If you allow staff to create, access or store your business information – particularly personal data or sensitive personal data – you must recognise the following:
- You, as data controller, “…remain in control of the personal data for which [you are] responsible, regardless of the ownership of the device used to carry out the processing.” This means ensuring appropriate protections against unauthorised and unlawful processing – for example, processing that might be triggered by the theft or loss of a device, by the use of the device by a family member who may unwittingly access the information, or by the device leaving access to remote storage locations open between sessions.
- BYOD means the “user owns, maintains and supports the device.” This means you will have “significantly less control over the device” than you would have over a traditional corporately owned and provided device. Your ability to ensure systems are updated with the latest patches and security updates, to control what software and applications are installed on the device, and to ensure the employee uses passwords, PINs, encryption or other methods to protect their device is therefore limited.
- Security of personal information on such devices is only one of the issues you have to address. There are many others, for example: managing how long information is kept for; ensuring the personal information is not used for non-business purposes; ensuring the accuracy of the personal information; and providing access to the information should you receive a Subject Access Request.
How can I possibly make my employees’ devices secure?
You might well ask this! The ICO guidance does offer some solutions. Bottom line: a clear appreciation of the risks is essential.
If you are to allow BYOD: address all aspects of the ICO’s guidance. Articulate a clear decision on whether your staff are allowed to use their own devices to access, create and store business-related work that contains personal information, and provide clear, explicit guidance on the measures you require of your staff.
If you are not going to allow BYOD: recognise and appreciate why staff are asking to use, are tempted to use, or are already using their own devices. Is it because of ease of use (“turn it on and it quickly loads and works”, “it’s easy to use and understand”, “it’s very portable”)? Your ICT strategy, policies and procedures should seek to address these issues while ensuring they provide sufficient technical means to back up your policy decisions. For example:
- Decide what personal data can be accessed remotely, and deploy greater protections for the more sensitive personal data.
- Issue appropriate, portable ICT to the staff that need it.
- Ensure sufficient encryption.
- Ensure sufficient training, so the staff know how to use the equipment and recognise why the (practical) controls and procedures are in place.
£100,000: the impact of not addressing the risks posed by BYOD and home working
The impact of getting it wrong is shown by the £100,000 fine handed to Aberdeen City Council in August 2013. An employee was working from home. They were authorised to do this, and to access “relevant data remotely,” which included “highly personal, sensitive and confidential information” about “children, their family and their involvement with Social Work Services and other partner organisations such as the NHS.”
Aberdeen’s Data Protection Policy was found to be “impractical and ambiguous.” The key issue is why: Aberdeen “did not supply the necessary technical measures required to safeguard personal data” accessed by the employee when they worked at home.
The employee accessed the sensitive personal data via either the remote email system or a USB stick. But the employee was using their own PC. The PC did things that the employee was unaware of and that Aberdeen City Council was certainly blind to. The PC had a file transfer program installed. This did two things: it autosaved the files into the PC’s ‘My Documents’ folder and then “uploaded the entirety of [the] My Documents file…onto the internet….”
This is therefore a perfect example of the potential difficulties in controlling personal information where employees use their own devices. In this case the PC was “second hand” and the auto-upload program installed on it “by a previous owner.”
This demonstrates the risk of not knowing what software an employee may or may not have on their device, and what this means for the security of the personal information you are requiring them to access to do their job and which you remain responsible for.
The files uploaded included minutes of a core group meeting held about the child, a Looked After & Adopted Children Review minute and the child’s plan. Once uploaded, these were “accessible to all internet users by inputting specific search terms…such as the names of attendees at the meeting.”
The breach was deemed likely to cause substantial distress to those involved because:
- the personal information was “particularly sensitive,” identified “vulnerable members of the public” and provided “an appraisal of the lives of several families and individuals based on current and past events;”
- the information had been disclosed to third parties via the internet; and
- the individuals had “entrusted their detailed information” to Aberdeen City Council “on the basis that it would be dealt with in confidence.”
The ICO is clear that this breach would cause substantial distress even if the concerns about wider access to their personal information “do not actually materialise in practice.”
One final point: reputation
Aside from the £100,000 fine, there was untold reputational damage: a national newspaper was tipped off about the incident. They “located the data online” and published a story (albeit without identifying any of the individuals affected).