Data protection impact of bring your own device policies

Have you introduced a Bring Your Own Device Policy or are you thinking of introducing one?  Want to know what you need to know from a data protection perspective?  Here you go!

1.  Compliance Remains Your Responsibility!

When an organisation permits individuals to use their own devices to access corporate information (including personal data relating to customers or employees), the organisation remains responsible for complying with the DPA regardless of who owns the device which is used to access/retrieve/store the data.  The key issue will be security (and compliance with the 7th principle of the DPA), but security isn't the only issue.

2.  Audits

Audit the types of personal data which you control and which may be accessed by your employees' mobile devices - identify any categories of data which you would not want to be accessed/stored on an employee's own device and implement appropriate access restrictions - the more sensitive the data, the more likely that it shouldn't be capable of being accessed from an employee's own mobile device and that it should be subject to strict access controls.

Undertake a security audit to assess whether the use of employee mobile devices may introduce vulnerabilities into an otherwise secure corporate network - this needs to be audited and tested on an ongoing basis (and it may be sensible to audit end-user devices periodically to assess how much data is being stored locally on the device and any risk hot-spots e.g. end-users introducing apps from untrusted sources and introducing malware to the device/corporate systems).

3.  How Much Data Can You See (And Who's Data Is It)?

Assess whether the use of the employee's mobile device will result in the organisation having access to a wide-range of personal data about the individual (and potentially, other family members who also use the device for non-corporate purposes).

Be aware that corporate monitoring software has the potential to provide you with data about your employee's which isn't relevant to their corporate activities (e.g. mobile device management services which enable you to track and record the location of a device at any time in real time on a continuous basis).  Generally, you will need to revisit and refresh your fair processing notices if you are gaining access to more data about your employees as a result of your introduction of BYOD and any 'intrusive' monitoring of their non-corporate activities will need to be considered and justified.

You may also have the technical ability to 'wipe' data if security is compromised (or where a compromise is suspected).  Employees should be aware of the circumstances in which you may 'wipe' data and how much data will be 'wiped' from the end-user's device (e.g. is it limited to corporate information or will everything on the device get 'wiped').

4.  Policies

Ensure you have policies in place and that employees are actively made aware of and trained on the policies.  A range of related policies will be required in terms of BYOD, social media, data protection and IT acceptable use - these all need to be aligned and will need input from your IT and HR teams in particular (and remember that your end-user community will also add value to these policies - they know the capability and usage of their devices better than you and involving them in the policy development/review process will improve employee understanding and buy-in)!

5.  Security

As you would expect, the key concern is around security (so this section goes on a bit - skip over the bullet points if you don't want all the practical detail about security issues)!

Implement security measures which are designed to ensure that corporate personal data isn't compromised e.g. if the device is lost or stolen or somebody else other than the employee uses the device.  This is the organisation's obligation under the DPA and may include ensuring that:

  • Devices are password protected and data is encrypted.
  • There is no ability for users to remain logged-in between sessions (e.g. where data is stored remotely on a cloud-based service).
  • You understand the local storage capability of each end-user devices and that the user's ability to download data on to local storage media (e.g. an SD card) is restricted.
  • Additional levels of authentication are required where personal data (or sensitive categories of data) are being accessed through mobile devices.
  • Where the end-user ceases to be an employee, access to the corporate network is immediately restricted and that any corporate data held on the device is deleted.
  • Access to the device is locked or data automatically deleted if incorrect user-name/passwords are entered on multiple occassions.
  • The device automatically locks after short periods of inactivity (and requires a password to reactivate).
  • Data can be deleted from the device remotely by your IT team if it is lost, stolen or there is any suspicion that data may be compromised (and end-users fully understand how much data may be 'wiped' i.e. can deletion be restricted to corporate data or will all data on the device be wiped)?
  • There is a clear separation between personal use and corporate use of the device e.g. ensuring that different apps are installed for personal and corporate use; protecting against the risk of corporate data being inadvertently sent to personal contacts (e.g. where predictive e-mail addresses are utilised) - ideally, corporate apps/data/networks should be ring-fenced from personal apps/data/networks.
  • Where untrusted connections are being used (e.g. open wi-fi connections in cafes, hotels or on trains), an encrypted channel is used e.g. VPN or HTTPS.
  • That interfaces to other devices are disabled (e.g. wi-fi/bluetooth connections which may enable personal data to be printed/downloaded to storage devices) - again, end-users will need to understand in advance the implications of using their device on a BYOD basis if functionality may be impaired.
  • Data is not automatically backed-up to the end-user's back-up environment (e.g. a cloud-based data repository registered to the individual user in his personal capacity).

6.  Assess Each Device

Assess each device before it is enabled to access corporate data so that you understand any existing security vulnerabilities in the device's operating system or other software on the device.  Ensure that up-to-date security updates/patches are applied (personal devices may not have been updated with the same rigour as a corporate device) and assess how you can limit the risk of vulnerabilities being introduced (e.g. should the end-user have the discretion to install apps, which may be from untrusted sources and contain malware).

7.  Controlling Changes to the Device

Assess how you will remove any personal data from the device and acccess paths to corporate networks if the device is sold, recycled or returned to the manufacturer (e.g. in the event of a warranty claim).  Ensure that your BYOD policy sets out clear obligations on the end-user where the employee ceases to control the device or wishes to use a new device to access corporate systems (e.g. notifying you that a device will be disposed of).

8.  The Data Protection Principles

Ensure that employees understand that where corporate data is being accessed through their own devices, it is still corporate data and they must only access and use it for legitimate corporate purposes (i.e. personal data must only be used for the purposes for which it was collected and consistent with the original fair processing information provided to a data subject).

Where personal data is stored on local devices or in attachments to e-mails, there is an increased risk that it may be stored for longer than is necessary or that it may become isolated and inaccurate.  It may also become difficult to fully satisfy a subject access  request where data isn't held centrally on a corporate system (and similar issues will arise for public authorities where a FOIA request is made).

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.