ICO sounds alarm over BYOD in light of Royal Veterinary College data loss

0
124

Smartphones

Data protection watchdog claims more must be done to lockdown personal devices in the workplace.

The Information Commissioner’s Office (ICO) is ordering a clamp down on the use of personal devices in the workplace after a member of staff at the Royal Veterinary College (RVC) lost a camera containing images of six job applicants.

The images were on a flash memory card and went missing last December, and the organisation quickly realised it had no guidance in place to cover the loss of personal property.

Despite the minor nature of the incident, as the applicants could not be identified by name, the ICO has warned the college it needs to tighten up its personal device policies.

The ICO has told the RVC it must have encryption on all portable devices by 30 April 2014. Furthermore, it must offer training on the Data Protection Act to all staff on an annual basis by that time.

“Organisations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this,” said the ICO’s head of enforcement, Stephen Eckersley.

“It is clear more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes so it’s crucial employers are providing guidance and training to staff which covers this use,” he said.

“We have published guidance on this growing trend, commonly known as Bring Your Own Device (BYOD), and we would urge all organisations to make sure they follow our recommendations by ensuring their data protection policies reflect the way many of us are now using personal devices for work.”

The ICO said when allowing staff to use personal devices for work purposes, organisations must be  clear about which types of personal data can be processed on the devices. They must also use strong passwords to secure the devices and enable encryption to store data on the device securely.

It also said using public cloud-based sharing and public backup services should be done with “extreme caution, if at all”.