From the ‘Law in the Cloud’ Blog: The UK’s Information Commissioner’s Office (ICO) has issued a document providing guidance for businesses on remaining compliant with data protection law where they allow employees to use their personal computing devices for work. ‘Bring your own device’, or BYOD, provides a number of benefits to businesses in terms of worker satisfaction and productivity. However, as the ICO notes, businesses must be careful to ensure that proper safeguards are in place to protect data accessed or stored on these devices.
The ICO’s advice is given in the context of the Data Protection Act 1998 (UK) (DPA), but it is equally useful to Australian businesses. Under the DPA there are 8 principles of ‘good information handling’. As well as protecting individuals who are the subjects of the information, the DPA imposes obligations on those processing it. Of most relevance is the seventh principle, which requires ‘appropriate technical and organisational measures…[to protect] against accidental loss or destruction of, or damage to, personal data’. This requirement is similar to Australia’s National Privacy Principle 4 (Privacy Act 1988 (Cth) sch 3 s 4).
The ICO’s guidance recommends a number of security measures that employers should put in place to avoid breaching their data protection obligations. These include:
- auditing the types of personal data being processed and the devices used to access that data;
- denying or restricting access to sensitive data on devices which lack a high level of encryption; and
- controlling access to data and/or devices using passwords or PIN codes.