October 15, 2014
UK Government agency offers employers new guidance on BYOD
The UK Government’s National Technical Authority for Information Assurance (CESG) has updated its official guidance on BYOD (Bring Your Own Device), one of the most widely discussed workplace technology phenomena. While it’s tough enough for everybody else to keep up with the personal and cultural implications of technology, the slow but exceedingly fine grinding mills of Government can find it almost impossible to keep up. In an accompanying statement the CESG claims the update is essential because of the rapid uptake in flexible working in the UK and the associated increase in the use of personal mobile devices in a work context. The new guidance suggests that employers should consider the development of a formal BYOD policy, understand relevant legal issues and their potential consequences, manage information and the way it is shared and plan for inevitable security breaches.
CESG also recommends that employers read a range of related guidance and legal documentation, including the Data Protection Act, the Employment Practices Code and the Information Commissioner’s Office’s BYOD guidance, to understand their legal obligations. “The legal responsibility for protecting personal information is with the data controller, not the device owner,” says the document. “The Information Commissioner’s Office (ICO) can impose fines of up to £500,000 for serious data breaches”.
The document goes on to warn how easy it is for information held on personal mobile devices to be shared in inappropriate ways, often inadvertently and sometimes even unbeknown to the device’s owner. It also offers guidance on managing the inevitable loss or destruction of devices. “Plan for and rehearse incidents where a personally owned device that has access to sensitive business information is lost, stolen or compromised,” it says. “Ensure you are able to revoke access to business information and services quickly and understand how you will deal with any data remaining on the device. Consider using a remote wipe feature for business data.”