InfoLawUpdate - ICO warning on BYO devices
Burnetts' information law solicitor Natalie Ruane comments on the latest information law developments.
The ICO warns of the need to introduce ‘Bring Your Own Device Policies’ for employees
The Information Commissioners Office (ICO) has warned organisations that provisions may need to be inserted into data protection policies to deal with situations where employees are using their personal smartphones, tablets and laptops for both work and recreational purposes. Over 60% of the population own smartphones and 20% own tablets with an increasing number using their personal devices for work.
The warning comes as a result of a data breach involving the Royal Veterinary College (RVC). The breach occurred when an employee’s personal smartphone had its memory card stolen. On the memory card were photographs of six job applicants’ passports. The RVC had no policy or guidance expressly dealing with the storage of personal information for work purposes on personal devices.
The Data Protection Act 1998 (principle 7) states that data controllers need to take the appropriate technical and organisational measures to prevent accidental loss of personal data. As a result of the breach, the RVC have undertaken to provide mandatory training & guidance to staff, record and monitor such training and monitor the encryption of personal devises.
Overall, the ICO are placing large amounts of emphasis on organisations being aware of complying with data protection principles in relation to this new trend in employees using personal devices for work purposes.
The ICO published ‘Bring your own device (BYOD)’ guidance in March 2013. Its main recommendations are to:
1. Ensure Devices are Secure
2. Ensure data transfers are secure
3. Retain control
4. Have an end of contract policy
5. Have a clear Acceptable Use policy.
Britain’s Energy Coast (BEC) Information & Data Security Conference – 23rd January 2014, Energus, Workington
On Thursday 23rd January 2014 Britain’s Energy Coast hosted a conference on information and data security. At the conference there were over 120 delegates with a full programme of speakers taking place throughout the day. There were speakers from government departments such as the Department for Business, Innovation and Skills together with security managers for the Nuclear Decommissioning Authority (NDA) and Sellafield UK Ltd.
Prosecution over sensitive information of hundreds of children being lost
The ICO issued North East Lincolnshire Council a fine of £80,000 for a serious data breach after losing sensitive personal information in relation to hundreds of children with special educational needs. The information had been stored on an unencrypted memory stick that was left in a laptop in the council’s offices by a staff member. When the staff member returned the memory stick had gone. A key element in this case was that whilst the council had introduced a policy in April 2011 for encrypting portable devices, such as laptops & memory sticks, it had to make sure all of the memory sticks in operation and used by staff were encrypted.
This should be a warning for all organisations to ensure that data is secure even when working in the organisation’s offices if a device is left unattended.
Pay day loans company fined for failing to register
A pay day loans company, First Financial, based in London has been prosecuted by the Information Commissioner’s Office (ICO) for failing to register that the business was processing personal information. In addition the sole director of the company was also prosecuted for data breaches.
Under the Data Protection Act 1998 any organisation that is processing personal data is required to register with the ICO. In most circumstances organisations will have to pay an annual notification fee of £35 together with providing details of the types of information they are processing. Failing to register is a criminal offence, taken very seriously, with fines of up to £5,000 in the Magistrates Court and unlimited fines in the Crown Court.
In this case the company was fined £500 and ordered to pay £1,010.66 towards prosecution costs. The sole director, Mr Hamed Shabani, was also fined a lesser amount of £150 but was again ordered to pay £1,010.66 towards prosecution costs.
The above case reinforces the firm stance the ICO take in cases where organisations fail to register with them.
Guidance on how organisations can register can be found by clicking here.
Government unveils ‘Cyber Streetwise’ online safety campaign
On 13th January 2014 the Government launched an online campaign called ‘Cyber Streetwise’ that aims to help both individuals and businesses protect themselves against the ever increasing threat of cyber crime when shopping or banking online. The campaign aims to change attitudes towards cyber security and help provide the public and businesses with the necessary knowledge to take a pro-active role in taking control of their own cyber security.
The website is user friendly and incorporates a series of animations and videos together with useful step-by-step guides in promoting awareness of the cyber threat.
Visit www.cyberstreetwise.com for more information.
For advice on information law issues, contact Natalie on 01228 552222 or by email to email@example.com
About the author
Natalie leads the Employment Law & HR team and specialises in education.
Published: Tuesday 28th January 2014
Categorised: Information Law