U.K. data watchdog warns on BYOD risks

U.K. data watchdog warns on BYOD risks

Summary: Bringing your own device to work may be beneficial to the worker, but what about when personal citizen data gets loaded on to such devices? British authorities are firing off the warning flares.

TOPICS: United Kingdom

British data officials have warned that many U.K. employers "appear to have a laissez faire attitude" towards staff using their own devices in the workplace.


By failing to give employees the low-down and guidance on how to work with data when using their own devices, this could be putting citizen's personal information at risk to theft or data breaches, the Information Commissioner's Office (ICO) warns.

The ICO commissioned a survey by polling group YouGov, which said that 47 percent of all U.K. workers are already using their own smartphone or tablet in the enterprise. However, less than one-third have been given corporate guidance on how these devices.

This concerns the ICO, the organization in charge of data protection and privacy in the U.K., as more than two-thirds of workers may not know to look after sensitive data when accessed or stored on their bring-your-own-device (BYOD) tablets and smartphones. 

The ICO this week published its latest guidance note [PDF] on some of the risks that employers face when allowing personal devices into the enterprise. While BYOD is on the rise in the U.K., employers must still remember that the Data Protection Act—which stems from a 1995 European directive—still applies to these devices.

"Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider," said ICO technology group manager Simon Rice.

"For example, does the organisation know where personal data is being stored at any one time? Do they have measures in place to keep the information accurate and up-to-date? Is there a failsafe system so that the device can be wiped remotely if lost or stolen?"

The data protection and privacy watchdog is keen to stress that even if enterprise employers do not have direct control over their staff devices, through mobile device management (MDM) services or similar technologies, they still have a responsibility as "data controllers" to ensure that any data that employees use, even on their own devices, must remain safe and protected.

"It is important to remember that the data controller must remain in control of the personal data for which he is responsible, regardless of the ownership of the device used to carry out the processing," the ICO reiterates. 

"It means you must have appropriate security in place to prevent the personal data you hold from being accidently or deliberately compromised," the advice notes. "This is relevant if personal data is being processed on devices which you may not have direct control over."

Topic: United Kingdom

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Common Sense

    An easy solution to this problem is to just not allow technology at the work place. I know of facilities that do not allow computers, phones, tables, camera, etc. The only computers allowed in the facility are the ones they provide!! This is a shortsighted and idiotic solution to the problem.

    The problem is – companies do not want to invest in periphery devices! The whole reason this whole BYOD stuff started was to remove phones/tablets off the companies’ books. The companies, the greedy little *** they are, decided to take the security off their books as well. Just because you expect people to have their own cars, doesn’t mean you do not provide them a parking lot.

    Some of the tools (on tablets and phones) are essential productivity tools. Employees feel strong enough about these benefits that they are willing to fork out hundreds of their OWN monies. It is great to receive emails, texts, or updated schedule on the go. It is great to have the capability to record, take pictures of the while board, take notes electronically (hand written or typed) during the meetings!! It’s great to use skydrive/Dropbox/google drive to send large files or maintain synced files between computers/tablets/phones, etc.

    I do not understand how losing a company tablet is different than losing one’s own. The information is lost or compromised either way. The companies need to recognize that technology their employees BUY benefits THEM, so unless they meet half way with security and education – companies are the problem.
  • Benefits

    "... Bringing your own device to work may be beneficial to the worker ..."

    How? Seems pretty un-beneficial to me.
    And how is it OK for businesses to use their employees' property for work purposes, when most businesses consider it anathema for employees to use business property for personal use?
    • beneficial for vendor employees

      Think of it this way in terms of vendor employees.....at my company, vendor employees are issued with a laptop from their vendor company. During contracted work, they may be issued ANOTHER laptop by the contract-company so they can access their network securely. BYOD and the security policies associated with them enables vendor employees to access networks via their vendor-supplied laptop and negate the need to manage two devices. Of course, it all comes back down to security.
      • BYOD latest PC models

        Another thing to add is that company issued laptops are often quite bulky, heavy and sometimes slower than the latest models in the market. For example, I think most employees would prefer to work off their own MacBook Air rather than a company-issued Lenovo T430 laptop.
  • A separate network for BYOD is all that's needed

    At the last place I worked before retirement (an engineering company), there was a separate guest network for BYOD. No personal equipment (phone, tablet, PC, flash drive, external hard drive, etc.) could be attached to any company equipment on the main network. No company work product could be developed on anything except company-provided equipment. If you needed to take work home, a company laptop could be provided on loan. To access old code input files in TEXT format, we could email to ourselves from a personal device or bring in on a CD-R and scan for malware on both ends, but that was essentially at your own risk. References in PDF or Word format could be downloaded from the internet because it was autoscanned by our antivirus software (seemed risky to me). Freeware could be downloaded if approved by IT security. If you violated the rules and introduced malware into the company network, your device was subject to wiping before return. The first violation of these rules caused a warning. A second meant firing. To work there, you had to sign an agreement to these conditions before bringing any personal equipment to work. These rules may seem extreme to some, but we performed design calculations and safety analyses for buildings, roads, factories, and nuclear plants, so all design calculations and analyses had to be performed and checked according to standard engineering procedures.
  • Further BYOD Risks

    While it’s encouraging to see that the UK Information Commissioner is seeking to bring the 1998 Data Protection Act up to date through these new guidelines, I still don’t feel these cover the wider data security implications of BYOD for businesses.

    It’s all very well offering procedures to manage the BYOD whilst a device is in use. However the data controller is still liable for any data breach that can be traced back to an employee/contractor’s device after it has been decommissioned.

    Surely the ICO should update its guidelines on data wiping to provide clear direction on exactly what steps organisations need to take to mitigate against incurring penalties should sensitive data be extracted after a handset has been sent for recycling?

    As it stands data wiping techniques based on wiping traditional hard disk drives aren’t adequate for devices which use solid state memory. Most of us upgrade our handsets every two years or less and most bulk recycling involves shipping phones from the developed world to the developing world where data protection legislation is not as rigorous. This means that until the ICO provides additional guidance and support, BYOD opens companies up to ever greater risk.

    Ken Garner, Business Development Manager at BlackBelt
    KenGarner, BlackBelt