Data protection: 10 tips for ‘bring-your-own-device’ employees

After decades where organisations issued employees with computers and mobile phones, the rise of the smartphone and the falling cost of home computing has meant employees are increasingly bringing their own devices to work.

Employees might use their own devices – phones, tablet computers, or laptops – to supplement their use of the organisation’s IT equipment or they may do so as part of a formal bring your own device (BYOD) programme. Indeed, IT research company Gartner has predicted that by 2017, half of employers in the US will require employees to supply their own device for work purposes.

According to 2013 research, almost half (48%) of UK residents now own a smartphone. This, along with trends to toward virtual working and cloud computing, means HR departments need to ensure that staff who use their own devices for work do so in accordance with the requirements contained in the Data Protection Act 1998.

Below are 10 considerations to keep employers with BYOD employees compliant:

1. Before using their own device for work, employees must ensure they use a strong password to lock their device. The device must be capable of locking automatically if an incorrect password is entered.

2. Employees must use encryption software on their devices to store personal data securely.

3. Workers should ensure that if they transfer data, either by email or by other means, they do so through an encrypted channel, such as a virtual private network (VPN) or a secure web protocol (https://).

4. The security of any open network or wi-fi connection should always be checked, and staff and should not use unsecured wireless networks.

5. Unverified or untrusted apps should not be downloaded, as they may pose a threat to the security of the information held on employees’ devices.

6. Employees must not, under any circumstances, use corporate personal information for any purpose other than for their work and as directed or instructed by the organisation.

7. Staff should use different applications for business and personal use.

8. Software should be in place for quickly and effectively revoking access that a user might gain to a device in the event of loss or theft.

9. Employees should make sure that any software they use is genuine and is installed under an appropriate licence agreement between the employee and the relevant manufacturer to prevent any security vulnerabilities.

10. Finally, staff should report the loss or theft of their device if used for work-related activities immediately to the data protection officer in the organisation or another specified individual.

This list is adapted from XpertHR’s data protection policy on bringing your own device to work, written by Alison Frazer, a specialist employment barrister at Queen Square Chambers. The BYOD policy also covers other important matters including the retention and deletion of personal data, third-party use of the device and what happens when a BYOD employee leaves the organisation.
Comments are closed.