ICO reasserts BYOD guidelines after Royal Veterinary College data breach

Remember the report from the Information Commissioner’s Office (ICO) back in March detailing how workers often had a “laissez-faire” attitude to personal device policies?

Well, now the office is saying ‘I told you so’, following an investigation into a data breach at the Royal Veterinary College (RVC) that was found to have broken the Data Protection Act.

The investigation (PDF) details the case of an RVC employee who lost a camera containing a memory card that held passport images of six potential job applicants.

When it transpired the college did not have an adequate BYOD policy, the hammer fell, with the ICO recommending “mandatory induction and annual refresher training” in the Data Protection Act, as well as tighter BYOD controls.

Given that, according to UK-based Sophos research, one in three people have accidentally lost a device of some description, this is certainly a worry.

“Organisations must be aware of how people are now storing and using personal information for work, and the Royal Veterinary College failed to do this,” noted Stephen Eckersley, ICO head of enforcement.

“It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes – so it’s crucial employers are providing guidance and training to staff which covers this use,” he added.

According to the Sophos data taken this time last year, 78% of people who had lost a device had lost a mobile phone, laptop or tablet, with 58% never able to recover the lost device.

The ICO has also published a series of guidelines that companies allowing personal devices need to adhere to:

  • Be clear with staff about what types of personal data may be processed on personal devices and which may not
  • Use a strong password to secure your devices
  • Enable encryption to store data on the device securely
  • Ensure that access to the device is locked, or data automatically deleted if a user inputs a password incorrectly multiple times
  • Use public cloud-based sharing facilities “with extreme caution, if at all”, if you’ve not completely assessed them
  • Register devices with remote locate and wipe facility in the event of a loss or theft

It’s worth noting that the majority of these controls are readily available in an MDM solution (device access lock, remote locate and wipe). The same goes for passwords, although plenty of enterprise mobility experts are discouraging reliance on the password for security, and Salesforce’s latest push towards identity and access management (IAM), Salesforce Identity, is looking to speed up the death of the password.

What’s your view on this? What needs to be done to educate companies on a BYOD policy?

