By Brian Davidson, CIPP/E
The Information Commissioner’s Office (ICO) has warned organisations that their privacy policies must reflect the increasing use of employee-owned personal devices for work purposes.
The warning comes after the Royal Veterinary College had to sign an ICO undertaking after a member of staff lost their personal camera and its memory card containing passport images of six job applicants. The ICO investigation found that the use of personal devices at the college fell outside the scope of the privacy policies and procedures that were in place, and the college did not appear to have accounted for the possibility that employees may use their own devices in the workplace.
In addition, data protection training for staff was not considered to be adequate and the college was found not to be taking proactive steps to address this, highlighting potentially serious failings in respect of staff awareness of information governance policies. The college was required to sign an undertaking to ensure that personal data are processed in accordance with the Seventh Data Protection Principle of the UK Data Protection Act, which requires that appropriate technical and organisational measures be in place to ensure that personal information is secure.
The ICO action follows the publication of a YouGov survey showing that 47 percent of all UK employees use their personal device for work-related purposes. There is concern that organisational privacy policies are not being updated to account for this growing trend.
The ICO has also published Bring Your Own Device guidance, which sets out the key issues organisations need to be aware of when permitting staff to use their smartphones, tablets, etc., for work purposes.
A copy of the guidance is available here.
A copy of the Royal Veterinary College Undertaking is available here.
Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.