You may be surprised to hear that the Centre for the Protection of National Infrastructure (“CPNI”), a branch of GCHQ, has published guidance for employers on Bring Your Own Device (“BYOD”) schemes.
Since when were employer equipment practices a matter of national security, you may ask? Well, a study last year found that seven out of every ten employees who own a smartphone or tablet use it to access corporate data. Those employees could be working for organisations ranging from small businesses to large corporations or government departments. Data breaches at nationally important organisations could pose a threat to national infrastructure. In any event, who better to advise on data security breaches than Her Majesty’s Government?
The CPNI guidance can be found here and I would recommend considering it alongside the Information Commissioner’s Office guidance published last year.
Both sets of guidance focus on the practical considerations of BYOD: Where is the data stored? How is the data transferred? How will employers maintain control of the data and keep it secure? How do you plan for security incidents? How do you balance control of the data with the privacy attached to employees’ personal devices?
While both sets of guidance focus on data security more broadly, employers should also be concerned about protecting sensitive business information and not allowing employees to wander off with their trade secrets happily stored on their tablets and smartphones.
Above all, the advice seems to be (and I would strongly echo this) that employers should have a carefully thought-out and implemented BYOD policy. The more control employers want to have over the information on employees’ personal devices, the greater the need for policies and even specific agreement from employees.
We’ll plan another post in the near future dealing with some of these issues in more detail, but this will hopefully give you a flavour of some of the current thinking on the subject.