Summer heralds the time of year when applications from prospective trainees come flooding through the doors of B P Collins, ready for the next step in their legal careers. With this in mind, it is worth taking heed of the recent warning issued by the Information Commissioner's Office (ICO) towards the end of last year. This reminds organisations dealing with personal data, such as employers, that they ensure their policies and procedures reflect the way in which modern workforces operate.
The warning came as a result of a breach of the Data Protection Act 1996 (DPA) by the Royal Veterinary College, after a member of staff lost her personal digital camera. Whilst this loss would usually be inconsequential for her employer, the memory card contained the photographs of six passports belonging to prospective employees, who had been interviewed recently by the College. The College did not have any policies or procedures in place detailing how personal data should to be handled.
After their investigation into the incident, the ICO required the College to give an undertaking to ensure that its staff are trained on how to handle personal data and that all devices contain encryption software if they are using sensitive data.
Despite the reprimand from the ICO and the undertaking required from the College, the entire incident could have ended with a hefty fine of up to £500,000, something I am sure they were glad to avoid.
Speaking after the incident Stephen Eckersley, head of enforcement at the ICO noted: “It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes, so it is crucial that employers are providing guidance and training to staff which covers this use.”
This emerging trend is known as 'Bring Your Own Device' (or BYOD for short) and it is fast becoming popular with employees and employers alike. The basic premise is that employees are encouraged to bring in their own electronic devices, usually mobile telephones, tablets and laptops, to the workplace instead of those traditionally provided by the employer. According to recent studies, such a policy can lead to a more engaged and flexible workforce and potentially reduces the cost to the employer of providing IT equipment and support.
With the above cautionary tale in mind, employers and, more generally, organisations that handle personal data have to make sure that their policies and procedures for handling personal data are watertight, especially if they plan to introduce a BYOD policy. The ICO has produced a set of guidelines highlighting what companies can do to protect personal data if they plan to allow employees to use their own devices for work purposes. The guidelines include enabling encryption on data which is stored on the device, the use of strong passwords to secure devices and having the ability to remotely delete the contents of such a device in the event of loss or theft.
In addition to this, employment partner and practice group leader Jo Davis has produced her top five things to consider before implementing a BYOD policy in the April edition of Real Business magazine. This article contains helpful information and tips for businesses to ensure that their BYOD policy helps them to avoid the pitfalls that the College stumbled into.
Posted by Benjamin McQueenie, trainee in the employment practice group.
Benjamin started his training contract in November 2012. He previously worked as a paralegal within the litigation departments of two well-known Bristol firms, as well as a seasonaire in the French Alps.