Summer heralds the time of year
when applications from prospective trainees come flooding through the doors of
B P Collins, ready for the next step in their legal careers. With this in mind,
it is worth taking heed of the recent warning issued by the Information Commissioner's Office (ICO) towards the end of last year. This reminds organisations
dealing with personal data, such as employers, to ensure that their policies and
procedures reflect the way in which modern workforces operate.
The warning came as a result of a
breach of the Data Protection Act 1996 (DPA) by the Royal Veterinary College, after
a member of staff lost her personal digital camera. Whilst this loss would
usually be inconsequential for her employer, the memory card contained the photographs
of six passports belonging to prospective employees, who had been interviewed recently
by the College. The College did not have any policies or
procedures in place detailing how personal data should be handled.
After their investigation into the incident, the ICO required the College to give an undertaking to ensure that its staff are
trained on how to handle personal data and that all devices contain encryption
software if they are using sensitive data.
Despite the reprimand from the
ICO and the undertaking required from the College, the entire incident could
have ended with a hefty fine of up to £500,000, something I am sure they were
glad to avoid.
Speaking after the incident, Stephen
Eckersley, head of enforcement at the ICO, noted: “It is clear that more and
more people are now using a personal device, particularly their mobile phones
and tablets, for work purposes, so it is crucial that employers are providing
guidance and training to staff which covers this use.”
This emerging trend is known as 'Bring Your Own Device' (or BYOD for short) and it is fast becoming popular with employees
and employers alike. The basic premise is that employees are encouraged to
bring in their own electronic devices, usually mobile telephones, tablets and
laptops, to the workplace instead of those traditionally provided by the
employer. According to recent studies, such a policy can lead to a more engaged
and flexible workforce and potentially reduce the cost to the employer of providing
IT equipment and support.
With the above cautionary tale in
mind, employers and, more generally, organisations that handle personal data have
to make sure that their policies and procedures for handling personal data are
watertight, especially if they plan to introduce a BYOD policy. The ICO has produced a set of guidelines
highlighting what companies can do to protect personal data if they plan to
allow employees to use their own devices for work purposes. The guidelines
include enabling encryption on data which is stored on the device, the use of
strong passwords to secure devices and having the ability to remotely delete
the contents of such a device in the event of loss or theft.
In addition to this, employment
partner and practice group leader Jo Davis has produced her top five things to consider before implementing a BYOD policy in the April edition of Real
Business magazine. This article contains helpful information and tips for
businesses to ensure that their BYOD policy helps them to avoid the pitfalls
that the College stumbled into.
Posted by Benjamin McQueenie, trainee in the employment practice group.
Benjamin started his training contract in November 2012. He previously worked as a paralegal within the litigation departments of two well-known Bristol firms, as well as a seasonaire in the French Alps.