A YouGov survey earlier this year showed that 47% of all UK employees use personal mobile devices for work, but many organisations are failing to update their data protection policies accordingly, the ICO said.
The warning comes after the Royal Veterinary College breached the Data Protection Act when a member of staff lost a camera holding a memory card that contained the passport images of six job applicants.
When the incident occurred in December 2012 the organisation had no guidance in place explaining how personal information stored for work should be looked after on personal devices, the ICO found.
“Organisations must be aware of how people are now storing and using personal information for work, but The Royal Veterinary College failed to do this,” said ICO head of enforcement Stephen Eckersley.
Protecting data: An IT guide
Protecting data from leaks and viruses is not easy, but you have some weapons in your arsenal, including encryption, remote wipe and secure containers. Click here to find out more.
“It is clear that more and more people are now using a personal device, particularly mobile phones and tablets, for work purposes, so it's crucial that employers provide guidance and training to staff which covers this use,” he said.
ICO recommendations for BYOD
The ICO has published guidance on this growing trend, commonly known as bring your own device (BYOD), and has called on all organisations to follow the recommendations.
Key issues organisations need to be aware of when allowing staff to use personal devices for work, as listed in the ICO’s guidance, include:
- Be clear with staff about which types of personal data may be processed on personal devices and which may not.
- Use a strong password to secure your devices.
- Enable encryption to store data on the device securely.
- Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times.
- Use public cloud-based sharing and public backup services, which you have not fully assessed, with extreme caution, if at all.
- Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.