Secure your PDA data now


Your company is liable for the corporate information held on personal digital assistants and could fall foul of the Data Protection Act if personal information falls into the wrong hands, writes Magnus Ahlberg

The benefits of mobile computing have been much publicised but it also brings with it a new set of potential headaches for IT managers.

Where company data is held on private devices, security is not the only issue. Slack safeguarding of sensitive data could result in a criminal conviction if the Data Protection Act is breached. And the biggest problem is data held on a personal digital assistant (PDA).

These devices are owned either by a company or by its staff. But they are personal - whoever owns them - and they are used in a personal manner. Consequently they frequently fall outside the corporate security policy because they are not treated as company property. If staff are not told where they can drive their company car, why should they be told how to use a few hundred pounds' worth of PDA?

But these devices are no longer simple electronic aides-memoire - they are small computers of increasing power and sophistication. The current crop of Palm Pilots have a memory capacity of 8Mbytes and can store 10,000 addresses, 400 e-mails, and 3,000 documents with notes. They are carrying more and more corporate and personal data - and are increasingly a popular target for theft.

The solution to these threats is encryption. Encrypting communications won't stop eavesdroppers - whether government-sponsored Echelon, profit-driven industrial spies, or good old hackers - from intercepting your messages, but it will stop them gaining anything useful from them.

But encrypting communications is no longer enough: you also need to encrypt the data stored on the PDA, as these devices can easily be stolen or lost.

However, while it is clearly advisable to encrypt the data stored on your Palm, within the European Union it may in fact be a legal requirement.

Palm Pilots are frequently used to store company contact information. This is likely to include a home address, mobile phone number and even home phone number. In other words, it is likely to include personal information that needs to be registered under the Data Protection Act 1998, and is liable to the strictures of the Act.

The seventh principle of the Act is unequivocal: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

First, it is worth considering who is liable under this Act. The Act states that conformance to the Data Protection Act is the responsibility of the data controller. And it says that "data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed."

In other words, this "person or persons" is effectively the board and the immediate data processing managers. It is not the person who "owns" the computer or PDA. You could say that if the data is on the PDA by company consent, then it is the company that is determining the purposes for and manner in which it is to be processed - and it is therefore the company that is liable.

So, if your PDA falls into the wrong hands it could land your boss in court. But, if the data is on the PDA without company consent, then the company has already broken the Data Protection Act by failing to protect "against accidental loss or destruction of, or damage to, personal data"; that is, it has "broken" the seventh principle.

Nicholas Bohm, consultant to the e-commerce group of City law firm Fox Williams, says, "If company data is used by an employee on company business then the company, in principle, controls it - through the employee's duties of fidelity, following the rulebook, and so on. The company must make rules and provide systems that protect it from unauthorised use or disclosure.

"The rules might say, for example, that if employees carry company data on their own PDAs they must use encryption to protect it. The employee is, of course, responsible for implementing the rules but is probably responsible to the employer rather than directly to the commissioner." In other words, the company is still liable.

What actually constitutes appropriate technical and organisational measures is something that ultimately can only be defined by the courts. However, it would be best not to let it get that far. It seems fairly clear that organisational measures could be covered by a formal, written and enforced security policy designed to protect the PDA and its data. But defining appropriate technical measures is more difficult.

If it were the corporate mainframe we would be thinking about a firewall. Suppliers are working on chip-based firewalls that can be built into PDAs, but we're not there yet. So, for the Palm Pilot and other PDAs we need something else - and all we've really got is encryption.
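As an added illustration, not part of the original article and not code from Pointsec or any Palm product, the Go program below shows the data-at-rest protection the article calls for: a contact record is encrypted under a key derived from the user's unlock passphrase (PBKDF2-HMAC-SHA256, written out so only the standard library is needed) with AES-256-GCM. A thief who images the device storage sees no contact details, and a wrong passphrase or an altered record is rejected outright rather than decrypted to garbage. The function names, the sample contact and the iteration count are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen  = 16     // random per-record salt for the key derivation
	nonceLen = 12     // standard GCM nonce size
	keyLen   = 32     // AES-256
	kdfIters = 100000 // iteration count is an assumption of this example
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF.
func pbkdf2SHA256(passphrase, salt []byte, iters, length int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	var out []byte
	for block := uint32(1); len(out) < length; block++ {
		prf.Reset() // U1 = PRF(passphrase, salt || INT(block))
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ { // Uj = PRF(passphrase, Uj-1); T = U1 xor ... xor Uc
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

// gcmFor derives the record key from passphrase and salt and returns an AES-GCM AEAD.
func gcmFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfIters, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record. Stored layout: salt || nonce || ciphertext+tag.
// The salt is bound as associated data so it cannot be swapped without detection.
func Seal(passphrase string, record []byte) ([]byte, error) {
	blob := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(blob); err != nil {
		return nil, err
	}
	salt, nonce := blob[:saltLen], blob[saltLen:]
	gcm, err := gcmFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(blob, nonce, record, salt), nil
}

// Open reverses Seal. Any error means a wrong passphrase or altered bytes;
// no partial plaintext is ever returned.
func Open(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag length
		return nil, errors.New("record too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := gcmFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered record")
	}
	return pt, nil
}

func main() {
	contact := []byte("Jane Example; mobile 07700 900123; home 1 Example Street") // constructed sample, not real data
	blob, err := Seal("correct horse battery", contact)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; contact visible in storage: %v\n", len(blob), bytes.Contains(blob, []byte("Jane")))
	if _, err := Open("wrong pin", blob); err != nil {
		fmt.Println("wrong passphrase:", err)
	}
	pt, _ := Open("correct horse battery", blob)
	fmt.Printf("unlocked: %s\n", pt)
}
```

The design point is that the key never lives on the device: it is recomputed from the passphrase at unlock time, so a stolen unit holds only salt, nonce and ciphertext. Authenticated encryption (GCM) also gives the integrity half of the seventh principle, since a damaged or altered record is detected rather than silently accepted.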

Magnus Ahlberg is managing director of handheld security specialist Pointsec Technologies
