The Information Commissioner’s Office (ICO) has warned firms of the need to implement proper bring-your-own-device (BYOD) policies after the Royal Veterinary College (RVC) was caught out by the trend when sensitive data, which was stored on a staff-owned device, was lost.
The staff member at the College lost their own digital camera and memory card, which contained six passport image scans of prospective job applicants. The ICO said that, after investigating the incident, it found the College did not have any BYOD policies in place or guidance for staff on using devices such as tablets, phones and cameras for work purposes.
“Our investigation revealed that the device was personally owned by the employee and as such fell outside of the policies and procedures in place. However, the RVC does not appear to have accounted for the possibility of employees using their own devices in the workplace,” it said.
Head of enforcement at the data watchdog Stephen Eckersley said that the incident should serve as a warning to other organisations of the need to assess how staff are accessing data.
“Organisations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this,” he said.
“It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes, so it's crucial employers are providing guidance and training to staff which covers this use.”
The College has now signed an undertaking to ensure staff are trained on personal data handling and that all devices used for sensitive data contain encryption software.
The Royal Veterinary College said it would take the ICO's guidance on board to improve its security practices.
"We are disappointed that the guidelines and processes we had in place proved inadequate in this instance. We had already taken action to strengthen our information security provisions before the ICO completed its investigation, but are nevertheless grateful to the ICO for the further guidance it has provided," it said.
The incident underlines the myriad issues that BYOD can cause. While most warnings focus on devices such as tablets and phones, as this case shows, anything that allows the storage and movement of digital data must be considered when designing and implementing policies.