These documents are not, and do not purport to be, detailed explanations of their subject, but they are helpful reminders which may encourage organisations to seek more detailed advice or, at least, to consider things which have hitherto gone unregarded.
One such paper is called Bring Your Own Device (BYOD). It is short and succinct on the risks faced by an organisation and its data controller in circumstances where organisational control is limited because the user owns, maintains and supports the device.
The controller, the ICO says, will need to consider:
- what type of data is held;
- where data may be stored;
- how it is transferred;
- potential for data leakage;
- blurring of personal and business use;
- the device’s security capacities;
- what to do if the person who owns the device leaves their employment;
- and how to deal with the loss, theft, failure and support of a device.
Although the paper does not deal specifically with demands for electronic disclosure / discovery, it does cover Subject Access Requests and Freedom of Information requests, two examples where a third party is entitled to demand data from an organisation.
All these things do not merely raise questions of ownership and control and privacy rights: as a practical matter, how is an organisation to know that the data exists at all? The problem is exacerbated by the fact that most of us are daily creating data which even the user does not know about; how then can the employer be sure that it has considered everything which is potentially disclosable?
If this is a problem now, it will become a much bigger one once the General Data Protection Regulation comes into force in May 2018. Among other things, the GDPR will widen the range of protected information and increase the duties of organisations and their data privacy officer in relation to its security. For those new to the subject, or who think that their organisation may have a blind spot about it, this paper makes a good start.