ICO paper on Bring Your Own Device (BYOD)

The UK Information Commissioner’s Office (ICO) publishes several short papers designed to increase awareness of the technical, security and legal implications of various aspects of data holding.

These documents are not, and do not purport to be, detailed explanations of their subject, but they are helpful reminders which may encourage organisations to seek more detailed advice or, at least, to consider things which have hitherto gone unregarded.

One such paper is called Bring Your Own Device (BYOD). It is short and succinct on the risks faced by an organisation and its data controller in circumstances where organisational control is limited because the user owns, maintains and supports the device.

The controller, the ICO says, will need to consider:

  • what type of data is held;
  • where data may be stored;
  • how it is transferred;
  • potential for data leakage;
  • blurring of personal and business use;
  • the device’s security capacities;
  • what to do if the person who owns the device leaves their employment;
  • and how to deal with the loss, theft, failure and support of a device.

Although the paper does not deal specifically with demands for electronic disclosure / discovery, it does cover Subject Access Requests and Freedom of Information requests, two examples where a third party is entitled to demand data from an organisation.

All these things do not merely raise questions of ownership and control and privacy rights: as a practical matter, how is an organisation to know that the data exists at all? The problem is exacerbated by the fact that most of us are daily creating data which even the user does not know about; how then can the employer be sure that it has considered everything which is potentially disclosable?

If this is a problem now, it will become a much bigger one once the General Data Protection Regulation comes into force in May 2018. Among other things, the GDPR will widen the range of protected information and increase the duties of organisations and their data privacy officer in relation to its security. For those new to the subject, or who think that their organisation may have a blind spot about it, this paper makes a good start.


About Chris Dale

I have been an English solicitor since 1980. I run the e-Disclosure Information Project which collects and comments on information about electronic disclosure / eDiscovery and related subjects in the UK, the US, AsiaPac and elsewhere.