Have you considered the data protection issues raised by mobile technology?
Lousha Bryl explains the implications
When the Data Protection Act 1998 (DPA) came into force in 2000, many organisations introduced detailed and complex policies to ensure compliance. But how many have updated their policies to reflect the changing use of technology, and, in particular, mobile technology? Think about it. When your policy was created, did you own an iPad? Well, chances are the iPad wasn’t even created and your phone certainly didn’t pick up email. It is no surprise then that many organisations’ policies are no longer adequately protecting their data.
Since April 6, 2010, the Information Commissioner’s Office (ICO) has had the power to issue monetary penalties of up to £500,000 for serious breaches of the DPA and the Privacy and Electronic Communications Regulations. An increasing number of these penalties relate to the loss of personal data on mobile devices.
Earlier this year, a survey commissioned by the ICO revealed that 47 per cent of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. However, fewer than three in 10 of those who do so are provided with guidance on how their devices should be used in this capacity.
Recent examples of monetary penalties awarded by the ICO have included £150,000 to Greater Manchester Police following the theft, from an officer’s home, of a memory stick containing sensitive personal data that was not password protected. A further example is an £80,000 penalty to Ealing Council following the loss of an unencrypted laptop containing personal information.
Protecting data
Organisations should therefore consider what action they can take to protect their data in line with changing technology. The seventh principle of the DPA requires that those handling personal information take appropriate technical and organisational measures against accidental loss or destruction of, or damage to, personal data. It makes no distinction between data processed or stored at a place of work and data processed or stored at home on a mobile device. Regardless of who owns the device, the data controller at the organisation remains responsible for the personal data, but the challenge of ensuring that the data is protected is becoming more difficult.
A starting point for many organisations could be to carry out an audit of the current use of mobile devices in their organisation. What devices are being used? Are they owned by the employee or the organisation? How often are they used, and what for? Policies can then be reviewed to ensure that they are relevant and up to date with the way in which mobile technology is being used in your organisation, and any particular areas of concern can be addressed.
However, you should remember that technology is changing quickly, and you need to review your policies regularly to ensure that they keep up with it.
Basic steps such as introducing minimum password requirements for any devices which are used to process data belonging to the organisation, or locking devices with a PIN code, will go a long way towards achieving data security. This is particularly important if the device is personally owned.
Organisations may also want to consider introducing technological measures to ensure the security of data on mobile devices, such as using encryption technology and ensuring that they have the capability to remotely lock and erase data from mobile devices if they are lost or stolen, even if the devices are owned by the employee. In some cases, organisations should consider whether it is necessary to provide privacy filters for employees to use on their mobile devices, to prevent other people from being able to see the data that they are processing.
Staff training is fundamental to successfully ensuring compliance with your data protection policies. It should be used to make staff aware of the important data protection principles, and that these principles and your policies apply even where they are using their own devices for work purposes.
Staff should also be offered practical guidance on the use of mobile devices. This may range from information on the types of data that may be processed on their personal or mobile devices (including any data that they are not allowed to process), to training on technical issues such as using the organisation’s encryption software or how to choose suitable passwords.
Organisations should not be afraid of using mobile technology. It has many benefits, including improved job satisfaction, increased job efficiency and increased flexibility. However, it is important that organisations consider the risks to data protection and introduce relevant policies, supplemented by practical staff training.
Lousha Bryl is an associate at law firm Hugh James