The Information Commissioner (ICO) has warned organisations to monitor the use of personal devices at work after a Royal Veterinary College staff member lost a camera containing images of job applicants.
The camera containing the picture of six applicants on a data card went missing last December at which point the RVC realised that its otherwise strict data protection policies did not cover personal property.
Although a minor incident – the photographed applicants would not have been identifiable by name – the ICO has decided to warn the organisation of the need to tighten its policies rather than issue a more serious enforcement notice.
All portable devices at the RVC, whether laptops or other media, had to be encrypted by 30 April 2014 regardless of whether those devices belonged to staff, the ICO said.
“Organisations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this,” said the ICO’s head of enforcement, Stephen Eckersley.
“It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes so it’s crucial employers are providing guidance and training to staff which covers this use,” he said.
“We have published guidance on this growing trend, commonly known as Bring Your Own Device (BYOD), and we would urge all organisations to make sure they follow our recommendations by ensuring their data protection policies reflect the way many of us are now using personal devices for work.”
Organisations should be explicit about which data could be kept on personal devices, and insist on strong passwords, enforce encryption where appropriate, and use remote wipe technology.
Non-approved cloud backup and storage services should be used with “extreme caution if at all,” the ICO said.