BYOD: Privacy and security

Andrew Paterson, Senior Technology Officer
The ICO’s mission
“uphold information rights in the public interest”:
Openness by public bodies:
• Freedom of Information Act
• Environmental Information Regulations
Privacy for individuals:
• Privacy and Electronic Communications Regulations (PECR)
• Data Protection Act (DPA)
The DPA in one slide:
• It’s about personal data
• You have to use it fairly and lawfully: act reasonably
• You have to be open about what you do with it
• You have to give people access to their own data
• You have to keep it secure
A typical mobile device
• Portable
• Personal
• Always-on
• Frequently-used
• Internet: Wi-Fi / cell
• Camera
• Mic
• NFC, Bluetooth, GPS, accelerometer
• OS + Apps ecosystem
Typical aspects of BYOD
• One or more of the following:
– User/employee chooses, purchases, owns, maintains, or supports the device
• So what is the role of the Data Controller?
Why consider BYOD?
Possible Benefits
• Reduced hardware cost
• More flexible and efficient working
• Greater employee satisfaction
Possible Risks
• Increased support cost of diverse hardware and software
• Blurring work and personal use affects privacy (email, contacts, SMS, GPS, VPN)
• What about those who don’t want to (or can’t) bring their own device?
• Data loss / fragmentation
• Security exploits: data leak / theft; man-in-the-middle; malware
• When, not if?
Controlling BYOD
Key areas to consider:
1. Policy
– Does everyone know what they should (and should not) be doing?
2. Where is the personal data stored?
3. How is the data transferred?
4. How will you control and secure the device?
Policy
• Acceptable use policy
• Social media policy
• Users must understand their responsibilities
• Requires input from IT, HR, TU & end users
• How will you monitor compliance?
Where does data reside?
• Depends on what setup you choose:
  – Data on the device
    • Internal or external?
  – Data on the organisation's network
    • Local caching?
  – Cloud
    • Private
    • Community
    • Public
How is the data transferred?
• How do you transfer data to devices?
– 3G, Wi-Fi, Wired connection
– HTTP, HTTPS, VPN, other encryption
– MAC address filtering
– IM, Skype or similar
– Cloud-based service
– File transfer or email attachment
– Direct connection or via proxy
– USB or CD
How do you control and secure the device?
• Who owns the device?
• What OS is it running? (and who decides?)
• Who else has access to it?
• What else is it used for?
• What if it gets lost? (remote deletion?)
• Onward transfer of data or device itself?
Privacy of the user
• By definition, some BYOD use will be personal
– May also be used by other individuals (e.g. family members)
• Consider how to protect the users’ privacy if you use:
– a traffic monitoring tool
– geo-location monitoring
– data loss prevention software
Other legal obligations?
• BYOD could lead to disparate copies of data in disparate locations
• Data Protection:
– Subject access rights
– Adequate, relevant and not excessive
– Accuracy
• Freedom of Information:
– Can you search for the data?
– Can you access the data?
Questions?
ICO’s guidance on BYOD (and lots more) can be found at our website www.ico.org.uk
Keep in touch
Subscribe to our e-newsletter at www.ico.gov.uk or find us on…
• www.twitter.com/iconews