I guess even fewer have considered the links to ISO9001 clause 7.5.4 and the requirement to ‘exercise care with customer property whilst it is under the organisation’s control or being used by the organisation’ – and personal data is, as is made clear in the 2008 version of the standard, considered to be customer property.
As the use of this type of equipment grows it’s time that businesses grasped the significance of this issue and acted to protect themselves, and the data being managed.
The ICO survey suggests that nearly 50% of UK adults use personal devices as part of their work but that less than 30% are given any advice or guidance on controls that should be in place when they do so.
Here’s what Simon Rice, the ICO Group Manager for Technology has to say:
“The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely. While these changes offer significant benefits to organisations, employers must have adequate controls in place to make sure this information is kept secure.
“The cost of introducing these controls can range from being relatively modest to quite significant, depending on the type of processing being considered, and might even be greater than the initial savings expected. Certainly the sum will pale into insignificance when you consider the reputational damage caused by a serious data breach. This is why organisations must act now.”
Commenting on the new guidance, he said:
“Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider. For example, does the organisation know where personal data is being stored at any one time? Do they have measures in place to keep the information accurate and up-to-date? Is there a failsafe system so that the device can be wiped remotely if lost or stolen?”
The ICO survey suggests that email accounts for the largest usage, but that nearly 40% used their devices to edit documents and over 35% stored work documents on their device, and the ICO warn that there is a very good chance that all these activities involve the processing of personal information and therefore fall within the bounds of the Data Protection Act.
Key recommendations from the guidance include:
I have just added some very targeted questions to my audit question bank – this is an area which needs careful exploration and action. Expect your external certification bodies to be looking at this too!