Wednesday 16 October 2013

ICO slams Royal Veterinary College for lack of BYOD policies after data loss

The Information Commissioner’s Office (ICO) has warned firms of the need to implement proper bring-your-own-device (BYOD) policies after the Royal Veterinary College (RVC) was caught out by the trend when sensitive data, which was stored on a staff-owned device, was lost.
The staff member at the College lost their own digital camera and memory card that contained six passport image scans of prospective job applicants. The ICO said that, after investigating the incident, it found the College did not have any BYOD policies in place or guidance for staff on using devices such as tablets, phones and cameras for work purposes.
“Our investigation revealed that the device was personally owned by the employee and as such fell outside of the policies and procedures in place. However, the RVC does not appear to have accounted for the possibility of employees using their own devices in the workplace,” it said.
Head of enforcement at the data watchdog Stephen Eckersley said that the incident should serve as a warning to other organisations of the need to assess how staff are accessing data.
“Organisations must be aware of how people are now storing and using personal information for work and the Royal Veterinary College failed to do this,” he said.
“It is clear that more and more people are now using a personal device, particularly their mobile phones and tablets, for work purposes, so it's crucial employers are providing guidance and training to staff which covers this use.”
The College has now signed an undertaking to ensure staff are trained on personal data handling and that all devices used for sensitive data contain encryption software.
V3 contacted the Royal Veterinary College for comment on the incident but had received no reply at the time of publication.
The incident underlines the myriad issues that BYOD can cause. While most warnings focus on devices such as tablets and phones, as this case shows, anything that allows the storage and movement of digital data must be considered when designing and implementing policies.
