
BYOD: Privacy and Security


Presentation Transcript


  1. BYOD: Privacy and Security
  Andrew Paterson, Senior Technology Officer

  2. The ICO’s mission
  • “uphold information rights in the public interest”:
    • Openness by public bodies:
      • Freedom of Information Act
      • Environmental Information Regulations
    • Privacy for individuals:
      • Privacy and Electronic Communications Regulations (PECR)
      • Data Protection Act (DPA)

  3. The DPA in one slide:
  • It’s about personal data
  • You have to use it fairly and lawfully: act reasonably
  • You have to be open about what you do with it
  • You have to give people access to their own data
  • You have to keep it secure

  4. A typical mobile device
  • Portable
  • Personal
  • Always-on
  • Frequently-used
  • Internet: Wi-Fi / cell
  • Camera
  • Mic
  • NFC, Bluetooth, GPS, accelerometer
  • OS + apps ecosystem

  5. Typical aspects of BYOD
  • One or more of the following:
    • User/employee chooses, purchases, owns, maintains, or supports the device
  • So what is the role of the Data Controller?

  6. Why consider BYOD?

  7. When, not if?

  8. Controlling BYOD
  Key areas to consider:
  • Policy
    • Does everyone know what they should (and should not) be doing?
  • Where is the personal data stored?
  • How is the data transferred?
  • How will you control and secure the device?

  9. Policy
  • Acceptable use policy
  • Social media policy
  • Users must understand their responsibilities
  • Requires input from IT, HR, TU (trade union) and end users
  • How will you monitor compliance?

  10. Where does data reside?
  • Depends on what setup you choose:
    • Data on the device
      • Internal or external storage?
    • Data on the organisation's network
      • Local caching on the device?
    • Cloud
      • Private
      • Community
      • Public

  11. How is the data transferred?
  • How do you transfer data to devices?
    • 3G, Wi-Fi, wired connection
    • HTTP, HTTPS, VPN, other encryption (plain HTTP carries personal data unencrypted)
    • MAC address filtering (identifies a device, but a MAC address is easily spoofed, so this is not an access control on its own)
    • IM, Skype or similar
    • Cloud-based service
    • File transfer or email attachment
    • Direct connection or via proxy
    • USB or CD

  12. How do you control and secure the device?
  • Who owns the device?
  • What OS is it running? (and who decides?)
  • Who else has access to it?
  • What else is it used for?
  • What if it gets lost? (remote deletion?)
  • Onward transfer of data, or of the device itself?

  13. Privacy of the user
  • By definition, some BYOD use will be personal
  • May also be used by other individuals (e.g. family members)
  • Consider how to protect the users’ privacy if you use:
    • a traffic monitoring tool
    • geo-location monitoring
    • data loss prevention software

  14. Other legal obligations?
  • BYOD could lead to disparate copies of data in disparate locations
  • Data Protection:
    • Subject access rights
    • Adequate, relevant and not excessive
    • Accuracy
  • Freedom of Information:
    • Can you search for the data?
    • Can you access the data?

  15. Questions?
  ICO’s guidance on BYOD (and lots more) can be found on our website: www.ico.org.uk

  16. Keep in touch
  Subscribe to our e-newsletter at www.ico.gov.uk or find us on…
  • www.twitter.com/iconews
