The Information Commissioner’s Office (ICO) has today published its guidance on Bring Your Own Device (BYOD) – the term used to describe the trend whereby personal devices are used to access and store corporate information.
Unsurprisingly, a key focus of the guidance is on the need to take appropriate technical and organisational measures to protect the personal data held on the device, in particular having a BYOD policy that clearly sets out the responsibilities of device owners and ensuring that compliance with the policy is monitored on an on-going basis.
In order to determine what security measures are appropriate, data controllers will need to determine the risks posed by BYOD. In this regard, the guidance sets out the factors that need to be taken into consideration when undertaking a risk assessment, for example: what type of data is held; where it may be stored; how it is transferred; how it may be used (i.e. the potential for a blurring of business and personal use); and how the device can be controlled and secured.
A large part of the guidance is dedicated to discussing the technical and organisational measures that should be considered in a BYOD context, with many of the suggestions being made in the form of practical “top tips”. Examples of top tips include using a strong password to secure devices, ensuring that any data stored on the device itself is encrypted and maintaining a clear separation between personal data processed on behalf of the data controller and personal data processed for the device owner’s own purposes. In this regard, the guidance suggests that data controllers should consider “sand-boxing” or ring-fencing personal data within certain apps.
As well as technical measures, the guidance supports the implementation of an appropriate policy framework, e.g. a clear BYOD policy, an Acceptable Use Policy and a Social Media Policy (if BYOD leads to an increased use of social media) and points to the need to ensure that there is a process in place for quickly and effectively revoking device or user access in the event of a reported loss or theft. It suggests by way of a top tip that data controllers should register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.
In addition, the guidance makes clear that a BYOD policy should facilitate compliance with all aspects of the Data Protection Act, not just security. For example, it suggests that using devices to connect to a single central repository of data (rather than allowing copies of data to be stored on many different devices) can help mitigate the risk of data being inaccurate, out-of-date or retained longer than is necessary, and makes it easier to respond to a data subject access request.
As well as risks to the personal data for which the data controller is responsible, the ICO also considers the potential privacy risks to the owner of the device. The guidance makes clear that any technical and organisational measures used to protect personal data must be proportionate to and justified by real benefits that will be delivered. The ICO points out that device owners should be told about any device tracking and the consequences of such tracking for them. They should also know exactly which data might be automatically or remotely deleted and under which circumstances. The ICO refers to the existing guidance on the topic of monitoring at work and suggests that employers should be mindful of any internet monitoring software in place, especially during periods of personal use.
The ICO guidance on BYOD can be found at http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online/byod.aspx
Bring Your Own Device – Information Commissioner’s Office issues new guidance
Mobile payments – Designing for compliance
Globally, we are seeing some exciting developments in peer to peer payments, remote mobile web commerce payments and near field communication (NFC) payments – when users hold their device in close proximity to a point-of-sale terminal. The growth of these new payment services will mean that organisations other than banks will have access to information held in bank accounts. In fact, there is likely to be a variety of new stakeholders across various jurisdictions involved in the retail payments industry, including mobile phone manufacturers, telecommunications providers, financial institutions, non-bank payment providers, mobile services infrastructure providers, customers and merchants. Inevitably, we will see telecoms providers “morph” into financial services providers and banks obtaining telecoms licences.
There is a race on and the prize is customer data and the ability to use that data in a way that goes far beyond facilitating a payment transaction. Of course, having a greater amount of data about customers and using it in innovative ways is not necessarily a bad thing for the customer. However, the argument runs that there are significant barriers to entry in the form of European data protection laws and regulations for companies who seek to use US payment products more globally.
Given the myriad of potential stakeholders involved in providing a mobile payments solution, a key issue is to determine who will be acting as a data controller for the relevant personal data since it is the data controller that will generally be responsible for compliance with data protection laws. In some scenarios, for example, where the mobile payments solution simply involves an extension of the current web-based payment solutions offered by financial institutions, it will usually be the financial institutions that will be acting as data controllers. However, in other mobile payment models, the position may be different and in some situations, more than one party may be acting as a data controller.
Nevertheless, it is in the interests of all of the relevant stakeholders to ensure that the mobile payments solution as a whole achieves compliance with EU data protection laws. As in many other areas of technology development, designing for privacy from the outset is fundamental to achieving cost-effective compliance in the long term and the importance of the ‘privacy by design’ concept has been recognised by its inclusion in the proposed new EU Data Protection Regulation.
But what does ‘privacy by design’ really mean? Too often in the context of technological developments, the issue of security tends to be touted as the main data protection risk that arises. However, while security is obviously very important, it is only one part of the whole picture and there are a range of other data protection challenges that should not be overlooked at the design stage. For example, ‘privacy by design’ would also demand that the relevant data processing systems are designed in a way that: (i) minimises the data collected (for example by limiting the ‘data fields’ to be completed); (ii) ensures that only users that have a ‘need-to-know’ can access detailed transaction information; and (iii) takes account of circumstances in which a banking customer’s consent may be required and, if appropriate, provides an interface with the relevant consent mechanism.
In general, all of the relevant data protection principles should be factored into the design stage of a mobile payments solution, where it is possible to do so. Obviously, any design implementation would also need to take account of other laws and regulations (for example, telecommunications regulations and the rules in relation to the use of e-money).
Mobile payments are, and should be, the future for customers and merchants alike, and, as with Big Data, the law should not stand in the way. But by the same token, stakeholders cannot write themselves a blank cheque as regards what they can do with customer data and should be designing for compliance from the outset.
The proposed Regulation: A ‘catch-22’ for employment data
If there were any doubts under existing data protection law that employers cannot rely on consent to process personal data relating to employees, those doubts have now been laid to rest. The Regulation seems to envisage that there will always be a clear imbalance between the data subject and the controller in the employment context. Consequently, employers will need to justify processing of employee data on grounds other than consent. In many cases, this position is likely to mean that, unless the data processing is required by law (e.g. processing of sickness data to administer sick pay benefit), employers will need to rely on the so-called ‘legitimate interests’ criterion for the processing of employee personal data, namely that the processing is necessary for the legitimate interests pursued by the employer except where such interests are overridden by the interests or fundamental rights and freedoms of the employee which require protection of personal data.
In addition, employers will be required to specify the relevant legitimate interests pursued by them in the data protection notices that they provide to employees. If employers wish to process personal data for purposes other than those for which employment data was collected (as specified in the relevant data protection notices), they will have limited compliance options. The Regulation makes clear that, where the purpose of further processing is not compatible with the one for which the personal data has been collected, employers will not be able to justify the processing by reference to the legitimate interests criterion.
Given that consent is also unlikely to be an option, the Regulation presents a serious difficulty for employers since there are a number of scenarios in which employers may wish to use personal data in a way that is not compatible with the purposes for which it was collected. An important test of compatibility is whether the employer intends to use or disclose the employee data in a way in which employees would expect it to be used and disclosed.
So, for example, if employees have been told via an ‘acceptable use policy’ that monitoring is undertaken for a particular purpose, in general, it is likely to be unfair to use the information for another unexpected purpose. Simply getting employees to sign up to a new acceptable use policy may not get employers where they need to be since the new Regulation makes clear that such consent will not be valid. Neither will it be possible to rely on the legitimate interests criterion.
Consequently, it will be more important than ever to ensure that employers get their data protection notices/acceptable use policies right at the outset. In practice, the temptation for employers will be to draft very wide data protection notices to try to anticipate processing activities that they may wish to carry out in the future. In order to achieve compliance however, the challenge will be to get the balance right between a data protection notice that is comprehensive and one that is meaningful.
ICO offers one day advisory visits
The ICO has introduced informal advisory visits aimed at small-to-medium sized businesses, charities, not-for-profit organisations and public authorities that would like some help to improve their data protection practices.
While it is open to organisations to apply for a full-blown audit, the ICO makes the point in its published guidance on consensual audits that it takes a risk-based approach to such audits. In practice, this is likely to mean that the ICO will give priority to conducting audits of organisations that it considers to be high risk.
While the ICO guidance on advisory visits states that the ICO will give priority to organisations that will benefit most from a visit, the visits are likely to offer the opportunity for more audits of organisations perceived as being low risk who wish to benefit from the knowledge and experience of the ICO’s good practice team.
According to ICO guidance, an advisory visit would take one day and would look at three main areas as follows: Security; Records Management; and Requests for Personal Data. Within each of these areas, the ICO would look at what policies and procedures are in place in order to check that they are appropriate, verify that they are being followed and provide practical advice.
The one day visit would then be followed up by a report which would summarise the findings and identify areas for improvement. The fact that an advisory visit has been conducted with a particular organisation would be published on the ICO’s website. With the consent of the organisation, the ICO would also publish a short summary of the visit (which would include the background to the visit, the areas reviewed and a summary of the findings identifying good practice and areas for improvement).
Organisations can register their interest in an advisory visit by sending an email to the following address: advisory@ico.gsi.gov.uk.
The ICO has produced a guide to advisory visits which can be found here.
Information Commissioner publishes online data breach notification form
The Information Commissioner’s Office has produced a new form for organisations to report a data breach.
While public electronic communications service providers are required to notify the ICO of personal data security breaches, currently there is no obligation on other businesses to do so. However, according to existing ICO guidance, serious breaches should be brought to the attention of the ICO.
The instructions outlined in the new form indicate that, before completing the form, data controllers should read the earlier guidance: Notification of Data Security Breaches to the Information Commissioner’s Office. This guidance sets out various factors to be taken into account in deciding whether a breach is serious enough to merit reporting it to the ICO and also sets out the types of information that should be provided when making a notification.
It is clear that the form is intended as an aid to compliance rather than circumscribing the information to be provided to the ICO. It states that, in addition to completing the form, the ICO welcomes other relevant information (e.g. incident reports). While the form is available online, once completed, it should be submitted by email to the address specified in the form or sent by post.
The questions contained in the new form largely correspond to the types of information sought by the ICO as per its earlier guidance. However, it is interesting to note that the form also requests information about whether there has been any media coverage of the incident. It is clear from the earlier ICO guidance that whether or not there has been media coverage is likely to influence the extent to which the Information Commissioner needs to provide reassurance to the public via appropriate enforcement action.
The ICO has indicated that it will not usually take enforcement action unless a data controller fails to take recommended steps or there are other reasons to doubt compliance or there is a need to provide reassurance to the public. Consequently, where there has been a large amount of publicity in relation to a particular incident, data controllers should brace themselves for some sort of regulatory action.
The new form is available on the ICO website here.