The Information Commissioner’s Office (ICO) has warned organisations to include in data protection policies provision to address employees’ use of personal devices, such as smartphones, tablets and laptops, for work purposes.

The Royal Veterinary College (RVC) recently gave an undertaking to the Information Commissioner following a data breach involving the theft of an employee’s personal camera memory card in December 2012.

The memory card included stored photographs of six job applicants’ passports.  The RVC had no guidance in place on the storage on personal devices of personal information for work purposes.

The seventh data protection principle in the Data Protection Act 1998 (DPA) obliges data controllers to take appropriate technical and organisational measures against unauthorised processing and accidental loss of personal data.

RVC have undertaken to provide mandatory training to staff, recording and monitoring of such training, encryption of portable devices and physical and other appropriate security measures to ensure compliance with the seventh principle.

The ICO highlighted the increasing use of personal devices for work purposes.  It indicated that organisations should update data protection policies and provide staff with guidance and training to account for this trend.

For further advice on your data protection policies, please contact us at: