BYOD Threats Concern British Privacy Regulator

The bring-your-own-device (BYOD) movement poses significant threats to data security and privacy, said the U.K.'s Information Commissioner's Office (ICO) at its annual conference in Manchester last week. The ICO is the government body set up to police data privacy and levy hefty fines on organizations it deems have too lax control over personal data.

The organization said its basis for raising such concerns is a study it recently conducted about BYOD attitudes among the British public. The ICO upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals, as set out in the U.K.'s Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

The ICO study's study found many employers appear to have a way-casual (in its phrase, laissez faire) attitude about allowing staff to use their personal laptops, tablet computers or smartphones for work. It warns that may be "placing people's personal information at risk" – and it doesn't like it.

[ What's the most dangerous smartphone? See Malware Writers Prefer Android. ]

The online survey, carried out by well-known U.K. consumer attitude pollsters YouGov, polled 2,151 British adults from Feb. 27 through March 1, 2013.

They found that 47% of all U.K. adults now use their personal smartphone, laptop or tablet computer for work purposes.

That would be fine, except fewer than three in 10 get guidance from their bosses on how to use BYOD, said the Information Commissioner. It said that raises "worrying concerns" that people may not understand how to look after the personal information accessed and stored on these devices.

"Employers must have adequate controls in place to make sure this information is kept secure," warned Simon Rice, the ICO's group manager for technology.

Rice also said many businesses aren't properly calculating the cost of introducing these controls -- which can range from being "relatively modest" to "quite significant." As a result, he is concerned any expected advantage from BYOD may not actually be delivered.

"Certainly," he said, "the sum will pale into insignificance when you consider the reputational damage caused by a serious data breach."

He should know: the ICO just fined a public sector nursing and midwifery organization £130,000 ($224,000) for losing three DVDs related to a nurse's misconduct hearing.

To help address these BYOD gaps, ICO has published a free guide to help CIOs address some of the main issues around properly protecting customer, patient or personal data in a BYOD context.

The guidance comes in the context of what -- echoing that ancient Chinese curse -- the Information Commissioner, Christopher Graham, calls "interesting times".

Speaking to some 800 data compliance officers at the conference, Graham said the ICO's annual conference fell at "a decisive moment for the data protection sector."

Graham's reference is to ongoing changes in European data legislation and the U.K's own struggle to find new ways of protecting privacy and free speech in an age of press intrusions and Twitter.

Still, for Graham, "Our central purpose remains unchanged: upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals."