UK BYOD: ICO Issues Undertaking To Royal Veterinary College After Camera Mishap.

The Royal Veterinary College has signed an Undertaking with the UK’s Information Commissioner’s Office after a memory card was stolen from a camera owned by RVC staff.  In terms of BYOD security this one takes the cake because how do you protect such data?  Mobile encryption software is not going to work in this situation as this requires a central processor powerful enough to encrypt and decrypt the data as required.

On the other hand, the Undertaking shows how smartphones and tablets used in the workplace (which generally come with cameras, as well as the ability to store sensitive data) could potentially be at the center of a data breach, and that the ICO will not turn a blind eye to it.

Camera’s Memory Card Stolen

According to the Undertaking signed by Mr. Ian Darker, Acting Head of the RVC, the loss of a memory card in December of 2012 resulted in a data breach.  The memory card was stolen from a staff member’s camera (which is weird.  The camera was right there, but someone decided to steal something that will fetch maybe $10?) and contained the passport photos of job applicants (six, according to databreaches.net).

A subsequent ICO investigation revealed that RVC did not have proper security controls and employee training in place, which is the purported reason for the Undertaking.

But honestly, I just can’t wrap my head around the fact that a camera and people’s portraits are at the center of the data breach.  Why were the images in the employee’s camera?  Did the employee personally take pictures of the applicants?  Or were these pictures of the pictures that the applicants submitted (which is odd in so many ways)?

It just doesn’t make any sense.

Nearly 50% of All Employees in UK Engaged in BYOD

According to databreaches.net, a survey by YouGov has shown that “47% of all UK employees now use their smartphone, tablet PC or other portable device for work purposes.”  It is not specified whether these are instances of authorized BYOD or the sort of Bring Your Own Device program that springs up at the ad hoc, grassroots level.  In other words, employees do what they want and higher management is oblivious until it is too late.

Organizations in the UK are urged to read the Bring Your Own Device Guideline released by the ICO in order to gain an understanding of what needs to be done to ensure that BYOD devices do not cause a workplace data breach.

Related Articles and Sites:
http://www.ico.org.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/Royal-Veterinary-College-Undertaking.pdf (PDF)
http://www.databreaches.net/ico-reminds-organizations-of-need-for-byod-policies-to-protect-data/

 


