RISK: Bring your own device (BYOD)

SMARTPHONES are becoming an increasingly common resource in the delivery of patient care as healthcare professionals take advantage of text and picture messaging or refer to one of the many clinical apps.

But while the use of personal smartphones at work has advantages, it also poses a threat to patient confidentiality that employers must be mindful of. This includes not only the transmission of written patient identifiable information but also the sharing of still and moving images for diagnostic advice purposes.

A recent survey published in the Postgraduate Medical Journal concluded: “There is a need for guidance on how patient information can be safely secured and transmitted using smartphones, their appropriate use, and any restrictions on the use of these devices in certain clinical settings.”

Right on cue, the Office of the Information Commissioner (ICO) subsequently produced new and imaginatively titled guidance on this subject called Bring Your Own Device (BYOD).

The guidance is aimed at data controllers and raises a number of important considerations when permitting the use of personal devices (which the organisation has no direct control over) to process personal data (for which they are responsible).

It addresses a number of concerns that can arise when a device is owned by the user (i.e. the doctor) rather than an organisation. It acknowledges that under the Data Protection Act personal data must be processed lawfully and in line with the seventh data protection principle that: “appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.”

The Information Commissioner notes that it is crucial that data controllers ensure all processing of personal data under their control remains in full compliance with the DPA. He emphasises that organisations should remain mindful of the personal usage of devices and that measures employed to protect personal data must remain proportionate to and justified by any real benefits that will be delivered.

Many organisations receive requests from employees to use personal smartphones to carry out their jobs. This means corporate/ clinical information, as well as the individual’s own private data, will be accessed, processed and stored on a single device.

BYOD emphasises that the data controller must remain in control of the personal data for which he is responsible, regardless of who owns the device used to process it. Consideration needs to be given to the type of data being held, where it may be stored and how it is transferred. The potential for “data leakage” and any blurring of lines between personal and business use should also be assessed.

Further consideration includes what to do when a personal device owner leaves their employment, and how to deal with any loss, theft, failure and support of a device.

The Information Commissioner points out that “an effective BYOD policy can lead to a number of benefits, including improved employee job satisfaction, increased job efficiency and increased flexibility. By considering the risks to data protection at the outset, a data controller has the opportunity to embed data protection at the core of its business activities and to raise overall standards, for example by specifying the types of personal data that can be stored and processed on particular devices”.

A good place to start could be an audit of the types of personal data you are processing and the devices, including their ownership, which will be used to hold it. This should clearly identify what personal data can be processed on a personal device and which must be held in a more restrictive environment.

Conversely, the use of employees’ own devices may also mean that the employer ends up processing non-corporate information about the owner of the device and possibly others who use it, such as family members. In a nutshell the employer must consider whether the controls in place are appropriate and proportionate for any sensitive personal data being processed.

The BYOD guidance also addresses the practical and technical risks of connecting personal devices to organisational IT systems and the importance of individuals fully understanding their responsibilities in this area.

It is also worth mentioning the issue of monitoring at work. The ICO has previously published guidance for employers on this topic, which reminds us that employees have legitimate expectations that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment.

Employers who wish to monitor their workers should be clear about the purpose and be satisfied that the particular monitoring arrangement is justified by real benefits.

Therefore, when drafting your own BYOD acceptable use policies, it is useful to also take into account the ICO’s Employment Practice Code.

Download the full guidance here

Alan Frame is a risk adviser at MDDUS