Employee losing own camera causes data protection breach

Following a data breach by the Royal Veterinary College, the ICO's office have again warned organisations of the importance of updating data protection policies to account for Bring Your Own Device.

17 October 2013

Following a breach of the Data Protection Act by the Royal Veterinary College (RVC), the Information Commissioner's Office (ICO) have again warned organisations of the importance of updating data protection policies to account for the growing trend of employees using personal portable devices for work purposes (a trend known as 'Bring Your Own Device').

As a result of the breach the RVC have provided the ICO with an undertaking, guaranteeing the future level of data protection training, follow-up procedures, use of encryption and other security measures they will adopt to ensure compliance with the Data Protection Act. A breach of the undertaking will result in a section 40 Enforcement Notice being served and potential fines being levied.

The RVC informed the ICO in December 2012 that a memory card containing passport images of job applicants had been stolen from a camera. The camera was owned by an employee who had used it for work purposes.

The RVC had policies and procedures in place for devices owned by the college, but had not dealt with the issues relating to Bring Your Own Device. Specifically, they failed to advise how personal information stored for work should be protected on personal devices. On investigation, the Commissioner also found that the employee data protection training provided was inadequate and failed to draw staff awareness to Information Governance policies.

In its guidance on Bring Your Own Device, the ICO identifies key issues which organisations should be aware of when allowing staff to utilise their own devices for work purposes. These include:

  • identifying which types of personal data may (or may not) be processed on personal devices
  • utilising strong passwords and encryption on devices
  • operating locate and wipe technology to enable the deletion of data where devices are lost or stolen
  • ensuring devices are automatically blocked or data deleted when incorrect passwords are repeatedly entered.

In addition to updating and enforcing data protection policies, the ICO highlights the importance of providing employees with adequate training on the policies in force and monitoring compliance with any procedures implemented.

The use of personal devices is becoming progressively common; a recent survey carried out by YouGov showed that 47% of all employees now use smartphones, tablet PCs or other portable devices for work purposes. If your staff policies, guidance and training don't reflect this increasing trend then you should act now to ensure your continued data protection compliance.

If you would like further information on any of the content above, please contact a member of our Data Protection team. 

The author Chris O’Connell is part of Burges Salmon’s Technology and Outsourcing team led by Andrew Dunlop. The team advises on all aspects of IT and technology law, IT outsourcings and data protection.

Key contact

Andrew Dunlop

Andrew Dunlop Partner

  • Head of Outsourcing
  • Head of Technology
  • Head of Data Protection

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more