Bring Your Own Device (BYOD) describes the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers, and databases (http://en.wikipedia.org/wiki/Bring_your_own_device).
Of course there are pros and cons as well as risks for both employer and employee, but these can and should be managed. As is so often the case though, the doomsayers are warning of all kinds of trouble ahead, and missing the real cause of the problem. In a recent Guardian article one local authority’s head of ICT was reported as saying that a BYOD policy was costing the council more than if it provided the devices itself. The basis of his argument was twofold:
Firstly, BYOD had increased demand on the council’s help desk. I can’t help wondering if this is not a positive impact, in that it suggests that the help desk might in fact be helping people use their devices rather than the more negative function of making sure they don’t try to use dangerous tools such as Delicious and Doodle.
The second line of argument illustrates the old habit of looking in the wrong place for the cause of the problem:
I also think you’ve got to factor in that if it all goes wrong, the local authority may fall foul of the information commissioner for a breach and get a £500,000 fine.
To date virtually all fines levied by by the data commissioner relate to misuse of data via employer owned devices, for example lost or stolen laptops. Some don’t even involve technology at all:
- Leicestershire County Council breached the Data Protection Act (DPA), following the theft of a briefcase containing sensitive personal data from a social worker’s home
- Croydon Council was fined £100,000 after a bag containing papers about a child sex abuse court case was stolen from a social worker in a pub
- Norfolk County Council was fined £80,000 after a social worker at the authority hand-delivered a report to the wrong address.
- Midlothian council fined £140,000 for sending sensitive data to the wrong people
The head of ICT is right to point out that employee-owned devices may increase the number ways in which data protection might be breached as the information ecology becomes more complex, but the response surely is to focus on user education so that people understand better the principles of data protection, copyright and so on. After all, it’s people, not technology, that break the law.