Privacy Commissioner Issues New Guidance on BYOD

In August 2016, the Hong Kong Privacy Commissioner for Personal Data issued new guidance for employers who operate a Bring Your Own Device (“BYOD”) scheme in the workplace. BYOD is an organisational policy that allows employees to use their own personal mobile devices to access the organisation’s information, including personal data collected by the organisation. This practise is becoming increasingly popular but there are potential data privacy risks surrounding employees using their personal devices to access personal data held by the organisation.  Similarly, where an employee uses their personal device for work purposes then there is a risk that the employer will have access to personal and non-work related information held on the employee’s device. The new guidance helps to mitigate these risks by suggesting best practices to follow.

Responsibility to protect personal data is placed on the employer. The Commissioner states that even though the personal data is stored on a device owned by the employee, the organisation remains fully responsible for the security of data in compliance with the Personal Data Privacy Ordinance (“PDPO”). Organisations are expected to establish administrative, physical and technical measures to ensure that all personal data is protected. These measures should be reinforced through written policies, notifications and training. However organisations are also reminded that BYOD equipment contains private information about employees which organisations must respect and take measures to avoid a reverse flow of personal information from employee’s devices to the organisation.

The following best practices are suggested by the guidance: 

  • A clear BYOD policy should be established. This policy should detail the roles, obligations and responsibilities of both the organisation and the employees using personal devices.  Organisations can use this policy to clearly outline which information can be accessible by personal devices.
  • A risk assessment should be undertaken to determine the types of data that BYOD devices can access and store. The harm and likelihood of the loss or unauthorised disclosure of any personal data should also be assessed. This risk assessment should be used to inform decisions around the types of personal data that can be accessed by BYOD devices and develop proportionate access controls and measures to protect the data.
  • Technical solutions should be considered and applied to reduce and contain the risks of any loss of personal data. Control software and applications are recommended to enhance device security as they can be used to remotely wipe, lock or track the physical location of BYOD devices.  Organisations may also choose to implement an additional layer of password protection, encrypt data held on BYOD devices or auto-erase business applications on the devices which contain organizational data where the device is lost or has not connected to the organisation’s servers for a pre-defined period of time.
  • Organisations should regularly review and update all policies and measures surrounding compliance to BYOD guidelines. Protection measures should be fine-tuned and revised in line with any technological advancements or business changes. 

Partner, Eversheds

Consultant, Eversheds