
Media Statement - Privacy Commissioner Issues BYOD (Bring Your Own Device) Information Leaflet

Date: 31 August 2016

Privacy Commissioner Issues “BYOD (Bring Your Own Device)” Information Leaflet

(31 August 2016) The Privacy Commissioner for Personal Data, Hong Kong (“Privacy Commissioner”) today issued the “BYOD (Bring Your Own Device)” Information Leaflet (the “Information Leaflet”) to highlight the personal data privacy risks that an organisation needs to be aware of when it develops a BYOD policy. It also suggests best practices in allowing employees to use BYOD equipment.

BYOD is a practice that is becoming increasingly popular in organisations. It allows employees to use their own mobile devices to access and work with their employers’ organisational information. Privacy Commissioner Mr Stephen Kai-yi WONG said, “In allowing BYOD, organisations are reminded that such BYOD equipment contains private information about employees. Any protective measures implemented by the organisations should also respect such private information. Moreover, even though the organisation-collected personal data is stored on a device owned by the employee, it is important for organisations to realise that they remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (the “Ordinance”) in respect of this personal data.”

This new Information Leaflet states that organisations should consider:
  • Whether there is sufficient reminder to employees not to misuse organisation-collected personal data downloaded to or stored in BYOD equipment;
  • Whether sufficient technical measures are in place to enable BYOD equipment for accessing or storing organisation-collected personal data while respecting private information, for example, any alternatives, an effective control system and security measures.

Best practices are also suggested for organisations that plan to allow BYOD:
  • Establishing a BYOD policy describing its governance, such as roles and responsibilities of the organisation and the employees, and the approval procedure for deployment etc.;
  • Conducting a risk assessment to ascertain the types of personal data to be accessible by, or stored in, the BYOD equipment, and the harm and likelihood of its loss or unauthorised disclosure;
  • Applying technical solutions to reduce or contain the risks, such as implementing an independent and additional layer of password protection or access control, proper encryption of data stored and auto-erasure; and
  • Devising a monitoring and review mechanism to ascertain compliance with the BYOD policy while keeping up with any business changes.

The Information Leaflet is now available for download at the PCPD website (www.pcpd.org.hk//english/resources_centre/publications/files/BYOD_e.pdf).
 
-END-