Before permitting BYOD use in school, there are several things to consider:
- the type of data to be accessed via the device
- whether any data is going to be stored on the device
- how secure any data transfer to and from the device is
- whether there is any potential for data leakage
- the blurring of personal and business use
- how secure the device is
- what happens when the device owner leaves
- how to deal with the loss or theft of the device
Under the 1998 Data Protection Act, the school must take appropriate technical and organisational measures to prevent loss or unlawful processing of the data the device holds. This does not necessarily mean that schools should impose a blanket ban on the use of BYOD, as there can be benefits, including increased work efficiency, flexibility and job satisfaction. What it does mean is that schools considering the use of BYOD should first make sure they have a robust and well thought-through BYOD policy.
BYOD policy - a good place to start would be an audit of all the types of device likely to be used by staff in the school. Then consider which, if any, personal data should be accessed by those devices and which should be held more securely. It is important that users are made fully aware of their responsibilities for keeping any data safe and secure. This can be done by drawing up an acceptable use policy for BYOD. The policy should make it clear which data can be accessed via BYOD and which cannot. You may also wish to consider whether use of BYOD might conflict with any school policy on the use of social media.
It is important to determine how and where any personal data might be stored: on the device itself, on the school network, or externally on a public or private cloud. Regardless of where the information is stored, it is still the school’s responsibility, as data controller, to take appropriate measures against unauthorised access or loss of data. Be aware that some devices have removable memory cards, so loss of data may not be apparent for some time. Some security steps which could be taken include:
- using a password to secure access to the device
- using encryption to protect the information
- locking the device if an incorrect password is entered too many times
- locking the device if it is left inactive
- maintaining a clear separation between school and personal data, e.g. by using different apps
Your BYOD policy should also consider how data is transferred, as the transfer process can present risks. For maximum security, ensure all data is transferred via an encrypted channel and treat any public cloud-based sharing or back-up facility with extreme caution. You should also consider whether to insist on the disabling of interfaces such as Bluetooth or Wi-Fi.
Finally, the BYOD policy should facilitate compliance with the Data Protection Act. Although security of the device might be the primary concern, care should be taken to ensure that data is not processed for any purpose other than the one for which it was originally collected. Users should be informed of their responsibility to use the data strictly for school business. Also, if the data is stored on different devices there is the possibility of it becoming out of date. There is also the possibility that the data is stored for longer than necessary. There might also be some difficulty in responding to the right of the data subject to know how and where their information is stored.
BYOD raises a number of data protection concerns due to the fact that the device is owned by the user rather than the data controller. However, it is crucial that as data controller the school ensures that all processing of personal data which is under its control remains in compliance with the DPA. In the event of a security breach, you must be able to demonstrate that you have secured, controlled or deleted all personal data on a particular device.
Photo credit: Ivan Casasempere