BRING YOUR OWN DEVICE
- Archibald Conley
- 7 years ago
BRING YOUR OWN DEVICE
Legal Analysis & Practical TIPs for an effective BYOD corporate Policy

CONTENTS
1. What is BYOD?
2. Benefits and risks of BYOD in Europe
3. BYOD and existing Policies
4. Legal issues to take into account when implementing BYOD Policies
5. Practical TIPs for BYOD Policies

ABSTRACT

This document offers a practical and concrete legal overview of BYOD trends around Europe from a data protection perspective. The scope is twofold: (i) to highlight the main privacy and personal data protection legal issues related to BYOD; and (ii) to point out the main elements to be taken into account when drafting an effective BYOD Policy. This will help companies and entrepreneurs to better understand the relevant legal framework, to assess current policies, and to implement effective BYOD corporate standards.
AUTHORS
Paolo Balboni, Ph.D., Founding Partner, ICT Legal Consulting
Domenico Converso, LL.M., Senior Associate, ICT Legal Consulting

1. WHAT IS BYOD?

Mobile devices are consumer products that are starting to dominate the business world and change the way people do business. We are currently experiencing a huge rise in the popularity, uses and capabilities of mobile devices. For these reasons, many employers are increasingly dealing with demands from employees who wish to use their own devices in the workplace to carry out their activities. This trend is commonly known as Bring Your Own Device (BYOD), an expression that refers to employees' use of their own personal mobile devices to access, store and process corporate information and applications. BYOD, in other words, refers to the use of employee-owned devices to access enterprise content or networks.

The definition of BYOD, however, needs to be improved by clarifying the meaning of its three core elements: 1. mobile devices, 2. employees and 3. corporate information.

1. First of all, the definition of BYOD is strictly connected with the concept of mobile device, which is intended as a handheld computing device with an operating system (OS), equipped with different IT capabilities (Wi-Fi, Bluetooth, GPS, camera, etc.) and running various types of application software, also known as Apps. There are many types of mobile devices. In the definition of BYOD we should restrict the approach to mobile phones, smartphones, PDAs and tablets only.
2. The definition of BYOD, furthermore, also includes the concept of employee, which requires a short clarification. This term is, indeed, not used in a proper way, because it literally implies the existence of an employment agreement. However, in BYOD cases, we should refer to a broader category of workers, to be intended as individuals who work for an employer, whether under an employment agreement or any other contract where an individual undertakes to do or perform personally any work or service. For example: agency workers; short-term casual workers; freelancers; etc.

3. The concept of corporate information, instead, simply refers to information and personal data of the organization involved. More precisely, in the case of personal data, the organization acts as Data Controller (within the meaning of the applicable European Data Protection legislation) and is responsible and liable for unlawful data processing, even if the processing operations are carried out by its employees/workers.

2. BENEFITS AND RISKS OF BYOD IN EUROPE

In Europe, BYOD is a trend that can bring enterprises both substantial advantages and considerable risks.

Benefits

With regard to benefits, employers should seriously take into account that BYOD brings a high increase in productivity and innovation. Employees, indeed, are more comfortable and efficient with their own personal devices, which tend to be more cutting-edge. Furthermore, users upgrade to the latest hardware and software more frequently, and companies benefit from the use of such advanced and updated devices. Allowing employees to use personal devices also helps them avoid carrying multiple devices, with relevant consequences in terms of employee satisfaction.

From a cost-savings perspective, instead, BYOD allows companies to save budget by simply shifting costs to the user, with employees paying for mobile devices, applications and data services.
Lastly, BYOD gives employers the opportunity to embed data protection at the core of their business activities and to raise overall standards, for example by specifying the types of personal data that can be stored on particular devices and which should not (for example, the storage of sensitive data). [1]

Risks

Risks, on the other hand, are represented by the mixed (i.e., personal-professional) use of devices. From a data protection perspective, employees own, maintain and support the device, while employers must comply with data protection obligations.

In particular, employers need to assess, as clarified by the Information Commissioner's Office (the first European Data Protection Authority to issue guidelines on BYOD), the following aspects:
- what type of data is held;
- where data may be stored;
- how it is transferred;
- potential for data leakage;
- blurring of personal and business use;
- the device's security capacities;
- what to do if the person who owns the device leaves their employment; and
- how to deal with the loss, theft, failure and support of a device.

In fact, it is important to underline that employers are considered to be data controllers, which implies they need to remain in control of the personal data for which they are responsible/liable, regardless of the ownership of the device used to carry out the processing. If companies allow BYOD, they will have significantly less control over the device than they would have over a traditional corporately owned device. In this respect, the present document will help data controllers to ensure that risks associated with BYOD are appropriately managed.

[1] See Information Commissioner's Office, Bring your own devices, /Practical_application/ico_bring_your_own_device_byod_guidance.ashx

3. BYOD AND EXISTING POLICIES
In many cases, an employer already has certain corporate policies in place that may relate to or address some BYOD concerns (see, for example, corporate device policies, social media policies, wireless access policies, internet policies, etc.). Consistency between existing policies and BYOD policies is of fundamental importance!

Many current device policies regulate configuration and security requirements on the assumption that the company owns and centrally controls the device. These policies may in fact apply to all mobile devices, without distinguishing between company-owned devices and personally owned devices. However, to set the same rules for personal devices as for company-owned devices is a big mistake. At the same time, drafting different policies for personal devices could create confusion and disproportion.

Therefore, regardless of the choice made by an organization on policy structure, in many cases existing policies will need to be modified to ensure that proper distinctions are being drawn between personally and company-owned devices, and that existing policies are not over- or under-inclusive when it comes to addressing BYOD issues.

4. LEGAL ISSUES TO TAKE INTO ACCOUNT WHEN IMPLEMENTING BYOD POLICIES

In order to draft an effective and strong BYOD Policy, employers have to deal with numerous challenges, such as:
- the company does not own or physically control the devices;
- there is a wide variety of personal data to consider;
- personal data and information can potentially reside in multiple locations;
- safeguarding and retrieving the data can be difficult.

These elements give rise to a significant number of data protection legal issues, which we summarise in practical terms below.

Distinguishing privacy roles

First of all, it is important to underline that employers, under the European data protection legal framework, are personal data controllers.
It follows that they have to put in place, on non-corporate devices, appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing operations.
In fact, in this respect, the so-called European Data Protection Directive (Directive 95/46/EC) specifically requires that: "the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected" (see article 17).

It follows that employers (and not employees), despite the absence of physical control over the device, are obliged to comply with data protection rules.

Managing multiple categories of data

Another essential legal issue to take into account when drafting effective BYOD Policies is represented by the multiple types of personal data that can be processed with the employee's device. From a BYOD Policy perspective, an interesting way of categorizing those types of data is to distinguish between corporate and non-corporate information. The first are data (also personal) associated with the company, such as corporate e-mails, documents, and text messages. The second, instead, refers to data (also personal) that individuals create or store on the device for purely personal purposes (such as personal e-mails, pictures, phone numbers, etc.).

The problem is that employees' devices used in a corporate environment will likely contain both corporate and non-corporate information/personal data. For example, all e-mails, pictures and documents, both personal and corporate, may be stored in the same database on the privately owned device, which is under the sole privacy responsibility of the employer.
Despite the fact that current device architectures and operating systems do not usually support the native separation of those types of data, companies have to implement solid BYOD Policies. There, employers need to accurately specify which data are allowed to be stored on the device and which data need to be processed in a more restrictive environment (for example, by using different apps for business and personal use, or by storing corporate data within the corporate network instead of on the device).

Maintaining a clear separation between personal data processed on behalf of the data controller (employer) and data processed for the device owner's own purposes can minimize privacy responsibilities while simplifying and improving data collection.

Dealing with different purposes of data processing

Usage of BYOD could also increase the risk that personal data are processed for purposes different from the ones for which they were originally collected, kept for longer than necessary or not kept up to date. For example, if copies of data are stored on many different devices, there is an increased risk that personal data will be used for incompatible purposes, or become out-of-date or inaccurate over time. There is also an increased risk that data will be retained for longer than necessary, due to the fact that it is more difficult to keep track of all copies of the data.

Additionally, if multiple copies of data are stored on many different devices, it is more difficult to enable effective exercise of data subjects' rights. For example, it may be problematic to guarantee compliance with data subjects' access or deletion requests if one is not aware of all the devices on which personal data may be stored.

It is therefore strongly recommended that BYOD Policies impose an obligation on employees to:
1) connect to a central corporate repository of data when processing corporate information;
2) process corporate personal data only for corporate purposes.

Understanding where data might reside: data location

Personal data processed via a personal device may primarily reside in three locations:
1) on the device;
2) on a server within the organisation's IT network or in a private cloud; or
3) in a community or public cloud.
The better solution might be to use the corporate network or a private cloud: in this case, in fact, employers are able to meet the privacy requirements and compliance obligations without needing access to the employee's device.

Note that certain types of data are practically impossible to retrieve. For example, current devices do not usually store unlimited call history, text message data, browser history and cache. Telecommunication carriers may have more complete data available; however, such data are in principle accessible only to law enforcement agencies, or to employers but only on the basis of a court order.

Therefore, a BYOD Policy should set out a procedure providing for regular backup and/or synchronization on the corporate network (or private cloud).

Unlawful access

In case devices get stolen, employers should take appropriate technical and organizational measures to protect data against unauthorized or unlawful access. As pointed out by ICO [2], such measures can include:
- controlling access to the data or device using a password or PIN; (or)
- encrypting the data.

It is fundamental to consider the security of the access credentials in the event of loss or theft of the device. In fact, if a device is used to access a cloud service or an IT network and permits users to remain logged in between sessions, unauthorized access to the device could easily result in an unauthorized disclosure of personal data.

Control of the device

In the case (not recommended) where personal data are stored on a device, it will be important to consider the safe and secure deletion of the data throughout the lifecycle of the device, and particularly if the device is to be sold, gets stolen or lost, or is transferred to a third party. Employers, therefore, shall ensure the confidentiality of any personal data stored on the device.

[2] See Information Commissioner's Office, Bring your own devices, /Practical_application/ico_bring_your_own_device_byod_guidance.ashx
For example, as has been suggested by ICO, most modern devices offer the possibility to locate personal data remotely and delete data on demand. Such operations can also be managed by third-party software known as Mobile Device Management (MDM).

MDM services, however, allow employers to record and track the device in real time. In legal terms, this is a really delicate issue, involving European Member States' specific employment legislation. The risk is to fall within the remote monitoring and surveillance of workers, which is in principle not allowed throughout the European Union. Employees, in fact, have legitimate expectations that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment.

As has been clarified by the Article 29 Working Party in its Opinion 8/2001 on the processing of personal data in the employment context [3]:
- any monitoring must be a proportionate response by an employer to the risks it faces, taking into account the legitimate privacy and other interests of workers;
- any personal data held or used in the course of monitoring must be adequate, relevant and not excessive for the purpose for which the monitoring is justified. Any monitoring must be carried out in the least intrusive way possible. It must be targeted on the area of risk, taking into account the data protection rules and, where applicable, the principle of secrecy of correspondence;
- employees must be informed of the existence of the surveillance, the purposes for which personal data are to be processed and other information necessary to guarantee fair processing.

The transfer of personal data

Another issue to take into account when implementing a BYOD Policy regards the transfer of personal data between the personal device and the corporate IT system. The transfer process, in fact, can present significant risks of interception.
Employers, thus, might consider forcing all traffic through encrypted channels (such as a VPN or HTTPS for individual services) in order to offer some security when employees are using untrusted connections (for example, a Wi-Fi network).

[3] See Working Party Article 29, Opinion 8/2011 on the processing of personal data in the employment context.
A good practice, on this point, might be to include in BYOD Policies specific guidelines to employees on how to assess the security of Wi-Fi networks, such as those found in hotels, cafes, restaurants, etc.

Moreover, it is worth noting that, pursuant to Article 25 of the EU Privacy Directive (Directive 95/46/CE), transfers of personal data to a third country outside the European Economic Area can only take place where the third country ensures an adequate level of protection for the data. Article 26, however, sets out derogations, including instances in which:
- the data subject has given his consent unambiguously to the proposed transfer; (or)
- the transfer is necessary for the performance of a contract between the data subject and the controller; (or)
- the transfer is on the basis of standard contractual clauses approved by the Commission as providing adequate safeguards;
- etc.

In this respect, it should be borne in mind that many transfers of personal data are from a data controller in the EU (for example, the employer) to a data processor outside the EU (for example, the Cloud Provider).

5. PRACTICAL TIPS FOR BYOD POLICIES

1. KEY DEFINITIONS
Make distinctions between company-owned devices and personal devices.

2. PROHIBITED INFORMATION/DATA
Specify what types of information/personal data are allowed/prohibited and can/cannot be stored on the device. BYOD Policies, for example, may state that employees cannot download sensitive data or privileged information onto their personal devices unless they are downloaded into a corporate IT folder or network.

3. SECURITY INCIDENT
Set an obligation (within the BYOD Policy) on employees to promptly report any actual or reasonably suspected incidents of hacking or unauthorized disclosure of information contained on the device.
4. SECURITY
Address device/data security (e.g., devices must be password protected; encryption of data; secure connections, etc.).

5. INTERNATIONAL DATA TRANSFERS
Consider personal data flows/transfers due to the use of cloud services and social networks: e.g., transfers of data to countries outside the EEA which do not offer an adequate level of data protection.

6. DEVICE SYSTEM REQUIREMENTS AND LIMITATIONS
Require employees to meet a minimum set of requirements on their own personal devices. Device configurations should prohibit, for example:
- automatic back-up or cloud storage;
- the use of the personal device as a mobile hotspot;
- certain specific application installations (such as jail-break or unauthorized modding of devices).

7. SOCIAL MEDIA
Consider employees' social media use and coordinate the Social Media Policy with the BYOD Policy.

8. LABOUR LAW
Consider Labour Law implications/limitations vs. Mobile Device Management tools. For example:
- involve employees and their representatives in the development of a BYOD Policy;
- identify the purposes behind the monitoring of workers;
- inform employees about the purpose and the reasons of any monitoring;
- clarify that, although employees have reasonable expectations of privacy on their personal devices, the employer has the right to monitor or access the device for specified corporate reasons.

9. APPS
Clarify whether employees can download, install and use Apps. Companies may also use technology for preventing downloads of questionable apps or copyright-infringing content on the device.

10. IT DEPARTMENT
BYOD Policies should provide that the employee must present any mobile devices to the employer's IT department prior to connecting to the company network, and that the employee consents to the employer installing proper security protocols and necessary office software.

CONCLUSION

As pointed out by ICO [4], an effective BYOD policy can lead to a number of benefits, including improved employee job satisfaction, overall morale increase, increased job efficiency and increased flexibility. By considering the risks to data protection at the outset, employers have the opportunity to embed data protection at the core of their business activities and to raise overall standards.

Paolo Balboni, Ph.D., Founding Partner, ICT Legal Consulting, paolo.balboni@ictlegalconsulting.com
Domenico Converso, LL.M., Senior Associate, ICT Legal Consulting, domenico.converso@ictlegalconsulting.com

[4] See Information Commissioner's Office, Bring your own devices, /Practical_application/ico_bring_your_own_device_byod_guidance.ashx
Mobile Devices Policy Item Policy description Division Director Contact Description Guidelines to ensure that mobile devices are deployed and used in a secure and appropriate manner. IT Services and Records
More informationGUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES
GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES CONTENT 1. WHY A CLOUD COMPUTING GUIDE?... 2 2. WHAT IS CLOUD COMPUTING?... 4 3. WHAT ARE THE ROLES OF THE CLOUD SERVICES
More informationMobile Security: Controlling Growing Threats with Mobile Device Management
Mobile Security: Controlling Growing Threats with Mobile Device Management As the use of mobile devices continues to grow, so do mobile security threats. Most people use their mobile devices for both work
More informationArticle 29 Working Party Issues Opinion on Cloud Computing
Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,
More informationThis policy outlines different requirements for the use of PSDs based on the classification of information.
POLICY OFFICE OF THE INFORMATION COMMISSIONER Use of portable storage devices 1. Purpose A Portable Storage Device (PSD) is a mobile device capable of storing and transferring digital information. Examples
More informationPolicy for Staff and Post 16 Student BYOD (Bring Your Own Device)
Policy for Staff and Post 16 Student BYOD (Bring Your Own Device) Date approved: 7 th May 2015 Review Schedule: Annual Reviewed: Next review: 1 Context Aims of this Policy Definitions CONTENTS 1. OVERVIEW...
More informationAppendix 11 - Swiss Data Protection Act
GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the
More informationPRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)
PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard
More informationXperia TM. in Business. Enterprise Mobility Management. Read about how Xperia devices can be administered in a corporate IT environment.
Xperia TM in Business Enterprise Mobility Management Read about how Xperia devices can be administered in a corporate IT environment April 2016 About this document Products covered This document describes
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationstacktools.io Services Device Account and Profile Information
Privacy Policy Introduction This Privacy Policy explains what information Super7ui LLC collect about you and why, what we do with that information, how we share it, and how we handle the content you place
More informationData Protection Policy.
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
More informationSuccessful ediscovery in a Bring Your Own Device Environment
IT@Intel White Paper Intel IT IT Best Practices IT Governance and IT Consumerization June 2012 Successful ediscovery in a Bring Your Own Device Environment Executive Overview Close collaboration between
More information<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129
Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the
More informationSample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 )
Sample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 ) Overview: The Bring Your Own Device (BYOD) program allows employees to use their own computing
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationWhite Paper Security. Data Protection and Security in School Management Systems
White Paper Security Data Protection and Security in School Management Systems This paper clarifies the roles and responsibilities of those dealing with the data that is central to school management systems.
More informationtrends and audit considerations
Bring your own device (BYOD) trends and audit considerations SIFMA IT audit session 4 October 2012 Disclaimer Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited,
More informationCounty of Grande Prairie - Information Systems
County of Grande Prairie - Information Systems Title [Systems] [BRING YOUR OWN DEVICE - BYOD] - Procedure Location Buddie Systems and HR Documents Approved by Natalia Madden Collaborators Sophie Mercier,
More informationAccess Control Policy
Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you
More informationINFORMATION SECURITY POLICY
INFORMATION SECURITY POLICY Rev Date Purpose of Issue/ Description of Change Equality Impact Assessment Completed 1. June 2011 Initial Issue 2. 29 th March 2012 Second Version 3. 15 th April 2013 Third
More informationSummary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act
Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act On 1 January 2016, the Dutch Data Breach Notification Act will enter into force. The Dutch DPA issued Guidelines
More informationThe BYOD Challenge. Noel A. Nazario Senior Manager, Ernst & Young. ISACA NCAC Emerging Technology Conference 20 November 2012
The BYOD Challenge Noel A. Nazario Senior Manager, Ernst & Young ISACA NCAC Emerging Technology Conference 20 November 2012 Disclaimer The methods and approaches discussed are intellectual property of
More informationPRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA
PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA Updated: 20 Jun 2015 (substitutes previous versions) This Privacy Policy describes
More informationDocument Type Doc ID Status Version Page/Pages. Policy LDMS_001_00161706 Effective 2.0 1 of 7 Title: Corporate Information Technology Usage Policy
Policy LDMS_001_00161706 Effective 2.0 1 of 7 AstraZeneca Owner Smoley, David Authors Buckwalter, Peter (MedImmune) Approvals Approval Reason Approver Date Reviewer Approval Buckwalter, Peter (MedImmune)
More informationInformation Governance Framework. June 2015
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
More informationSecurity Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0
Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features
More informationData controllers and data processors: what the difference is and what the governance implications are
ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a
More informationPRIVACY AND DATA SECURITY MODULE
"This project has been funded under the fourth AAL call, AAL-2011-4. This publication [communication] reflects the views only of the author, and the Commission cannot be held responsible for any use which
More informationInvestigation Report: HKA Holidays Limited Leaked Customers Personal Data through the Mobile Application TravelBud
Published under Section 48(2) of the Personal Data (Privacy) Ordinance (Cap. 486) Investigation Report: HKA Holidays Limited Leaked Customers Personal Data through the Mobile Application TravelBud Report
More informationPlease Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision.
May 2013 Bring Your Own Device Policy Template for Further Education Please Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision. Table
More informationBYOD. and Mobile Device Security. Shirley Erp, CISSP CISA November 28, 2012
BYOD and Mobile Device Security Shirley Erp, CISSP CISA November 28, 2012 Session is currently being recorded, and will be available on our website at http://www.utsystem.edu/compliance/swcacademy.html.
More informationCloud Software Services for Schools
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact
More informationUse Bring-Your-Own-Device Programs Securely
Use Bring-Your-Own-Device Programs Securely By Dale Gonzalez December 2012 Bring-your-own-device (BYOD) programs, which allow employees to use their personal smartphones, tablets and laptops in and out
More informationCLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential
More informationHow To Support Bring Your Own Device (Byod)
WHITE PAPER: EXPLOITING THE BUSINESS POTENTIAL OF BYOD........................................ Exploiting the business potential of BYOD (bring your own device) Who should read this paper This paper addresses
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationE-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY
E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY Oana Dolea 7 th Annual Leg@l.IT Conference March 26th, 2013 Montreal, Canada INTRODUCTION Mobile e-commerce vs. E-commerce Mobile e-commerce:
More informationLEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT
LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text
More informationData Protection Consent Clause and Policy Background
Data Protection Consent Clause and Policy Background The Singapore Personal Data Protection Act - 2012 (PDPA) establishes a data protection law that comprises various rules governing the collection, use,
More informationLast updated: 30 May 2016. Credit Suisse Privacy Policy
Last updated: 30 May 2016 Credit Suisse Please read this privacy policy (the ) as it describes how we intend to collect, use, store, share, and safeguard your information. By accessing, visiting or using
More informationModule 1: Facilitated e-learning
Module 1: Facilitated e-learning CHAPTER 3: OVERVIEW OF CLOUD COMPUTING AND MOBILE CLOUDING: CHALLENGES AND OPPORTUNITIES FOR CAs... 3 PART 1: CLOUD AND MOBILE COMPUTING... 3 Learning Objectives... 3 1.1
More informationBUSINESS ONLINE BANKING AGREEMENT
BUSINESS ONLINE BANKING AGREEMENT This Business Online Banking Agreement ("Agreement") establishes the terms and conditions for Business Online Banking Services ( Service(s) ) provided by Mechanics Bank
More information"choose your own device" : the employer still provides the hardware and the employee can choose e.g. the model.
WHAT IS BYOD? BYOD comes in "different shades of grey". "bring your own device" : employees are allowed to use their privately owned hard- and software. IT-applications and company data of the employer
More information"Secure insight, anytime, anywhere."
"Secure insight, anytime, anywhere." THE MOBILE PARADIGM Mobile technology is revolutionizing the way information is accessed, distributed and consumed. This 5th way of computing will dwarf all others
More informationKaspersky Security 10 for Mobile Implementation Guide
Kaspersky Security 10 for Mobile Implementation Guide APPLICATION VERSION: 10.0 MAINTENANCE RELEASE 1 Dear User, Thank you for choosing our product. We hope that you will find this documentation useful
More informationMobile Device Security Is there an app for that?
Mobile Device Security Is there an app for that? Session Objectives. The security risks associated with mobile devices. Current UC policies and guidelines designed to mitigate these risks. An approach
More informationHands on, field experiences with BYOD. BYOD Seminar
Hands on, field experiences with BYOD. BYOD Seminar Brussel, 25 september 2012 Agenda Challenges RIsks Strategy Before We Begin Thom Schiltmans Deloitte Risk Services Security & Privacy Amstelveen tschiltmans@deloitte.nl
More informationRAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER
RaySafe S1 SECURITY WHITEPAPER Contents 1. INTRODUCTION 2 ARCHITECTURE OVERVIEW 2.1 Structure 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector 3.2 Security Aspects for RaySafe S1 cloud-based
More informationPersonal Data Act (1998:204);
Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their
More informationLEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
More informationHow To Ensure Health Information Is Protected
pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health
More informationBlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide
BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide Published: 2015-02-24 SWD-20150223125016631 Contents 1 Introduction...9 About this guide...10 What is BlackBerry
More information