BRING YOUR OWN DEVICE


Legal Analysis & Practical TIPs for an effective BYOD corporate Policy

CONTENTS
1. What is BYOD?
2. Benefits and risks of BYOD in Europe
3. BYOD and existing Policies
4. Legal issues to take into account when implementing BYOD Policies
5. Practical TIPs for BYOD Policies

ABSTRACT

This document offers a practical and concrete legal overview of BYOD trends around Europe from a data protection perspective. The scope is twofold: (i) to highlight the main privacy and personal data protection legal issues related to BYOD; and (ii) to point out the main elements to be taken into account when drafting an effective BYOD Policy. This will help companies and entrepreneurs to better understand the relevant legal framework, to assess current policies, and to implement effective BYOD corporate standards.

AUTHORS
Paolo Balboni, Ph.D., Founding Partner, ICT Legal Consulting
Domenico Converso, LL.M., Senior Associate, ICT Legal Consulting

1. WHAT IS BYOD?

Mobile devices are consumer products that are starting to dominate the business world and change the way people do business. We are experiencing a huge rise in the popularity, uses and capabilities of mobile devices. For these reasons, many employers are increasingly dealing with demands from employees who wish to use their own devices in the workplace to carry out their activities. This trend is commonly known as Bring Your Own Device (BYOD), an expression that refers to employees' use of their own personal mobile devices to access, store and process corporate information and applications. BYOD, in other words, refers to the use of employee-owned devices to access enterprise content or networks.

The definition of BYOD, however, needs to be refined by clarifying the meaning of its three core elements: (1) mobile devices, (2) employees and (3) corporate information.

1. First of all, the definition of BYOD is strictly connected with the concept of mobile device, understood as a handheld computing device with an operating system (OS), equipped with different IT capabilities (Wi-Fi, Bluetooth, GPS, camera, etc.) and running various types of application software, also known as Apps. There are many types of mobile devices. For the definition of BYOD we should restrict the approach to mobile phones, smartphones, PDAs and tablets.

2. The definition of BYOD also includes the concept of employee, which requires a short clarification. The term is not used in its proper sense, because it literally implies the existence of an employment agreement. In BYOD cases, however, we should refer to a broader category of workers, understood as individuals who work for an employer, whether under an employment agreement or any other contract where an individual undertakes to do or perform personally any work or service. For example: agency workers; short-term casual workers; freelancers; etc.

3. The concept of corporate information, instead, simply refers to information and personal data of the organization involved. More precisely, in the case of personal data, the organization acts as Data Controller (within the meaning of the applicable European Data Protection legislation) and is responsible and liable for unlawful data processing, even if the processing operations are carried out by its employees/workers.

2. BENEFITS AND RISKS OF BYOD IN EUROPE

In Europe, BYOD is a trend that can bring enterprises both substantial advantages and considerable risks.

Benefits

With regard to benefits, employers should seriously take into account that BYOD brings a marked increase in productivity and innovation. Employees are more comfortable and efficient with their own personal devices, which tend to be more cutting-edge. Furthermore, users upgrade to the latest hardware and software more frequently, and companies benefit from the use of such advanced and updated devices. Allowing employees to use personal devices also spares them from carrying multiple devices, with a positive effect on employee satisfaction.

From a cost-savings perspective, BYOD allows companies to save budget by simply shifting costs to the user, with employees paying for mobile devices, applications and data services.

Lastly, BYOD gives employers the opportunity to embed data protection at the core of their business activities and to raise overall standards, for example by specifying the types of personal data that can be stored on particular devices and which should not (for example, the storage of sensitive data). [1]

Risks

Risks, on the other hand, arise from the mixed (i.e., personal-professional) use of devices. From a data protection perspective, employees own, maintain and support the device, while employers must comply with data protection obligations. In particular, employers need to assess, as clarified by the Information Commissioner's Office (the first European Data Protection Authority to issue guidelines on BYOD), the following aspects:

- what type of data is held;
- where data may be stored;
- how it is transferred;
- potential for data leakage;
- blurring of personal and business use;
- the device's security capacities;
- what to do if the person who owns the device leaves their employment; and
- how to deal with the loss, theft, failure and support of a device.

It is important to underline that employers are considered to be data controllers, which implies that they need to remain in control of the personal data for which they are responsible/liable, regardless of the ownership of the device used to carry out the processing. If companies allow BYOD, they will have significantly less control over the device than they would have over a traditional corporately owned device. In this respect, the present document will help data controllers to ensure that risks associated with BYOD are appropriately managed.

[1] See Information Commissioner's Office, Bring your own devices /Practical_application/ico_bring_your_own_device_byod_guidance.ashx

3. BYOD AND EXISTING POLICIES

In many cases, an employer already has certain corporate policies in place that may relate to or address some BYOD concerns (for example, corporate device policies, social media policies, wireless access policies, internet policies, etc.). Consistency between existing policies and BYOD policies is of fundamental importance!

Many current device policies regulate configuration and security requirements on the assumption that the company owns and centrally controls the device. These policies may in fact apply to all mobile devices, without distinguishing between company-owned devices and personally owned devices. However, setting the same rules for personal devices as for company-owned devices is a big mistake. At the same time, drafting different policies for personal devices could create confusion and disproportion.

Therefore, regardless of the choice made by an organization on policy structure, in many cases existing policies will need to be modified to ensure that proper distinctions are drawn between personally owned and company-owned devices, and that existing policies are not over- or under-inclusive when it comes to addressing BYOD issues.

4. LEGAL ISSUES TO TAKE INTO ACCOUNT WHEN IMPLEMENTING BYOD POLICIES

In order to draft an effective and strong BYOD Policy, employers have to deal with numerous challenges, such as:

- the company does not own or physically control the devices;
- there is a wide variety of personal data to consider;
- personal data and information can potentially reside in multiple locations;
- safeguarding and retrieving the data can be difficult.

These elements give rise to a significant number of data protection legal issues, which we summarise in practical terms below.

Distinguishing privacy roles

First of all, it is important to underline that employers, under the European data protection legal framework, are personal data controllers. It follows that they have to put in place, on non-corporate devices, appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing operations.

In this respect, the so-called European Data Protection Directive (Directive 95/46/EC) specifically requires that: "the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected" (see article 17).

It follows that employers (and not employees), despite the absence of physical control over the device, are obliged to comply with data protection rules.

Managing multiple categories of data

Another essential legal issue to take into account when drafting effective BYOD Policies is the multiple types of personal data that can be processed with the employee's device. From a BYOD Policy perspective, a useful way of categorizing those types of data is to distinguish between corporate and non-corporate information. The first are data (including personal data) associated with the company, such as corporate e-mails, documents, and text messages. The second are data (including personal data) that individuals create or store on the device for purely personal purposes (such as personal e-mails, pictures, phone numbers, etc.).

The problem is that employees' devices used in a corporate environment will likely contain both corporate and non-corporate information/personal data. For example, all e-mails, pictures and documents, both personal and corporate, may be stored in the same database on the privately owned device, which is under the sole privacy-responsibilities of the employer.

Although current device architectures and operating systems usually do not support the native separation of those types of data, companies have to implement solid BYOD Policies. In them, employers need to specify accurately which data are allowed to be stored on the device and which data need to be processed in a more restrictive environment (for example, by using different apps for business and personal use, or by storing corporate data within the corporate network instead of on the device).

Maintaining a clear separation between personal data processed on behalf of the data controller (employer) and data processed for the device owner's own purposes can minimize privacy responsibilities while simplifying and improving data collection.

Dealing with different purposes of data processing

Use of BYOD could also increase the risk that personal data are processed for purposes different from the ones for which they were originally collected, kept for longer than necessary, or not kept up to date. For example, if copies of data are stored on many different devices, there is an increased risk that personal data will be used for incompatible purposes, or become out-of-date or inaccurate over time. There is also an increased risk that data will be retained for longer than necessary, because it is more difficult to keep track of all copies of the data.

Additionally, if multiple copies of data are stored on many different devices, it is more difficult to enable the effective exercise of data subjects' rights. For example, it may be problematic to guarantee compliance with a data subject's access or deletion request if one is not aware of all the devices on which personal data may be stored.

It is therefore strongly recommended that BYOD Policies impose an obligation on employees to:

1) connect to a central corporate repository of data when processing corporate information;
2) process corporate personal data only for corporate purposes.

Understanding where data might reside: data location

Personal data processed via a personal device may primarily reside in three locations:

1) on the device;
2) on a server within the organisation's IT network or in a private cloud; or
3) in a community or public cloud.

The better solution might be to use the corporate network or a private cloud: in this case, employers are able to meet the privacy requirements and compliance obligations without needing access to the employee's device.

Note that certain types of data are practically impossible to retrieve. For example, current devices do not usually store unlimited call history, text message data, browser history and cache. Telecommunication carriers may have more complete data available; however, such data are in principle accessible only to law enforcement agencies, or to employers but only on the basis of a court order.

Therefore, a BYOD Policy should set out a procedure providing for regular backup and/or synchronization on the corporate network (or private cloud).

Unlawful access

In case devices get stolen, employers should take appropriate technical and organizational measures to protect data against unauthorized or unlawful access. As pointed out by ICO [2], such measures can include:

- controlling access to the data or device using a password or PIN (or)
- encrypting the data.

It is fundamental to consider the security of the access credentials in the event of loss or theft of the device. If a device is used to access a cloud service or an IT network and permits users to remain logged in between sessions, unauthorized access to the device could easily result in an unauthorized disclosure of personal data.

Control of the device

In the case (not recommended) where personal data are stored on a device, it will be important to consider the safe and secure deletion of the data throughout the lifecycle of the device, and particularly if the device is to be sold, gets stolen, is lost or is transferred to a third party. Employers, therefore, shall ensure the confidentiality of any personal data stored on the device.

[2] See Information Commissioner's Office, Bring your own devices /Practical_application/ico_bring_your_own_device_byod_guidance.ashx

For example, as suggested by ICO, most modern devices offer the possibility to locate personal data remotely and delete data on demand. Such operations can also be managed by third-party software known as Mobile Device Management ("MDM").

MDM services, however, allow employers to record and track the device in real time. In legal terms, this is a really delicate issue, involving the specific employment legislation of European Member States. The risk is that of falling within the remote monitoring and surveillance of workers, which is in principle not allowed throughout the European Union. Employees, in fact, have legitimate expectations that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment.

As clarified by the Article 29 Working Party in its Opinion 8/2001 on the processing of personal data in the employment context [3]:

- any monitoring must be a proportionate response by an employer to risks it faces taking into account the legitimate privacy and other interests of workers;
- any personal data held or used in the course of monitoring must be adequate, relevant and not excessive for the purpose for which the monitoring is justified. Any monitoring must be carried out in the least intrusive way possible. It must be targeted on the area of risk, taking into account the data protection rules and, where applicable, the principle of secrecy of correspondence;
- employees must be informed of the existence of the surveillance, the purposes for which personal data are to be processed and other information necessary to guarantee fair processing.

The transfer of personal data

Another issue to take into account when implementing a BYOD Policy concerns the transfer of personal data between the personal device and the corporate IT system. The transfer process can present significant risks of interception. Employers, thus, might consider forcing all traffic through encrypted channels (such as a VPN, or HTTPS for individual services) in order to offer some security when employees are using untrusted connections (for example, a Wi-Fi network).

[3] See Working Party Article 29, Opinion 8/2011 on the processing of personal data in the employment context.

A good practice, on this point, might be to include in BYOD Policies specific guidelines for employees on how to assess the security of Wi-Fi networks, such as those found in hotels, cafes, restaurants, etc.

Moreover, it is worth noting that pursuant to Article 25 of the EU Privacy Directive (Directive 95/46/EC), transfers of personal data to a third country outside the European Economic Area can only take place where the third country ensures an adequate level of protection for the data. Article 26, however, sets out derogations including instances in which:

- the data subject has given his consent unambiguously to the proposed transfer (or)
- the transfer is necessary for the performance of a contract between the data subject and the controller (or)
- the transfer is on the basis of standard contractual clauses approved by the Commission as providing adequate safeguards.
- etc.

In this respect, it should be borne in mind that many transfers of personal data are from a data controller in the EU (for example, the employer) to a data processor outside the EU (for example, the Cloud Provider).

5. PRACTICAL TIPS FOR BYOD POLICIES

1. KEY DEFINITIONS
Make distinctions between company-owned devices and personal devices.

2. PROHIBITED INFORMATION/DATA
Specify what types of information/personal data are allowed or prohibited, and which can or cannot be stored on the device. BYOD Policies, for example, may state that employees cannot download sensitive data or privileged information onto their personal devices unless they are downloaded into a corporate IT folder or network.

3. SECURITY INCIDENT
Set an obligation (within the BYOD Policy) on employees to promptly report any actual or reasonably suspected incidents of hacking or unauthorized disclosure of information contained on the device.

4. SECURITY
Address device/data security (e.g., devices must be password protected; encryption of data; secure connections, etc.).

5. INTERNATIONAL DATA TRANSFERS
Consider personal data flows/transfers due to the use of cloud services and social networks: e.g., the transfer of data to countries outside the EEA which do not offer an adequate level of data protection.

6. DEVICE SYSTEM REQUIREMENTS AND LIMITATIONS
Require employees to meet a minimum set of requirements on their own personal devices. Device configurations should prohibit, for example:
- automatic back-up or cloud storage;
- the use of the personal device as a mobile hotspot;
- certain specific application installations (such as jail-break or unauthorized modding of devices).

7. SOCIAL MEDIA
Consider employees' social media use and coordinate the Social Media Policy with the BYOD Policy.

8. LABOUR LAW
Consider Labour Law implications/limitations vs. Mobile Device Management tools. For example:
- involve employees and their representatives in the development of a BYOD Policy;
- identify the purposes behind the monitoring of workers;
- inform employees about the purpose of and the reasons for any monitoring;
- clarify that, although employees have reasonable expectations of privacy on their personal devices, the employer has the right to monitor or access the device for specified corporate reasons.

9. APPS
Clarify whether employees can download, install and use Apps. Companies may also use technology for preventing downloads of questionable apps or copyright-infringing content on the device.

10. IT DEPARTMENT
BYOD Policies should provide that the employee must present any mobile devices to the employer's IT department prior to connecting to the company network, and that the employee consents to the employer installing proper security protocols and necessary office software.

CONCLUSION

As pointed out by ICO [4], an effective BYOD policy can lead to a number of benefits, including improved employee job satisfaction, overall morale increase, increased job efficiency and increased flexibility. By considering the risks to data protection at the outset, employers have the opportunity to embed data protection at the core of their business activities and to raise overall standards.

Paolo Balboni, Ph.D., Founding Partner, ICT Legal Consulting
Domenico Converso, LL.M., Senior Associate, ICT Legal Consulting

[4] See Information Commissioner's Office, Bring your own devices /Practical_application/ico_bring_your_own_device_byod_guidance.ashx


More information

Sample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 )

Sample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 ) Sample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 ) Overview: The Bring Your Own Device (BYOD) program allows employees to use their own computing

More information

Norton Mobile Privacy Notice

Norton Mobile Privacy Notice Effective: April 12, 2016 Symantec and the Norton brand have been entrusted by consumers around the world to protect their computing devices and most important digital assets. This Norton Mobile Privacy

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

Mobile Devices Policy

Mobile Devices Policy Mobile Devices Policy Item Policy description Division Director Contact Description Guidelines to ensure that mobile devices are deployed and used in a secure and appropriate manner. IT Services and Records

More information

stacktools.io Services Device Account and Profile Information

stacktools.io Services Device Account and Profile Information Privacy Policy Introduction This Privacy Policy explains what information Super7ui LLC collect about you and why, what we do with that information, how we share it, and how we handle the content you place

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

Agreement Digital Testing System (Annex 4 to the RFP Digital Testing System) Annex 1 - Data Processing Agreement

Agreement Digital Testing System (Annex 4 to the RFP Digital Testing System) Annex 1 - Data Processing Agreement Agreement Digital Testing System (Annex 4 to the RFP Digital Testing System) Annex 1 - Data Processing Agreement ANNEX 1 DATA PROCESSING AGREEMENT RELATING TO THE AGREEMENT DIGITAL TESTING SYSTEM BETWEEN

More information

LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release)

LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release) CHARLES LUCE S LAWYERING IN THE CLOUD CRIB NOTES 2012 Charles F. Luce, Jr. coloradolegalethics.com/ (alpha release) A. Cloud Computing Defined: n. A loosely defined term for any system providing access

More information

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy) PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard

More information

Successful ediscovery in a Bring Your Own Device Environment

Successful ediscovery in a Bring Your Own Device Environment IT@Intel White Paper Intel IT IT Best Practices IT Governance and IT Consumerization June 2012 Successful ediscovery in a Bring Your Own Device Environment Executive Overview Close collaboration between

More information

Bell Mobile Device Management (MDM)

Bell Mobile Device Management (MDM) Bell MDM Business FAQs 1 Bell Mobile Device Management (MDM) Frequently Asked Questions INTRODUCTION Bell Mobile Device Management provides business customers an all in one device administration tool to

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

BYOD. and Mobile Device Security. Shirley Erp, CISSP CISA November 28, 2012

BYOD. and Mobile Device Security. Shirley Erp, CISSP CISA November 28, 2012 BYOD and Mobile Device Security Shirley Erp, CISSP CISA November 28, 2012 Session is currently being recorded, and will be available on our website at http://www.utsystem.edu/compliance/swcacademy.html.

More information

Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Privacy Policy Version 1.0, 1 st of May 2016

Privacy Policy Version 1.0, 1 st of May 2016 Privacy Policy Version 1.0, 1 st of May 2016 THIS PRIVACY POLICY APPLIES TO PERSONAL INFORMATION COLLECTED BY GOCIETY SOLUTIONS FROM USERS OF THE GOCIETY SOLUTIONS APPLICATIONS (GoLivePhone and GoLiveAssist)

More information

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote

More information

Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act

Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act On 1 January 2016, the Dutch Data Breach Notification Act will enter into force. The Dutch DPA issued Guidelines

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

Data Processing Agreement

Data Processing Agreement Data Processing Agreement New Day at Work Online workspace of the future! Page 1 Content 1. Definitions... 3 2. Scope... 3 3. Our obligations as a Data Processor... 4 4. Your obligations as a Data Controller...

More information

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS December 2005 2 GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS I. OBJECTIVE... 1 II. SCOPE... 1 III. APPLICATION OF LOCAL LAWS...

More information

webcrm Privacy Policy (webcrm website) April 2015

webcrm Privacy Policy (webcrm website) April 2015 webcrm Privacy Policy (webcrm website) April 2015 Introduction This privacy policy provides information on how webcrm A/S ( webcrm ) processes the personal data which you may leave and/or submit when you

More information

Please Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision.

Please Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision. May 2013 Bring Your Own Device Policy Template for Further Education Please Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision. Table

More information

Vodafone Global Enterprise Deploy the Apple iphone across your Enterprise with confidence

Vodafone Global Enterprise Deploy the Apple iphone across your Enterprise with confidence Vodafone Global Enterprise Deploy the Apple iphone across your Enterprise with confidence White Paper Vodafone Global Enterprise 3 The Apple iphone has become a catalyst for changing the way both users

More information

This policy outlines different requirements for the use of PSDs based on the classification of information.

This policy outlines different requirements for the use of PSDs based on the classification of information. POLICY OFFICE OF THE INFORMATION COMMISSIONER Use of portable storage devices 1. Purpose A Portable Storage Device (PSD) is a mobile device capable of storing and transferring digital information. Examples

More information

Safeguarding Privacy on Mobile Devices

Safeguarding Privacy on Mobile Devices i Safeguarding Privacy on Mobile Devices www.ipc.on.ca Table of Contents Introduction 1 Tips for Safeguarding Mobile Devices 3 Checklist 4 Further Resources 8 Safeguarding Privacy on Mobile Devices Introduction

More information

Xperia TM. in Business. Enterprise Mobility Management. Read about how Xperia devices can be administered in a corporate IT environment.

Xperia TM. in Business. Enterprise Mobility Management. Read about how Xperia devices can be administered in a corporate IT environment. Xperia TM in Business Enterprise Mobility Management Read about how Xperia devices can be administered in a corporate IT environment April 2016 About this document Products covered This document describes

More information

trends and audit considerations

trends and audit considerations Bring your own device (BYOD) trends and audit considerations SIFMA IT audit session 4 October 2012 Disclaimer Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited,

More information

Mobile Security: Controlling Growing Threats with Mobile Device Management

Mobile Security: Controlling Growing Threats with Mobile Device Management Mobile Security: Controlling Growing Threats with Mobile Device Management As the use of mobile devices continues to grow, so do mobile security threats. Most people use their mobile devices for both work

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential

More information

County of Grande Prairie - Information Systems

County of Grande Prairie - Information Systems County of Grande Prairie - Information Systems Title [Systems] [BRING YOUR OWN DEVICE - BYOD] - Procedure Location Buddie Systems and HR Documents Approved by Natalia Madden Collaborators Sophie Mercier,

More information

Application of Data Protection Concepts to Cloud Computing

Application of Data Protection Concepts to Cloud Computing Application of Data Protection Concepts to Cloud Computing By Denitza Toptchiyska Abstract: The fast technological development and growing use of cloud computing services require implementation of effective

More information

POLICIES AND REGULATIONS Policy #78

POLICIES AND REGULATIONS Policy #78 Peel District School Board POLICIES AND REGULATIONS Policy #78 DIGITAL CITIZENSHIP Digital Citizenship Digital citizenship is defined as the norms of responsible behaviour related to the appropriate use

More information

White Paper Security. Data Protection and Security in School Management Systems

White Paper Security. Data Protection and Security in School Management Systems White Paper Security Data Protection and Security in School Management Systems This paper clarifies the roles and responsibilities of those dealing with the data that is central to school management systems.

More information

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

singapore american school

singapore american school Background The Singapore Personal Data Protection Act - 2012 (PDPA) establishes a data protection law that comprises various rules governing the collection, use, disclosure, and care of personal data.

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

"choose your own device" : the employer still provides the hardware and the employee can choose e.g. the model.

choose your own device : the employer still provides the hardware and the employee can choose e.g. the model. WHAT IS BYOD? BYOD comes in "different shades of grey". "bring your own device" : employees are allowed to use their privately owned hard- and software. IT-applications and company data of the employer

More information

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES CONTENT 1. WHY A CLOUD COMPUTING GUIDE?... 2 2. WHAT IS CLOUD COMPUTING?... 4 3. WHAT ARE THE ROLES OF THE CLOUD SERVICES

More information

Data Protection Policy

Data Protection Policy London Borough of Enfield Data Protection Policy Author Mohi Nowaz Classification UNCLASSIFIED Date of First Issue 10/08/2012 Owner IGB Issue Status DRAFT Date of Latest Re-Issue 12/09/2012 Version 0.6

More information

Data Protection Breach Management Policy

Data Protection Breach Management Policy Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/

More information

Hands on, field experiences with BYOD. BYOD Seminar

Hands on, field experiences with BYOD. BYOD Seminar Hands on, field experiences with BYOD. BYOD Seminar Brussel, 25 september 2012 Agenda Challenges RIsks Strategy Before We Begin Thom Schiltmans Deloitte Risk Services Security & Privacy Amstelveen tschiltmans@deloitte.nl

More information

PRIVACY AND DATA SECURITY MODULE

PRIVACY AND DATA SECURITY MODULE "This project has been funded under the fourth AAL call, AAL-2011-4. This publication [communication] reflects the views only of the author, and the Commission cannot be held responsible for any use which

More information

BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide

BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide Published: 2015-02-24 SWD-20150223125016631 Contents 1 Introduction...9 About this guide...10 What is BlackBerry

More information

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014 Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

More information

PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA

PRIVACY REGULATIONS regarding the Web Health History (W.H.H.) Service called LifepassportPRO provided by Meshpass SA PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA Updated: 20 Jun 2015 (substitutes previous versions) This Privacy Policy describes

More information

Document Type Doc ID Status Version Page/Pages. Policy LDMS_001_00161706 Effective 2.0 1 of 7 Title: Corporate Information Technology Usage Policy

Document Type Doc ID Status Version Page/Pages. Policy LDMS_001_00161706 Effective 2.0 1 of 7 Title: Corporate Information Technology Usage Policy Policy LDMS_001_00161706 Effective 2.0 1 of 7 AstraZeneca Owner Smoley, David Authors Buckwalter, Peter (MedImmune) Approvals Approval Reason Approver Date Reviewer Approval Buckwalter, Peter (MedImmune)

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

Use Bring-Your-Own-Device Programs Securely

Use Bring-Your-Own-Device Programs Securely Use Bring-Your-Own-Device Programs Securely By Dale Gonzalez December 2012 Bring-your-own-device (BYOD) programs, which allow employees to use their personal smartphones, tablets and laptops in and out

More information

S Z E C S K A Y Ü g y v é d i

S Z E C S K A Y Ü g y v é d i EMPLOYEE MONITORING FROM THE PERSPECTIVE OF HUNGARIAN DATA PROTECTION LAWS While employers oftentimes wish to monitor the behavior of their employees, which generally is a rightful intention, it is also

More information

Data Protection Policy.

Data Protection Policy. Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Binding Corporate Rules for Processing Customer Personal Data (Processor) June 2015

Binding Corporate Rules for Processing Customer Personal Data (Processor) June 2015 Binding Corporate Rules for Processing Customer Personal Data (Processor) June 2015 Binding Corporate Rules for Processing Customer Personal Data (Processor) Introduction These BCRs define the standards

More information

APPENDIX 1: SUPPLIER INSTRUCTIONS FOR THE PROCESSING OF PERSONAL DATA

APPENDIX 1: SUPPLIER INSTRUCTIONS FOR THE PROCESSING OF PERSONAL DATA APPENDIX 1: SUPPLIER INSTRUCTIONS FOR THE PROCESSING OF PERSONAL DATA Purpose SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these

More information

Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA.

Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA. Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA. What is Mobile Security? Mobile security is the protection of both personal and business information stored on and transmitted

More information

Mobile Device Security Is there an app for that?

Mobile Device Security Is there an app for that? Mobile Device Security Is there an app for that? Session Objectives. The security risks associated with mobile devices. Current UC policies and guidelines designed to mitigate these risks. An approach

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

Acceptable Media Use and Bring Your Own Device (BYOD) Policy

Acceptable Media Use and Bring Your Own Device (BYOD) Policy Acceptable Media Use and Bring Your Own Device (BYOD) Policy Author: Mr Joe Cowell Headteacher Date Ratified by Governors: September 2015 Date of Review: September 2018 Wollaston School Acceptable Media

More information