BRING YOUR OWN DEVICE
Legal Analysis & Practical TIPs for an effective BYOD corporate Policy

CONTENTS
1. What is BYOD?
2. Benefits and risks of BYOD in Europe
3. BYOD and existing Policies
4. Legal issues to take into account when implementing BYOD Policies
5. Practical TIPs for BYOD Policies

ABSTRACT
This document offers a practical and concrete legal overview of BYOD trends around Europe from a data protection perspective. The scope is twofold: (i) to highlight the main privacy and personal data protection legal issues related to BYOD; and (ii) to point out the main elements to be taken into account when drafting an effective BYOD Policy. This will help companies and entrepreneurs to better understand the relevant legal framework, to assess current policies, and to implement effective BYOD corporate standards.

AUTHORS
Paolo Balboni, Ph.D., Founding Partner, ICT Legal Consulting
Domenico Converso, LL.M., Senior Associate, ICT Legal Consulting

1. WHAT IS BYOD?

Mobile devices are consumer products that are starting to dominate the business world and change the way people do business. Nowadays, we are experiencing a huge rise in the popularity, uses and capabilities of mobile devices. For these reasons, many employers are increasingly dealing with demands from their employees wishing to use their devices in the workplace to carry out their activities. This trend is commonly known as Bring Your Own Device (BYOD), an expression that refers to employees' use of their own personal mobile devices to access, store and process corporate information and applications. BYOD, in other words, refers to the use of employee-owned devices to access enterprise content or networks.

The definition of BYOD, however, needs to be improved by clarifying the meaning of its three core elements: 1. mobile devices, 2. employees and 3. corporate information.

1. First of all, the definition of BYOD is strictly connected with the concept of mobile device, which is intended as a handheld computing device with an operating system (OS), equipped with different IT capabilities (Wi-Fi, Bluetooth, GPS, camera, etc.) and running various types of application software, also known as Apps. There are many types of mobile devices. For the definition of BYOD, we should restrict the approach to mobile phones, smartphones, PDAs and tablets.

2. The definition of BYOD, furthermore, also includes the concept of employee, which also requires a short clarification. This term, indeed, is not used in its proper sense, since it literally implies the existence of an employment agreement. However, in BYOD cases, we should refer to a broader category of workers, to be intended as individuals who work for an employer, whether under an employment agreement or any other contract where an individual undertakes to do or perform personally any work or service. For example: agency workers; short-term casual workers; freelancers; etc.

3. The concept of corporate information, instead, simply refers to information and personal data of the involved organization. More precisely, in the case of personal data, the organization acts as Data Controller (in the meaning of the applicable European Data Protection legislation) that is responsible and liable for unlawful data processing, even if the processing operations are carried out by its employees/workers.

2. BENEFITS AND RISKS OF BYOD IN EUROPE

In Europe, BYOD is a trend that can bring enterprises both substantial advantages and considerable risks.

Benefits

With regard to benefits, employers should seriously take into account that BYOD brings a marked increase in productivity and innovation. Employees, indeed, are more comfortable and efficient with their own personal devices, which tend to be more cutting-edge. Furthermore, users upgrade to the latest hardware and software more frequently. Companies benefit from the use of such advanced and updated devices.

Allowing employees to use personal devices also helps them avoid carrying multiple devices, with relevant consequences in terms of employee satisfaction.

From a cost-savings perspective, instead, BYOD allows companies to save budget by simply shifting costs to the user, with employees paying for mobile devices, applications and data services.

Lastly, BYOD gives employers the opportunity to embed data protection at the core of their business activities and to raise overall standards, for example by specifying the types of personal data that can be stored on particular devices and which should not (for example, the storage of sensitive data). [1]

Risks

Risks, on the other side, are represented by the mixed (i.e., personal-professional) use of devices. Translated into a data protection perspective, employees own, maintain and support the device while employers must comply with data protection obligations. In particular, employers need to assess, as clarified by the Information Commissioner's Office (the first European Data Protection Authority to issue guidelines on BYOD), the following aspects:
- what type of data is held;
- where data may be stored;
- how it is transferred;
- potential for data leakage;
- blurring of personal and business use;
- the device's security capacities;
- what to do if the person who owns the device leaves their employment; and
- how to deal with the loss, theft, failure and support of a device.

In fact, it is important to underline that employers are considered to be data controllers, which implies they need to remain in control of the personal data for which they are responsible/liable, regardless of the ownership of the device used to carry out the processing. If companies allow BYOD, they will have significantly less control over the device than they would have over a traditional corporately owned device. In this respect, the present document will help data controllers to ensure that risks associated with BYOD are appropriately managed.

[1] See Information Commissioner's Office, Bring your own devices /Practical_application/ico_bring_your_own_device_byod_guidance.ashx

3. BYOD AND EXISTING POLICIES

In many cases, an employer already has certain corporate policies in place that may relate to or address some BYOD concerns (see, for example, corporate device policies, social media policies, wireless access policies, internet policies, etc.). Consistency between existing policies and BYOD policies is of fundamental importance!

Many current device policies regulate configuration and security requirements on the assumption that the company owns and centrally controls the device. These policies may in fact apply to all mobile devices, without distinguishing between company-owned devices and personally owned devices. However, to set the same rules for personal devices as for company-owned devices is a big mistake. At the same time, drafting different policies for personal devices could create confusion and disproportion.

Therefore, regardless of the choice made by an organization on policy structure, in many cases existing policies will need to be modified to ensure that proper distinctions are being drawn between personally owned and company-owned devices, and that existing policies are not over- or under-inclusive when it comes to addressing BYOD issues.

4. LEGAL ISSUES TO TAKE INTO ACCOUNT WHEN IMPLEMENTING BYOD POLICIES

In order to draft an effective and strong BYOD Policy, employers have to deal with numerous challenges, such as:
- the company does not own or physically control the devices;
- there is a wide variety of personal data to consider;
- personal data and information can potentially reside in multiple locations;
- safeguarding and retrieving the data can be difficult.

These elements give rise to a significant number of data protection legal issues, which we summarise in practical terms below.

Distinguishing privacy roles

First of all, it is important to underline that employers, under the European data protection legal framework, are personal data controllers.
It follows that they have to put in place, on non-corporate devices, appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing operations.
In fact, in this respect, the so-called European Data Protection Directive (Directive 95/46/EC) specifically requires that: "the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected" (see article 17).

It follows that employers (and not employees), despite the absence of physical control over the device, are obliged to comply with data protection rules.

Managing multiple categories of data

Another essential legal issue to take into account when drafting effective BYOD Policies is represented by the multiple types of personal data that can be processed with the employee's device.

From a BYOD Policy perspective, an interesting way of categorizing those types of data is to distinguish between corporate and non-corporate information. The first are data (also personal) associated with the company, such as corporate e-mails, documents, and text messages. The second, instead, refers to data (also personal) that individuals create or store on the device for purely personal purposes (such as personal e-mails, pictures, phone numbers, etc.).

The problem is that employees' devices used in a corporate environment will likely contain both corporate and non-corporate information/personal data. For example, all e-mails, pictures and documents - both personal and corporate - may be stored in the same database on the privately owned device, which is under the sole privacy responsibility of the employer.
Despite the fact that current device architectures and operating systems usually do not support the native separation of those types of data, companies have to implement solid BYOD Policies. There, employers need to accurately specify which data are allowed to be stored on the device and which data need to be processed in a more restrictive environment (for example, by using different apps for business and personal use, or by storing corporate data within the corporate network instead of on the device).

Maintaining a clear separation between personal data processed on behalf of the data controller (employer) and those processed for the device owner's own purposes can minimize privacy responsibilities while simplifying and improving data collection.

Dealing with different purposes of data processing

Usage of BYOD could also increase the risk that personal data are processed for purposes different from the ones for which they were originally collected, kept for longer than necessary or not kept up to date. For example, if copies of data are stored on many different devices, there is an increased risk that personal data will be used for incompatible purposes, or become out-of-date or inaccurate over time. There is also an increased risk that data will be retained for longer than necessary, due to the fact that it is more difficult to keep track of all copies of the data.

Additionally, if multiple copies of data are stored on many different devices, it is more difficult to enable effective exercise of data subjects' rights. For example, it may be problematic to guarantee compliance with a data subject's access or deletion request if one is not aware of all the devices on which personal data may be stored.

It is therefore strongly recommended that BYOD Policies impose an obligation on employees to:
1) connect to a central corporate repository of data when processing corporate information;
2) process corporate personal data only for corporate purposes.

Understanding where data might reside: data location

Personal data processed via a personal device may primarily reside in three locations:
1) on the device;
2) on a server within the organisation's IT network or in a private cloud; or
3) in a community or public cloud.

The better solution might be to use the corporate network or a private cloud: in this case, in fact, employers are able to meet the privacy requirements and compliance obligations without needing access to the employee's device.

Note that certain types of data are practically impossible to retrieve. For example, current devices do not usually store unlimited call history, text message data, browser history and cache. Telecommunication carriers may have more complete data available; however, such data are in principle accessible only to law enforcement agencies or to employers, but only on the basis of a court order.

Therefore, the BYOD Policy should set out a procedure providing for regular backup and/or synchronization on the corporate network (or private cloud).

Unlawful access

In case devices get stolen, employers should take appropriate technical and organizational measures to protect data against unauthorized or unlawful access. As pointed out by ICO [2], such measures can include:
- controlling access to the data or device using a password or PIN; (or)
- encrypting the data.

It is fundamental to consider the security of the access credentials in the event of loss or theft of the device. In fact, if a device is used to access a cloud service or an IT network and permits users to remain logged in between sessions, unauthorized access to the device could easily result in an unauthorized disclosure of personal data.

[2] See Information Commissioner's Office, Bring your own devices /Practical_application/ico_bring_your_own_device_byod_guidance.ashx

Control of the device

In the (not recommended) case where personal data are stored on a device, it will be important to consider the safe and secure deletion of the data throughout the lifecycle of the device, and particularly if the device is to be sold, gets stolen, is lost or is transferred to a third party. Employers, therefore, shall ensure the confidentiality of any personal data stored on the device.

For example, as has been suggested by ICO, most modern devices offer the possibility to locate personal data remotely and delete data on demand. Such operations can also be managed by third-party software known as Mobile Device Management ("MDM").

MDM services, however, allow employers to record and track the device in real time. In legal terms, this is a really delicate issue, involving European Member States' specific employment legislation. The risk is to fall within the remote monitoring and surveillance of workers, which is in principle not allowed throughout the European Union. Employees, in fact, have legitimate expectations that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment.

As has been clarified by the Article 29 Working Party in its Opinion 8/2001 on the processing of personal data in the employment context [3]:
- any monitoring must be a proportionate response by an employer to the risks it faces, taking into account the legitimate privacy and other interests of workers;
- any personal data held or used in the course of monitoring must be adequate, relevant and not excessive for the purpose for which the monitoring is justified. Any monitoring must be carried out in the least intrusive way possible. It must be targeted on the area of risk, taking into account the data protection rules and, where applicable, the principle of secrecy of correspondence;
- employees must be informed of the existence of the surveillance, the purposes for which personal data are to be processed and other information necessary to guarantee fair processing.

[3] See Article 29 Working Party, Opinion 8/2001 on the processing of personal data in the employment context.

The transfer of personal data

Another issue to take into account when implementing a BYOD Policy regards the transfer of personal data between the personal device and the corporate IT system. The transfer process, in fact, can present significant risks of interception. Employers, thus, might consider forcing all traffic through encrypted channels (such as a VPN, or HTTPS for individual services) in order to offer some security when employees are using untrusted connections (for example, Wi-Fi networks).
A good practice, on this point, might be to include in BYOD Policies specific guidelines to employees on how to assess the security of Wi-Fi networks, such as those found in hotels, cafes, restaurants, etc.

Moreover, it is worth noting that, pursuant to Article 25 of the EU Privacy Directive (Directive 95/46/EC), transfers of personal data to a third country outside the European Economic Area can only take place where the third country ensures an adequate level of protection for the data. Article 26, however, sets out derogations including instances in which:
- the data subject has given his consent unambiguously to the proposed transfer; (or)
- the transfer is necessary for the performance of a contract between the data subject and the controller; (or)
- the transfer is on the basis of standard contractual clauses approved by the Commission as providing adequate safeguards;
- etc.

In this respect, it should be borne in mind that many transfers of personal data are from a data controller in the EU (for example, the employer) to a data processor outside the EU (for example, the Cloud Provider).

5. PRACTICAL TIPS FOR BYOD POLICIES

1. KEY DEFINITIONS
Make distinctions between company-owned devices and personal devices.

2. PROHIBITED INFORMATION/DATA
Specify what types of information/personal data are allowed or prohibited and can or cannot be stored on the device. BYOD Policies, for example, may state that employees cannot download sensitive data or privileged information onto their personal devices unless they are downloaded into a corporate IT folder or network.

3. SECURITY INCIDENT
Set an obligation (within the BYOD Policy) on employees to promptly report any actual or reasonably suspected incidents of hacking or unauthorized disclosure of information contained on the device.

4. SECURITY
Address device/data security (e.g., devices must be password protected; encryption of data; secure connections, etc.).

5. INTERNATIONAL DATA TRANSFERS
Consider personal data flows/transfers due to the use of cloud services and social networks: e.g., transfers of data to countries outside the EEA which do not offer an adequate level of data protection.

6. DEVICE SYSTEM REQUIREMENTS AND LIMITATIONS
Require employees to meet a minimum set of requirements on their own personal device. Device configurations should prohibit, for example:
- automatic back-up or cloud storage;
- the use of the personal device as a mobile hotspot;
- certain specific application installations (such as jail-breaking or unauthorized modding of devices).

7. SOCIAL MEDIA
Consider employees' social media use and coordinate the Social Media Policy with the BYOD Policy.

8. LABOUR LAW
Consider Labour Law implications/limitations vs. Mobile Device Management tools. For example:
- involve employees and their representatives in the development of a BYOD Policy;
- identify the purposes behind the monitoring of workers;
- inform employees about the purpose and the reasons of any monitoring;
- clarify that, although employees have reasonable expectations of privacy on their personal devices, the employer has the right to monitor or access the device for specified corporate reasons.

9. APPS
Clarify whether employees can download, install and use Apps. Companies may also use technology for preventing downloads of questionable apps or copyright-infringing content on the device.

10. IT DEPARTMENT
BYOD Policies should provide that the employee must present any mobile devices to the employer's IT department prior to connecting to the company network, and that the employee consents to the employer installing proper security protocols and necessary office software.

CONCLUSION

As pointed out by ICO [4], an effective BYOD policy can lead to a number of benefits including improved employee job satisfaction, overall morale increase, increased job efficiency and increased flexibility. By considering the risks to data protection at the outset, employers have the opportunity to embed data protection at the core of their business activities and to raise overall standards.

Paolo Balboni, Ph.D., Founding Partner, ICT Legal Consulting
Domenico Converso, LL.M., Senior Associate, ICT Legal Consulting

[4] See Information Commissioner's Office, Bring your own devices /Practical_application/ico_bring_your_own_device_byod_guidance.ashx
Hands on, field experiences with BYOD. BYOD Seminar Brussel, 25 september 2012 Agenda Challenges RIsks Strategy Before We Begin Thom Schiltmans Deloitte Risk Services Security & Privacy Amstelveen firstname.lastname@example.org
"This project has been funded under the fourth AAL call, AAL-2011-4. This publication [communication] reflects the views only of the author, and the Commission cannot be held responsible for any use which
Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware
Policy LDMS_001_00161706 Effective 2.0 1 of 7 AstraZeneca Owner Smoley, David Authors Buckwalter, Peter (MedImmune) Approvals Approval Reason Approver Date Reviewer Approval Buckwalter, Peter (MedImmune)
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
Use Bring-Your-Own-Device Programs Securely By Dale Gonzalez December 2012 Bring-your-own-device (BYOD) programs, which allow employees to use their personal smartphones, tablets and laptops in and out
EMPLOYEE MONITORING FROM THE PERSPECTIVE OF HUNGARIAN DATA PROTECTION LAWS While employers oftentimes wish to monitor the behavior of their employees, which generally is a rightful intention, it is also
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
Binding Corporate Rules for Processing Customer Personal Data (Processor) June 2015 Binding Corporate Rules for Processing Customer Personal Data (Processor) Introduction These BCRs define the standards
APPENDIX 1: SUPPLIER INSTRUCTIONS FOR THE PROCESSING OF PERSONAL DATA Purpose SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these
Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA. What is Mobile Security? Mobile security is the protection of both personal and business information stored on and transmitted
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
Acceptable Media Use and Bring Your Own Device (BYOD) Policy Author: Mr Joe Cowell Headteacher Date Ratified by Governors: September 2015 Date of Review: September 2018 Wollaston School Acceptable Media