Speaking to Publictechnology.net, Simon Rice, group manager, technology, at the ICO, praised the approach taken by some authorities to classify and store data differently depending on the level of security sensitivity.
He said that allowing less sensitive data to be accessed on users’ personal devices could enable local authorities to block potentially insecure internet services on corporate devices which are used to handle more sensitive data.
Rice said: “BYOD can actually increase security. If a local authority wanted to lock down the internet on its corporate system for security reasons, it could still allow users to browse the web on their personal devices to access social media and other sites.
“This would reduce the likelihood of a hacker stealing the most sensitive data being held by a council.”
He added that BYOD does still produce a number of challenges to security, not least when a user decides to upgrade their mobile or tablet and sell on their old device.
Rice said: “The resale value of these devices is often quite high and councils need to have a strategy to ensure that data is removed properly before this happens.”
The ICO this week released guidance on how councils and other organisations can ensure that their BYOD policies keep security risks to a minimum.
In addition, data transfer between corporate systems and the device should be made via a secure channel.
Devices should also be registered with a remote “locate and wipe” facility in the event of loss or theft.
Councils should also consider implementing an “end of contract” policy so that work-related data remains secure when an employee leaves their job.
Finally, councils should all adopt acceptable use policies to ensure both employer and employee understand their data security obligations.
Rice said: “The benefits of BYOD must be balanced against the potential risks to work-related personal data but the organisation should not underestimate the level of effort which may be required to ensure that the processing of personal data with BYOD remains compliant with all eight principles of the Data Protection Act.
“Remember, it is the employer who is held liable for any breaches under the DPA.”