ISO 9001:2015 clause 7.5.4 explained.

How many of us use our own ‘personal devices’ for work purposes? Included within that term are items such as smartphones, laptops, tablets etc. I guess the answer would be ‘quite a lot of us’ and a 2013 survey commissioned by the Information Commissioner’s Office (ICO) suggested that many employers haven’t really grasped the significance of this and its relationship to the Data Protection Act.

I guess even fewer have considered the links to ISO 9001 clause 7.5.4 and the requirement to ‘exercise care with customer property whilst it is under the organisation’s control or being used by the organisation’ – and personal data is, as is made clear in the 2008 version of the standard, considered to be customer property. As the use of this type of equipment grows it’s time that businesses grasped the significance of this issue and acted to protect themselves, and the data being managed.

The ICO survey suggests that nearly 50% of UK adults use personal devices as part of their work but that less than 30% are given any advice or guidance on controls that should be in place when they do so.

Here’s what Simon Rice, the ICO Group Manager for Technology has to say:

“The rise of smartphones and tablet devices means that many of the common daily tasks we would have previously carried out on the office computer can now be worked on remotely.  While these changes offer significant benefits to organisations, employers must have adequate controls in place to make sure this information is kept secure.

“The cost of introducing these controls can range from being relatively modest to quite significant, depending on the type of processing being considered, and might even be greater than the initial savings expected. Certainly, the sum will pale into insignificance when you consider the reputational damage caused by a serious data breach. This is why organisations must act now.”

Commenting on the new guidance, he said: “Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider. For example, does the organisation know where personal data is being stored at any one time? Do they have measures in place to keep the information accurate and up-to-date? Is there a failsafe system so that the device can be wiped remotely if lost or stolen?”

The ICO survey suggests that email accounts for the largest usage, but that nearly 40% used their devices to edit documents and over 35% stored work documents on their device, and the ICO warn that there is a very good chance that all these activities involve the processing of personal information and therefore fall within the bounds of the Data Protection Act.

Here are some great questions to add to your audits:

• Do staff understand what personal data may be processed on personal devices? How has this been communicated to them? Are there records available to demonstrate this?
• What control measures are staff required to put in place to protect data (eg strong passwords, encryption, lock systems on devices etc)? What checks are made to ensure these are in place? Are records held of checks made?
• How secure are any cloud-based public sharing and public backup devices? How have these been assessed? Do staff know what they can use and what they cannot? How has this been communicated to them?
• Are devices registered with a remote locate and wipe facility to maintain the confidentiality of the data in the event of a loss or theft?

I have just added these very targeted questions to my audit question bank – this is an area that needs careful exploration and action. Expect your external certification bodies to be looking at this too!