“Bring Your Own Device” (BYOD) and Data Protection

Many schools are more than happy to allow staff to bring their own personal devices such as smartphones, to the workplace to either connect into the school’s network or to use for work purposes. Although “Bring Your Own Device” (BYOD) is popular it increases the risk of data security breaches because the school does not legally own or control the device upon which its own data is being processed. In fact, this has led some to ask “Is BYOD security an oxymoron?”

Under the Data Protection Act 1998 (DPA) the school, must take appropriate steps to keep personal data safe and secure. If staff are using their own devices to process personal data relating to pupils, the school, as data controller, remains legally responsible for ensuring that this data is processed in accordance with the DPA regardless of the fact that it does not legally own the device used to carry out that processing.

Practical Steps

• If you allow BYOD then a BYOD Policy is essential.
• Such a policy will need to consider whether the school can trigger a remote lock down or even a remote “wipe”
• Ensure the member of staff has to inform you if the device is reported as lost or stolen. This will link to how you will ensure school data is deleted when staff leave and what obligations will you impose on staff to report missing or faulty devices to you.