Mobile Phone Data Security


Mobile phones make life very easy on the one hand, and very difficult on the other. Here's why.

A study by TAXI, the magazine for the Licensed Taxi Drivers Association, revealed that during a six-month period a staggering 63,135 mobile phones were mistakenly left in London cabs.  If they contained customer data and information that was not secure, then their owners could find themselves in breach of the Data Protection Act.

Mobile phones are now common tools of the trade for many businesses. However, in recent years these devices have become much more sophisticated. Many have the capacity to store over one million emails, as well as contact details of an entire customer base and other sensitive information, such as Word documents and spreadsheets.

Awareness
Think how important the data on your mobile phone is.  Be aware, too, that if your employees are equipped with a company mobile phone, they must similarly be conscious of the importance of any stored information and contact details.  We strongly recommend that you look at your own mobile device security strategy, and that of your company. 

Precautions
As a first step you should note down your mobile device’s IMEI (International Mobile Equipment Identity) number. This is often found underneath the battery and your mobile provider will require it when you report the loss or theft of your mobile.  This should be a mandatory safety measure for all staff with company mobiles.

Seven Steps to Take
Here are some of the other things you should consider in formulating your mobile security strategy:
  • Enable the “Automatic Lock” function on your device, and set the lock period to the minimum time
  • Enable the “Require Pin” function and, if the option is available, set the device to lock on SIM card removal
  • If you use memory cards, enable the “Encrypt External Storage” option if supported by your device
  • Only store essential names, numbers and documents on your mobile phone
  • Check with your mobile provider if your device supports “Remote Wipe”, and know how to implement this
  • Keep your mobile provider’s number handy as they can disable your phone when you give them your IMEI 
  • Be prepared to notify the Information Commissioner and your customers if a mobile device with customer data is lost/stolen

Further Action
There may be other things specific to your business that you need to think about, and you may need to create a workplace policy to ensure all staff are aware of the implications of storing data on mobile devices.

Comments (6)

Oct 19, 2009
Annie Bromwich-Alexandra said...
This is very useful. Any guidance you can point me to regarding using mobile phones for work-related photo-taking? It seems likely that pictures should be treated the same as personal data but we are seeking to strengthen our procedures around this whole issue.
Oct 19, 2009
Andy Gambles said...
Annie - It depends on who or what is in the photo. You need consent from individuals for the photos to be taken and you may also require permission to take photos of certain buildings and objects under Intellectual Property rules if the image is for commercial purposes.
Apr 08, 2010
Sam Calvert said...
Do company mobile phones come under the same DPA rules as personal in terms of the number not being available on general search engines (this is for a large company with a number of individual phones for employees)?
Apr 08, 2010
Andy Gambles said...
Very interesting question Sam. The data on the mobile phone could hold personal information of customers and is therefore covered by the DPA.

However I think your question is can you publish an employee's mobile number publicly if the phone is provided by the company. The DPA requires that you protect data that could cause an individual harm or distress and can identify an individual person and that you only publish data with the person's consent.

So publishing an employee's name and mobile number is to some extent publishing personal information.

However the mobile is supplied by the company and presumably required in the course of their work.

Therefore the information that is personal under the DPA is the person's actual name. So provided the employee gives permission for their name to be published then I do not see any issues.

Apr 09, 2010
Sam Calvert said...
Thanks Andy, this is really useful. Given the uncertainty of what is deemed private and public I presume mobile phone companies would not be at liberty to disclose the information to general enquiries and only legitimate publishing companies who have authority to hold the data on the companies behalf?
Apr 09, 2010
Andy Gambles said...
Sam - I am not sure what you are asking?
