Acceptable BYOD use
Employees using their own smartphones or tablets to conduct business should be a matter of concern to all employers, from a data protection point of view
Personal information, when processed, must be kept secure. This is one of the eight key data protection principles. But, if an employee is using their own smartphone or tablet to conduct business, to what extent is that principle adhered to? In many cases it is not, and that should be a concern to employment practitioners, not only as advisers, but as employers too.
The rapid rise of the practice known as BYOD (bring your own device) has not been matched by a commensurate increase in amendment of data protection and other policies.
Recently, the Information Commissioner's Office was moved to highlight the issue after a member of staff at the Royal Veterinary College lost their camera and its memory card, which contained the passport images of six job applicants. The organisation had no guidance in place covering the storage of personal information on personal devices for work purposes.
It is far from unique. The same month, Samsung reported a survey revealing that fewer than a third of businesses in Europe with more than 1,000 employees have a formal BYOD policy.
BYOD ticks many boxes. Reduced costs, increased engagement, enhanced productivity, greater flexibility - all can apparently be delivered by allowing staff to use their own devices for work. But do the risks outweigh these benefits? They certainly have the potential to. So, with almost half of UK employees now using personal devices, the risks must be managed.
The fundamental concerns that arise relate to data protection. The device is owned by the user, but the data controller must ensure that all personal information for which it is responsible is processed lawfully. An acceptable use policy ("AUP") should be in place and maintained - whether standalone, or by integrating a section on BYOD within a wider AUP.
Practical difficulties will arise. Corporate-issued devices tend to be much of a muchness. However, the range of different devices owned by staff members could prove a challenge. Regardless of what type of device is used or where data is stored - on your network, on the device, or in the cloud - you need measures in place to protect against unlawful or unauthorised access. The most obvious is to ensure that password or PIN protection is deployed, or that encryption is used. But you may also need to set expectations on use of the personal device by, for example, other members of the employee's family.
Rules may need to be set as to what personal items can be downloaded to the device, as apps from untrusted sources, for example, have a higher risk of being malicious and so presenting a risk to the corporate information. The user will need to maintain a separation between business and personal use. And, on the flipside, you will have to ensure that, in protecting the personal data under your control, you are not also processing personal information about the user (and/or their family).
Any monitoring of personal device use will have to be carried out carefully, with the purpose explained and the extent of any monitoring being justified by benefits. One purpose of such monitoring might be to ensure that data can be remotely deleted if a device is lost or stolen, or on termination of employment. This could involve tracking the location of a device. If so, such a facility should only be used for the specified purpose and not for wider, ongoing surveillance or monitoring of users.
An area in which you will want to ensure stringent monitoring is the increased working hours that invariably result from home use. Answering emails in the evenings, at weekends and on holidays could feed into a desire for increased responsiveness. However, it is important to ensure there is no breach of the Working Time Regulations 1998, nor creation of a culture in which stress-related conditions can breed.
Finally, what of the views of clients? Commentary from the US reveals that top financial services firms on Wall Street do not want their outside counsel using personal devices, with warnings that any breach of security as a result of BYOD would also result in the end of the client-lawyer relationship.
If you have stumbled into BYOD use, perhaps under pressure from employees wanting to use their own devices, now is the time to review practices and policies to ensure you are not falling foul of the very laws you advise clients on. A self-styled "ethical hacker" has been quoted recently as saying that he did "believe BYOD involved lots of drug use by your auditors and lawyers for them to accept it, there are just so many liabilities here". Best to do a review before you have your own bitter pill to swallow.
Jane Green, partner, Employment, Maclay Murray & Spens