Consumerisation has the potential to land CIOs in legal hot water.
Legal experts from law firm Pinsent Masons answer common queries.
What are the benefits and risks of allowing employees to use their own devices for work?
It is a fact of business life that employees are increasingly using their own devices for work purposes, and that the dominion IT teams previously had over what devices could access company data is being swept away by the prevailing winds of smartphone and tablet use. We make professional calls on our personal phones, check emails at home over VPNs, and send text messages about work matters to colleagues. Whether companies have a bring your own device (BYOD) policy in place or not, it is becoming more and more difficult to dictate what devices staff can use for work purposes.
There are upsides to BYOD for employers; firms no longer have to pay for devices and employees are more likely to bear the cost of maintaining them, lessening the burden on IT support. Employees may be more productive if they are free to put together a presentation using Keynote on their iPad than on an outdated version of PowerPoint on the shared IT system, and having email, calendars and contacts available 24/7 makes working from any location much easier. The other side of the BYOD coin, however, are the problems of security, data protection and privacy this raises.
What are the data protection implications of BYOD?
The Data Protection Act (DPA) imposes obligations on all organisations to keep personal data secure and to take appropriate technical and organisational measures against “unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data”.
This task becomes more complicated when personal mobile devices are used to access personal and confidential data held by an employer. Where this occurs there is likely to be personal information of the employee, and their personal contacts, held alongside company data on the device, for example in the Outlook address book or in a messaging app. If this device is lost or stolen, the firm may wish to remotely wipe the company data on the device to prevent it being accessed by unauthorised persons or used unlawfully. This remote wiping is likely to involve a degree of processing of the employee’s own personal data, and that of their personal contacts, giving rise to further data protection issues. A company would have to obtain an employee’s explicit, fully informed and freely given consent to process such personal data, or show that it is in the firm’s legitimate interests to carry out this processing. Remote wiping is therefore not an easy solution to administer in practice.
What are the privacy implications of BYOD and how do you tackle them?
Simply placing a clause in an employee’s contract of employment or similar that allows for wholesale remote wiping of their device is unlikely to satisfy the provisions of the DPA. Standard terms are seldom read carefully so wiping an entire iTunes library or photo album may still come as a shock and do little to improve employee relations.
Any conditions that are likely to be objected to by employees must be brought to their attention to reduce the risk of a complaint being made to the Information Commissioner’s Office (ICO), or of the employee withdrawing their consent to the processing of their personal data which, under the DPA, they may do at any time.
So companies should aim to manage employees’ privacy expectations from the outset, advising them to think of a personal device that they use to access company data as a company device.
In the event of a security breach where foul play is suspected the employer may wish to carry out a post-breach forensic investigation of the device. The employer should put in place technical and organisational measures to ensure that only relevant information is accessed and not, for example, personal text messages or photos - however, if personal data is mixed with the company data, the employer should attempt to alter the employee’s expectations of privacy accordingly. For its part, the ICO is likely to consider whether any prejudice to the employee caused by an investigation into a data breach is justified, and look at the steps the company took to minimise the processing.
Who would be liable for data loss if an employee device was stolen?
Failure to put in place appropriate security measures to protect company personal data will be a breach of a company’s DPA obligations, which could lead to a fine being imposed on companies and individual officers, rather than the employee directly at fault. The ICO has powers to investigate and punish breaches of the DPA, including by levying fines, and has shown a willingness to use them.
What safety measures should a company take if it wants to introduce BYOD?
Ultimately, technical safeguards for data loss should be Plan B; Plan A should be driving the right behaviour among employees in the first place, as it is vital they understand that in using their own devices they have a responsibility to keep company data secure. Running Q&A sessions to dispel employees’ misconceptions may also be helpful; the more information that employees are given, the greater their awareness of the policy and the easier the company will find managing employees’ expectations.
Confiscating or wiping a personal device should only be done as a last resort to manage a serious security risk. There are apps available to avoid a heavy-handed approach to wiping. AT&T is offering the Toggle app, for example, which will ring-fence company data and allow IT administrators to wipe only the company data on the device.
Danvers Baillieu, David Matheson and Kellie Blyth are solicitors at law firm Pinsent Masons.