If the smartphone belongs to the company, will personal use be permitted? If so, to what extent? Will employees be prohibited from downloading apps (in order to minimise the risk of installing malware)? Will excessive personal use require the employee to reimburse the company for any expense, or will it have disciplinary consequences? Are there restrictions on the type of data that can be accessed by employees via their smartphones? Is password protection mandatory? Are there processes in place for notifying the company of loss or theft?
If the use of personal smartphones is unavoidable, then companies need to consider putting in place specific policies addressing such devices so that employees are made aware of their obligations from the outset. Accessing or protecting company data is likely to be difficult unless the position has been very clearly spelt out in the appropriate policy. For example, will the company be permitted to wipe an employee’s smartphone remotely if it has been lost, stolen or otherwise compromised?
What are an organisation’s rights in relation to monitoring data on a smartphone used by an employee?
Smartphones are essentially miniature computers and can contain the same sort of data as a desktop PC, laptop or tablet (emails, texts, voicemails, client contacts, company documents, spreadsheets and so forth), in addition to varying amounts of employee personal data.
Is an employer allowed to monitor all this data? When considering this issue it can be helpful to distinguish between employer data and employee data.
Examples of employer data include employer account emails (unless they are clearly personal) and company documents. Examples of employee data include text messages sent from/received by a smartphone, or personal email accounts accessed via the smartphone (but hosted outside the employer’s network).
In the UK, the Data Protection Act 1998 (DPA) requires an employer to “process” its employees’ personal data fairly and lawfully. This generally requires transparency so that employees have an expectation as to what an employer will do with their personal data. This is one of the reasons why having a clear policy in place makes so much sense.
An employer has an obvious legitimate interest in processing employer data in order to protect and conduct its business. However, the employer data is probably already on the company’s server, meaning that in the context of smartphones the employee data is likely to be of greater interest.
The concern with an employer processing employee data is that the surveillance is far more intrusive into the privacy of the employee and thus far less likely to be “fair”. For example, the Information Commissioner’s Employment Practices Code states: “If workers are allowed to access personal email accounts from the workplace, such emails should only be monitored in exceptional circumstances”.