Feature: Are your smartphones in safe hands?

By John D McGonagle
06 Mar 2012

If the smartphone belongs to the company, will personal use be permitted? If so, to what extent? Will employees be prohibited from downloading apps (in order to minimise the risk of installing malware)? Will excessive personal use require the employee to reimburse the company for any expense, or will it have disciplinary consequences? Are there restrictions on the type of data that can be accessed by employees via their smartphones? Is password protection mandatory? Are there processes in place for notifying the company of loss or theft?

If the use of personal smartphones is unavoidable, then companies need to consider putting in place specific policies addressing such devices so that employees are made aware of their obligations from the outset. Accessing or protecting company data is likely to be difficult unless the position has been very clearly spelt out in the appropriate policy. For example, will the company be permitted to wipe an employee’s smartphone remotely if it has been lost, stolen or otherwise compromised?

Monitoring employees

What are an organisation’s rights in relation to monitoring data on a smartphone used by an employee?

Smartphones are essentially miniature computers and can contain the same sort of data as a desktop PC, laptop or tablet (emails, texts, voicemails, client contacts, company documents, spreadsheets and so forth), in addition to varying amounts of employee personal data.

Is an employer allowed to monitor all this data? When considering this issue it can be helpful to distinguish between employer data and employee data.

Examples of employer data include employer account emails (unless they are clearly personal) and company documents. Examples of employee data include text messages sent from/received by a smartphone, or personal email accounts accessed via the smartphone (but hosted outside the employer’s network).

In the UK, the Data Protection Act 1998 (DPA) requires an employer to “process” its employees’ personal data fairly and lawfully. This generally requires transparency so that employees have an expectation as to what an employer will do with their personal data. This is one of the reasons why having a clear policy in place makes so much sense.

An employer has an obvious legitimate interest in processing employer data in order to protect and conduct its business. However, the employer data is probably already on the company’s server, meaning that in the context of smartphones the employee data is likely to be of greater interest.

The concern with an employer processing employee data is that the surveillance is far more intrusive into the privacy of the employee and thus far less likely to be “fair”. For example, the Information Commissioner’s Employment Practices Code states: “If workers are allowed to access personal email accounts from the workplace, such emails should only be monitored in exceptional circumstances”. 

