A smartphone policy should nevertheless reserve the right for an employer to process employee data in exceptional circumstances - for example, where there is an allegation that a smartphone has been used in order to impact negatively on the employer, or in relation to allegations of harassment or discrimination in the workplace.
The Regulation of Investigatory Powers Act 2000 (RIPA) also prohibits, in certain circumstances, the “interception” of communications. If an employer were to read unopened employee data in an inbox or sent items folder on a smartphone, the activity would possibly constitute “interception” caught by RIPA (in addition to “processing” under the DPA). Contravening RIPA could have serious consequences for an employer. In addition to possible criminal sanctions, it could also affect an employment tribunal’s view of the fairness of a decision to dismiss an employee where the evidence presented against that employee during the disciplinary process has been gained in a manner prohibited by RIPA.
Geo-location data on smartphones - which can be obtained from either mobile phone antennae, handsets with inbuilt Global Positioning System chips or when smartphones connect to Wi-Fi access points - also enable the movement of the device to be monitored, again raising questions about users’ right to privacy.
Can an organisation use such geo-location data in order to “geo-fence” employees? Geo-fencing refers to creating a digital perimeter around a location - which could be an office, city or country - potentially enabling the employer to become aware when the smartphone crosses the electronic boundary. If an organisation does use a company smartphone to geo-fence an employee, does it have to inform the employee? Can it attempt to geo-fence the employee 24 hours a day, or only during business hours?
Any surveillance activities of employees are potentially illegal, particularly if the surveillance is covert. Redress could include an action by the employee for misuse of private information, penalties under the DPA or even criminal sanction under the Protection from Harassment Act 1997.
For an organisation to gather, control and ultimately process geo-location data, the starting point is that it should have prior informed consent from the smartphone user. The EU’s Article 29 Working Party on Data Protection has offered the following clarification as to the nature of such consent:
• It should be positively obtained before the data is processed.
• It should be specific for the purposes for which the data is being processed.
• Location services on smartphones and apps should be switched off as a default. An opt-out mechanism is not adequate for obtaining consent.
• Consent should be limited in terms of time and employees should be periodically reminded that their location data is being processed.
Further, and regardless of consent, an organisation can only lawfully seek to geo-fence an employee if it has a very good and specific business purpose for doing so (for example, to check a particular delivery route undertaken by a driver). Finally, geo-fencing an employee during off-duty hours is very unlikely ever to be justifiable.
Liability for employees’ actions
The risks of using smartphones for business purposes aren’t limited to security. What is an organisation’s liability if an employee uses a company smartphone as a platform for committing an illegal act? Could the company be sued by a wronged party that claims that the employee was using company equipment, and acting in the course of his or her employment?
To mitigate this risk, organisations should specifically prohibit in their smartphone policies employees from using company-issued phones for any illegal activities, or activities that would be likely to result in a civil action. This helps to protect the organisation by providing tangible evidence that the employee was acting outside the scope of employment.
Overall, the use of smartphones for business purposes presents many opportunities, whilst also exposing companies to a variety of new risks. There are plenty of issues to think about. Employees have an important role to play in ensuring that smartphones are used securely, but it is vital that the employer develops appropriate policies and provides its employees with training on how smartphones should be used.
John D McGonagle is senior solicitor for technology, information and outsourcing at law firm Brodies LLP