Channel: HR news, jobs & blogs | Human resources jobs, news & events - People Management

Why bring-your-own-device (BYOD) is not just an IT issue


HR needs to safeguard personal and company data as more staff work on their own smartphones and tablets

A recent survey by IT analysts Ovum revealed that 67 per cent of employees who own a smartphone, and 69 per cent who own a tablet, use them for work purposes. This may increase productivity and flexibility for employees, and reduce costs for employers, but there are drawbacks. Another survey, by recruitment specialist Modis, showed that over half of all employees never consider the security implications when uploading or downloading data to their device.

The increase in ‘bring your own device’ (BYOD) in workplaces can present considerable risks for an organisation, which HR should not leave to the IT department alone to resolve.

Control

As the employer does not own the device, it may not have effective control over how company information is stored and used on it, and may not be able to monitor the information. This raises security risks and, with them, the potential for misuse of company information if the device is either lost or hacked. The employer, as a data controller, is also responsible for ensuring that the processing of personal data under its control remains compliant with the Data Protection Act 1998 (DPA). In the event of a breach (whether deliberate or accidental) it would need to show it has secured, controlled or deleted all personal data on a device and guarded against unauthorised use.

Processing

Particular care also has to be exercised where employees store or back up data from their device to the cloud (remote storage), given the prohibition on data controllers transferring personal data outside of the European Economic Area (EEA) without satisfying one of the necessary conditions in the DPA.

Allowing employees to access and use company software without checking the terms of your IT licences may also leave an employer open to claims for breach of contract or intellectual property infringement if the terms of that licence do not allow for their use on such devices.

Support and maintenance providers may also refuse (at least without an extra charge) to support employees’ personal devices, potentially leaving company information and data at much greater risk if the organisation has to rely on employees ensuring they have installed all necessary security patches and protections on their device.

Minimising risks

Organisations should ensure that HR and IT departments collaborate on a BYOD policy which also ties in with the organisation’s IT, data protection, disciplinary and possibly social media policies. The policy should:

  • set out clear and well-publicised rules together with the consequences of non-compliance (in the Ovum survey 21 per cent of employees admitted using their own devices despite anti-BYOD policies)
  • if the employer reimburses any costs, make clear who owns the device and its contents and who is responsible for what costs
  • remind employees of their obligations to keep company information and personal data safe
  • explain the security risks and what safeguards must be adhered to
  • if possible, prohibit downloading of data to the device
  • explain how, when and why monitoring will take place
  • put in place a procedure for reporting loss or theft of a device
  • require employees to hand over the device and any password for inspection on request and on termination of employment, so that it can be wiped of any company information. The employee should give explicit consent for this.

Additionally, arranging proper training is essential, because many employees will be oblivious to the security risks. Employers should also check whether their insurance cover would pay out if company information was lost or misused via an employee’s device.

Alternatively, employers could consider protecting data security by:

  • having software that separates company and personal data on a device (called ‘mobile device management’), allowing employers to manage and configure it (locking it after a period of inactivity, for example)
  • attaching a ‘sandbox’ (a separate container for storing company information)
  • using desktop virtualisation software, which retains information on the corporate network and keeps the information on a secure server.

The Information Commissioner has recently issued guidance on BYOD and any policy should be drafted in line with this. The guidance does not have any legal effect but if employees lose data relating to others when using their own device and the guidance has not been implemented, an employer may struggle to show it was DPA-compliant.

Vicky Schollar is a solicitor in the employment team and Sheilah Mackie is a partner in the commercial intellectual property/IT team at Blake Lapthorn.

For more employment law articles, visit HR-inform


