Bring Your Own Device – What Employers Need to Know

February 3, 2014

Many employers have recognised the benefits of allowing staff to use their own personal electronic devices, such as laptops and smart phones, for work purposes, a practice commonly referred to as ‘Bring Your Own Device’ (BYOD). Employers should, however, be aware of and consider the commercial and legal risks which exist before implementing such a policy.

What are the Benefits?

If implemented correctly, BYOD can be an effective way for employers to maintain a flexible and responsive workforce. By allowing employees to connect to corporate resources and to access and work on company-related data such as emails on their own devices, organisations can increase efficiency, control costs and maintain a mobile workforce.

The perception of flexibility can also boost employee satisfaction and ensure the employer is seen to be at the forefront of developments in mobile communication.

Key Issues

Data security & Employee Privacy

Because an employee is using a personal electronic device for work, the device will contain both personal and company information. Employers must ensure they comply with the Data Protection Act 1998 (DPA) and adopt suitable measures to keep personal data secure by preventing unauthorised or unlawful processing of personal data or accidental loss of personal data, particularly where, for example, personal data may end up being stored on company servers.

Allowing employees to use their own devices for work will inevitably involve the transfer of data between the device and the company’s IT systems. Employers should ensure their systems are protected from unlawful interception of data being transferred and ensure up-to-date security measures are in place.

Where employees leave employment or devices are lost or stolen, companies may be exposed to unauthorised access of company data. Although it is possible to remotely wipe confidential data, this may also involve removal of employees’ personal data. When implementing BYOD policies, employers should gain employees’ explicit consent to access and process such personal data to avoid breaching the DPA. Employees should be advised to keep personal data separate from company data where possible.

Employers should also consider the approach to be taken if they wish to monitor employees’ use of personal devices (for example to ensure compliance with company policies), as it is likely this will differ from the approach taken to monitoring of devices owned by the company. Employers should have a clear policy in respect of monitoring and should minimise company access to personal information.

Software and emails

Employers should be aware of software licensing rules should company software be installed on employees’ devices for work purposes. Employers should also consider the risk that they become liable for employees’ use of illegal or pirated software on their devices for work purposes. Issues may also arise in respect of emails if employees mistakenly use a personal email account for work emails or if appropriate footers and legal disclaimers are not included.

Social Media

Use of personal devices by employees limits employers’ ability to place restrictions on access to social media websites. Alongside any policy for BYOD employers should also implement a social media policy and ensure clear provision is made for what access is permitted during working hours as well as the employers’ expected standards of behaviour.

Practical Steps

Employers should consider the following practical steps to be taken should they wish to allow employees to use their own devices for work purposes:

1. Implementation of a BYOD policy – it is important for employers to set out a clear and well publicised BYOD policy to inform employees of their responsibilities and expectations for privacy. Employers should include provisions for the ownership and control of company information, how data security will be managed, and procedures for when employees leave the employment of the company or what should happen if devices are lost or stolen. Employees’ expectations should be managed in respect of the impact of BYOD on their privacy and the consequences for any breach of the policy should also be outlined with reference to disciplinary rules and procedures.

2. Under a BYOD policy, any personal device used by an employee for work purposes should be registered with the company to ensure devices can be identified on the system and allow appropriate controls to be put in place for network and data access.

3. Employers should also consider implementing a social media policy and review information and communications systems security policies to reduce risk and ensure these reflect the situation where employees use their own devices.

4. Employers should ensure their IT systems adequately protect against data loss, for example through the use of anti-virus software, firewalls and encryption.

Jonathan Simpson
T: 028 9027 1304
E: j.simpson@cfrlaw.co.uk

Please note: The content of this article is for information purposes only and further advice should be sought from a professional advisor before any action is taken.