Employment and privacy law issues
What employment issues must companies consider in deciding whether to switch to the bring your own device (BYOD) model?
Portuguese labour law requires employers to provide employees with the necessary facilities to perform their tasks and job functions, but does not address the BYOD model. Thus, an employee’s use of his or her own device for work should always be voluntary. This could result in a company having two models in place – BYOD for those who choose it and company-provided devices for those who do not.
A BYOD policy should clearly set out the terms and conditions under which it is admissible, as well as the rights and duties of the employer and the employees and the consequences of misuse. Various departments should be involved in drafting the BYOD policy – at minimum, human resources, information technology and legal. In addition, before a BYOD policy is implemented, it must be formally presented to the works council, if one exists, and to the employees.
As the BYOD model involves data processing, the Portuguese Data Protection Authority (CNPD) must be notified of the intention to implement a BYOD model. As sensitive data will be processed (eg, relating to the private life of employees and traffic data), the CNPD must authorise the model before it is rolled out.
Although employee consent is not usually considered to be a legitimate ground for data processing within an employment relationship, in a voluntary BYOD model each employee must agree to the BYOD policy in writing before accessing the company’s network through a personal device.
From the employer’s perspective, the BYOD policy should consider which employees are eligible and which are not, as some job functions do not require network access (eg, receptionists). Among eligible employees, different levels of access should be granted based on:
- who – in some cases only some of the eligible employees should be allowed to access the network;
- what – the data that each level of employee can access;
- where – in some places (particularly when travelling abroad) access may be restricted and ultimately prohibited; and
- when – during or outside working hours.
Particular attention should be paid to working hours, as any work performed outside working hours may give rise to overtime payments and rest days in lieu. This applies unless employees are excluded from the working time regulations, and even excluded employees remain subject to certain time limits that must be considered. The same issues arise for work carried out through network access on bank holidays, at weekends and during holiday periods.
Further, the BYOD policy should specify how costs will be shared between the employer and the employee.
Companies should ensure that employees are fully informed of their rights and duties under the BYOD model through regular training sessions, which should also raise awareness of the consequences for the company and employees if the BYOD policy is not followed. The policy should indicate the types of behaviour that could give rise to disciplinary proceedings and penalties, regardless of any civil or criminal liability.
Are there any specific issues that organisations with a global presence, or those in highly regulated sectors, should bear in mind?
Companies that operate globally should consider local requirements before developing and rolling out a BYOD model and should be prepared to adapt their policies according to the location.
In addition, companies must bear in mind that many BYOD issues also arise when devices are owned by the employer and given to employees for professional purposes, as employees will also use those devices for personal purposes. Under Portuguese labour and data protection laws and rules, the fact that the devices are owned by the employer does not automatically entitle it to monitor, access, wipe or manage the data stored on them. Thus, it is important to examine the specific issues and concerns raised by the BYOD model.
Before implementing a BYOD model, companies – particularly those in highly regulated sectors – should conduct a risk assessment to consider the impact that a BYOD model would have on their business, contractual and legal obligations. In this risk assessment companies should consider whether the BYOD model will affect other company policies and pre-existing commitments, as BYOD might not be a suitable option for some companies.
For companies that intend to implement a BYOD model, the key factors to include are a clear and comprehensive policy, regular reviews and training. This is particularly so in Portugal, as the law does not specifically address BYOD models. It is possible that in future the legislature or at least the regulators, including the Portuguese Data Protection Authority, may issue BYOD guidelines to be considered in relation to new or existing policies.
Privacy and confidentiality
How do privacy laws, employment laws and protecting a company's confidential information overlap or intersect on this issue – and how can they be reconciled, given their disparate aims?
In addition to a risk assessment, companies should conduct a privacy impact assessment in order to identify and reduce the privacy risks of the BYOD model for employees without jeopardising the company’s business goals.
This challenge can be dealt with by balancing the company’s right to protect confidential information with the employees’ right to privacy. However, the Portuguese Data Protection Authority (CNPD) has issued no guidelines on BYOD and is not expected to do so in the near future. Nevertheless, the CNPD’s guidelines on the monitoring of employees’ private use of information and communication technology should apply mutatis mutandis to BYOD.
As the goal is to protect companies’ rights, the BYOD policy should clearly define what data can be accessed from and/or retained on the device. For instance, the company should prevent its confidential information and trade secrets from being handled on remote or mobile devices. The same applies to employees’ and clients’ sensitive data processed by the company (eg, personal data revealing philosophical or political beliefs, political party or trade union membership, religion, privacy and racial or ethnic origin, as well as data concerning health or sex life, including genetic data, and credit information, location data and traffic data).
To address these concerns, a company should consider:
- providing remote access to its computing network in order to avoid the storage or processing of company data on employees’ devices;
- implementing strong authentication methods for remote access;
- restricting the ability to store such data on employees’ devices and allowing this only if the data is encrypted and destroyed after use;
- requiring that any transfer of data be made through an encrypted channel such as VPN or HTTPS, and preventing the use of removable media to transfer data;
- making it compulsory for devices to have dual functionality in order to separate company and personal information (ie, sandboxes);
- requiring elementary security measures (eg, a lock for the device, a strong, regularly changed password and use of the most updated versions of antivirus and malware programs and security patches); and
- disabling interfaces used to connect to other devices (eg, WiFi or Bluetooth) whenever they are not needed for work, and providing guidance on how to check the security of WiFi networks before connecting, particularly when travelling and abroad.
On the other hand, companies should not restrict personal use of the device by:
- prohibiting employees from using social media;
- restricting use of websites;
- prohibiting the download of apps; and
- using the remote wipe function for all data stored.
As BYOD usually involves an increase in the use of social media, it is also highly recommended that a company establish a social media policy.
Finally, special attention should be paid to the use of personal devices for professional purposes when employees are travelling outside the European Union or to any country that does not offer the same level of protection for personal data, whether for work or personal reasons. In some cases an international data transfer could occur, which raises additional concerns. Thus, the company should consider suspending or restricting employees’ access to the company’s network, depending on the places visited, and should set down clear rules on how access should be carried out, as well as how data can be processed, stored, transferred and retained when travelling abroad.
For those that make the switch to BYOD, how can the confidentiality of both employer and employee be preserved?
The best way to preserve the confidentiality of both the employer and employees is to give employees only remote access to the company’s systems from their personal devices, so that no corporate information is stored or processed on the devices themselves. Alternatively, a company can require dual functionality (ie, sandboxes) to separate personal and corporate information on the device.
In all cases, strong and adequate security measures must be put in place and employees should be held responsible for following them closely.
With regards to the preservation of confidentiality, a BYOD policy should set out clearly and precisely:
- what is considered to be adequate use (with practical examples);
- what is considered not to be adequate use and is therefore prohibited (with practical examples);
- guidance on the use of social media and safeguards that must be put into practice by employees;
- guidance on use of the device by family members and precautions that employees should take when they are working nearby (with practical examples); and
- guidance on using the device abroad, particularly outside the European Union and in places where the security level is unknown, in order to enable employees to assess the security level of such jurisdictions.
Separation and ownership of data
How can companies separate out what information sent or received on the device is official and business related? Who owns this information – the employer or the employee? And how can employer access to information be assured?
This issue is the biggest challenge posed by the BYOD model. The company may, if appropriate to its needs and business, allow only remote access from devices owned by employees. In that case the company can ensure that no official or business-related information is stored, processed, transferred or retained on the personal device.
If remote access is not an option, the company should choose dual functionality (ie, sandboxes) in order to separate company and personal information. Under Portuguese law, the company should never allow limited or no separation, as this would put it in a vulnerable position in regard to ownership, access, monitoring and control.
The BYOD policy must be explicit regarding the ownership of information and data, specifying that personal information and data belongs to the employee, while corporate information – including the personal data of employees, clients and suppliers – belongs to the company. It should further state that the employee is forbidden from storing, transferring, retaining or processing corporate information on the personal area, and vice versa.
Under the Labour Code, a company policy takes effect and constitutes a binding agreement between the company and its employees once it has been notified to all employees. However, the BYOD model should always be voluntary, and consequently each employee should agree to the BYOD policy in writing before it is rolled out. In addition, because the model involves the processing of personal data and the privacy of employees, it should be put in place only after such processing has been authorised by the Portuguese Data Protection Authority (CNPD).
The BYOD policy should also provide that, when using their personal devices for professional purposes, employees should use only the company’s software licences rather than those supplied with the device, as the latter usually allow private use only.
Finally, it must be clear that the IP rights in any work performed for the company by the employee using his or her own device are owned by the company.
Regarding the employer’s access to information, there are no specific legal provisions or guidance regarding BYOD, and consequently the CNPD guidelines on the monitoring of employees’ private use of information and communication technology should apply mutatis mutandis to BYOD. Under such guidelines (applicable to devices owned by the company and used by employees), the employer shall not undertake permanent and systematic monitoring. Instead, monitoring activities should be one-off and cover, with particular attention, areas or activities that present the greatest risks.
No monitoring of employees who are subject to professional secrecy (eg, lawyers, physicians, health professionals and journalists) is allowed.
Monitoring should be carried out on a random basis. Monitoring for the prevention or detection of trade secret disclosure should be directed exclusively towards employees with access to such information, and only where there are grounds for suspicion.
In case of abusive use, the company should issue a warning to the employee.
Access to the employee’s email should be a final step for the company and should be carried out in the presence of the employee and a representative of the works council or another person chosen by the employee. Access shall be limited to monitoring the addresses of email recipients and the subject, date and hour. The employee is entitled to identify personal emails and object to the employer reading those emails.
Further, and with particular relevance to the BYOD model, the CNPD guidelines:
- prohibit the use of systems and applications (eg, virtual network computing) without the employee’s knowledge which enable the monitoring of activities and operations performed, including by remote access or sharing graphical environment, either in real time or delayed through recording;
- provide that the employer cannot, in a centralised manner, automatically wipe data (eg, through e-discovery search methods);
- provide that the employer cannot, in a centralised manner and without the employee’s knowledge, search for documents or messages on the basis of selected expressions;
- prohibit the company from accessing personal information stored on the device; and
- prohibit the inclusion of all information on back-up systems and require that back-ups be made only of professional information.
Finally, the CNPD pays particular attention to the security measures applicable for monitoring purposes, requiring the company to:
- create a specific access profile for the purposes of this processing;
- ensure that the systems recording this information are accessed only through user accounts that allow for the unique identification of the user;
- restrict access to servers (physical and logical);
- provide an access record for sensitive information for the purposes of operations control, as well as internal and external audits;
- implement a trusted audit system;
- implement a monitoring system to track access, recording who accessed the data, a timestamp and what was done. Each occurrence should be assigned an identification number and a hash computed over the following elements: identification, user, date, hour and operation. In order to be valid, logs should also be digitally signed;
- implement an alarm system and a response system in case of misuse; and
- establish a log analysis policy with periodic analysis reports that should be kept for one year for CNPD’s supervisory purposes.
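The log requirements above (an identification number per occurrence, a hash over identification, user, date, hour and operation, and a signature so that the log is valid as evidence) can be implemented as a tamper-evident access log. The following is an added example written for this page; it is not code from the article, the CNPD or any product. It makes two assumptions that go beyond the text: each entry also hashes the previous entry’s hash, so that deleting or reordering records is detected, not only editing them; and an HMAC under a key held by a separate log-integrity service stands in for the digital signature, because the Python standard library has no asymmetric signature. In production an asymmetric signature (eg, Ed25519) should be used so that the host writing the log cannot forge entries. The sample entries are constructed.

```python
"""Tamper-evident access log with one sequential id per occurrence, a hash over
(identification, user, date, hour, operation) and a per-entry signature.
Added example; hash chaining and the HMAC stand-in are assumptions (see lead-in)."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed demo key. A real deployment keeps the key (or, better, an
# asymmetric private key) in a separate log-integrity service, not on the host
# that writes the log, so a compromised logging host cannot forge entries.
SIGNING_KEY = b"constructed-demo-key-do-not-use"

GENESIS_HASH = "0" * 64  # chained into the first entry (assumption)


def entry_hash(identification: int, user: str, date: str, hour: str,
               operation: str, prev_hash: str) -> str:
    """SHA-256 over the five CNPD elements plus the previous entry's hash.

    Canonical JSON (sorted keys, no whitespace) so the same fields always
    produce the same bytes regardless of dict ordering."""
    material = json.dumps(
        {"id": identification, "user": user, "date": date, "hour": hour,
         "operation": operation, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def sign(digest_hex: str) -> str:
    """HMAC-SHA256 over the entry hash (stand-in for a digital signature)."""
    return hmac.new(SIGNING_KEY, digest_hex.encode("ascii"),
                    hashlib.sha256).hexdigest()


def append_entry(log: List[Dict], user: str, date: str, hour: str,
                 operation: str) -> Dict:
    """Append one occurrence; its identification number is the next sequence number."""
    identification = len(log) + 1
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    digest = entry_hash(identification, user, date, hour, operation, prev_hash)
    entry = {"id": identification, "user": user, "date": date, "hour": hour,
             "operation": operation, "prev": prev_hash, "hash": digest,
             "signature": sign(digest)}
    log.append(entry)
    return entry


def verify_log(log: List[Dict]) -> Optional[int]:
    """Return None if every entry is intact and correctly chained; otherwise the
    index of the first entry that fails (edited field, deleted or reordered
    record, or a hash recomputed by someone who does not hold the key)."""
    prev_hash = GENESIS_HASH
    for index, entry in enumerate(log):
        if entry["id"] != index + 1 or entry["prev"] != prev_hash:
            return index  # gap, deletion or reordering
        recomputed = entry_hash(entry["id"], entry["user"], entry["date"],
                                entry["hour"], entry["operation"], entry["prev"])
        if not hmac.compare_digest(recomputed, entry["hash"]):
            return index  # a field was edited after the fact
        if not hmac.compare_digest(sign(recomputed), entry["signature"]):
            return index  # hash was recomputed without the signing key
        prev_hash = entry["hash"]
    return None


def build_sample_log() -> List[Dict]:
    """Constructed sample: three accesses to the monitoring system."""
    log: List[Dict] = []
    append_entry(log, "auditor.a", "2014-06-02", "09:15", "read mail-headers user=123")
    append_entry(log, "auditor.a", "2014-06-02", "09:21", "export report")
    append_entry(log, "admin.b", "2014-06-03", "14:05", "read mail-headers user=456")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact log:", verify_log(sample))            # None
    sample[1]["operation"] = "read mail-body user=123"  # after-the-fact edit
    print("first bad entry:", verify_log(sample))        # 1
```

The periodic log analysis the CNPD asks for would run verify_log over the stored log before producing its report, so that a report is never based on records whose integrity is unproven; a non-None result is itself an event for the alarm and response system listed above.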
Breach events and departing employees
Handling a breach
What happens in the event of a security breach? Is the employee protected from liability?
It is crucial that the BYOD policy specify and describe clearly and comprehensively the security precautions to be taken, what is and is not allowed, and the company’s and employees’ responsibilities, in order to avoid security breaches as far as possible. Training and refresher training are essential to achieve this goal, as are verification procedures to confirm that the rules set out in the BYOD policy are being respected by all involved. A user helpline is also important, as many issues arise only when employees are using devices, apps, software and the network on a daily basis.
Nevertheless, because security breaches cannot be eliminated altogether, the BYOD policy should set out clear rules, procedures and guidance on how users should deal with a security breach.
First, all personal devices should be registered by the company and employees should use their personal devices for professional purposes only if so authorised by the company’s IT administrator.
Second, the BYOD policy should establish reporting procedures so that all employees know the immediate steps to take, including whom to contact and what information to provide.
Third, the BYOD policy should set out response and follow-up procedures and the company should ensure that quick and effective responses are given in order to minimise, as far as possible, the consequences of the security breach (eg, revoking access).
Finally, the company should have procedures in place in case the security breach is legally required to be reported to any authorities and, in case of a data breach, notified to the Portuguese Data Protection Authority (CNPD) and ultimately the data subject(s) affected. Under the existing law, only providers of publicly available electronic communications services must notify any data breach to the CNPD and, if the breach is likely to affect personal data or privacy adversely, to the data subjects. Otherwise, notification of a data breach is not mandatory – at least until EU law changes in this respect (at present, it is only a recommended best practice under Opinion 3/2014 of March 25 2014 issued by the Article 29 Working Party).
In order to minimise the impact of a security and/or data breach, dual functionality (ie, sandboxes) that allows for the separation of company and personal information is essential in order to wipe remotely the professional data stored on the personal device in case of reported loss or theft.
As far as liability is concerned, as a general rule the company is liable for any acts performed by its employees, without prejudice to any right of recourse against the employees under Portuguese law. The company is also entitled to initiate disciplinary proceedings against the employee, and ultimately to apply a disciplinary penalty up to and including dismissal, depending on the severity of the infringement. For that reason, the BYOD policy must clearly identify all of the behaviours that may give rise to disciplinary liability, regardless of any civil or criminal liability.
What steps can a company take to prevent an employee leaving the company from taking company confidential information via his personal device? And how can the employee's own personal information be safeguarded in the process?
Dual functionality (ie, sandboxes) that allows for the separation of company and personal information is essential so that both the company and the employees have their information protected in case the employment relationship terminates.
Ideally, the BYOD policy should specify a period of time before termination of the employment contract during which the company and the leaver can ensure that neither takes data and information belonging to the other, and allowing the company to remove any professional information or data from the employee’s device.
However, in most cases this may not be feasible; this is why the segregation of professional and personal information is needed as it is the only way to be able to wipe remotely or recover professional data stored on the personal device in case of termination of the employment contract.
Nevertheless, in some cases there is a risk of the employee storing professional information or data on his or her own device in disregard of the segregation rule. This risk arises even when companies do not adopt a BYOD model. In this case, under the Portuguese Data Protection Authority guidelines on the monitoring of employees’ private use of information and communication technology, which should apply mutatis mutandis to BYOD, a centralised remote wipe function is not allowed even when the device belongs to the company, as the company should expect an employee to use company devices also for personal purposes. In a BYOD model, where the devices belong to the employees, such a centralised remote wipe function is a fortiori not allowed.
In addition to handling leavers, companies should include in the BYOD policy procedures regarding device repair, replacement and disposal. If a device breaks and is still under warranty, the employee should be responsible for informing the company with reasonable prior notice so that procedures can be taken to protect and remove professional information stored on the device and to suspend access to the company’s network.
If the employee simply wants to replace the device with a new one and to sell or transfer the old device to a third party, including a family member, he or she shall:
- inform the company with reasonable prior notice in order to remove all professional information stored on the device;
- take all necessary measures to protect such information;
- cancel the registration of such device; and
- register the new device in the company’s system.
Finally, if the device reaches the end of its lifecycle, it should be disposed of only after the company and the employee have removed the professional and personal data that they want to keep, so that afterwards the company can remotely wipe all information stored on the device.