Privacy. Data. Employee Rights. You've seen it on the news and in the papers but what does it mean for you, the employer?
Thanks to all the media coverage of a recent Supreme Court case, employees of all shapes and sizes believe employers cannot search employee mobile devices. In Riley v. California, the Court held that police need warrants to search the vast amount of information on a person's cellphone. Employees have taken this to mean that their employer cannot look at their cell phones. This is not always the case.With proper planning and policies, an employer can access an employee's cell phone for legitimate work purposes.
Why Would an Employer Need Access to an Employee's Cell Phone?
For various work-related reasons. Most obviously is when an employee separates from the company. You probably want to wipe company data and information from their device. This becomes particularly relevant if the employee works for a competitor or if third parties have rights in that data and you could be sued for its loss/transmission. You may also need to install security software, copy data to meet record retention obligations, or investigate a security breach.
What Can Employers Do To Ensure Access?
Here is the rule: an employer cannot violate an employee's reasonable expectation of privacy. So if an employee has a reasonable expectation in the privacy of their cell phone (or any other mobile device), the employer cannot search it.
Historically there has been a difference in privacy expectations between company-owned devices and employees' working on the mobile device through a BYOD (bring your own device) policy. But the blurring of work and home technology creates makes additional protective measures a good idea regardless of which policy your company employs.
So - how do you search an employee's mobile device and stay out of legal trouble? Here are three simple guidelines to get you on the right track.
Set the ExpectationHere is where to start: make it clear in policies, handbooks and agreements that employees should have a reduced expectation of privacy in the devices on which they work. Specify that the company will need access to and knowledge of what employees are doing with work-related data.
The company has to know on what devices employees are working – e.g., cell phone, tablet, laptop. If the employee has company files on their home tablet and you don't know it, your policy or agreement is worthless because you won't know to access the home tablet. In addition, this knowledge empowers you to better control your company information. You can evaluate security and your data flow generally. You can also prohibit certain uses because it is unlikely that all of your employees need to work from multiple (or any) mobile devices.
Big caveat to the discussion: company monitoring and access should only be for legitimate purposes (e.g., installation of security software, copying data to meet record retention obligations, wiping sensitive information). Big brother monitoring is never acceptable.
As with most employment policies, access policies must also be enforced in a non-discriminatory manner. Don't just access all of the [insert any protected class here]'s devices.
How detailed your policy should be and how it should be delivered depends on your business and your employees. Have an informed conversation with IT, management, and your legal team to ensure your policy is effective and doesn't ruffle more feathers than it needs to.