The interest in BYOD (Bring Your Own Device to work) is growing. When an employer decides to allow its employees to use their private devices for work, he or she should be aware of all the issues that may arise. This article identifies how to implement BYOD rules in full compliance with Slovak law requirements.
Employment policies vs. contract
Provisions intended to be binding on the employee should be incorporated into both the employment contract and policies. The employment contract should contain the BYOD rules’ framework and confirm the employee’s consent, while the policies should provide a detailed synopsis of such rules. The Labour Code requires that employees be familiarised with the policies, and that they be easily accessible. It is particularly important for multinational corporations to have the BYOD rules incorporated into their electronic communications or data protection policies.
The BYOD rules will normally cover the practicalities of BYOD: Where is the company data stored? What level of protection is achievable? What are the associated risks? Are data leaks likely to occur? If so, how and where? Collating such information generally requires involvement from the legal, IT and HR departments.
Personal data security
It is the responsibility of the employer, as the data controller under the Data Protection Act, to ensure the security of the employee’s personal data. Firstly, the employer has an obligation to protect any personal data found on the device or in the employer’s information system against damage, loss, alteration, unauthorised access and disclosure, provision and publication. Therefore, the BYOD rules should include a provision on the remote wipe of data from the device in case of loss, and the employer should clearly advise the employee of the consequences of such wipe. The employee should be bound to report such loss without delay, as this situation may put the employer’s business secrets at risk.
Further, it should be emphasised to the employees (for example through automated messages) that they are obliged to back up any data on the device. The method and location of such backups should be adequately protected against data leaks. For security reasons, it is essential that the device be protected by access codes (changed frequently) and by automatic locking or blocking after repeated entry of incorrect access codes. The Data Protection Act requires the data controller to document the security measures put in place for the protection of any personal data it processes.
An employer may only process an employee’s personal data with his or her consent, and may do so only within the scope and for the purposes set out in such consent. Applications that make BYOD work, such as MDM or mobile device management, require registration with the Data Protection Office as they are considered ‘filing systems’ pursuant to the Data Protection Act.
In addition, multinational corporations should carefully consider whether some operations, such as the collection of personal data in firm-wide data centres, qualify as a cross-border transfer of personal data to countries that do not provide an adequate level of protection. In such a case, the employer must inform the employee in advance about the destination country and ensure the security of the personal data by giving adequate guarantees, such as binding corporate rules or standard contractual clauses; if the transfer is to the U.S., the recipient company should have acceded to the Safe Harbor principles. Without such guarantees, consent from the Data Protection Office for the cross-border transfer would be required.
Compensation for use of device
The employer may give the employee a one-off contribution to purchase the device, pay some portion of its operating cost, or pay a fixed amount to compensate for its use. The specific form of compensation is a matter of agreement between the employer and employee, and should be specified in the employment contract. The BYOD rules should contain as much detail as possible, for example: What happens if the employee’s phone is disconnected due to an unpaid bill? If the data limit is exceeded? What if the employee loses the device? Would he or she be entitled to another one-off grant? Would the scheme be subject to income tax? By law, grants or compensation may be exempt from income tax if the amount is set on a ‘real costs basis’.
Separation of work and private spheres
A distinct feature of a BYOD policy is the protection of employees’ privacy, which is guaranteed under the Constitution and international treaties. This means that the work and private environments should be completely separate on the employee’s device. This can be achieved, for example, by using different safety modes, or by blocking or restricting access to certain websites and applications during working hours. A virtual work desktop should be used to help separate the work and private spheres and to prevent company data from being stored on the employee’s device. Further, the BYOD rules should clarify the procedures to follow when the employment is terminated. The employee should be obligated to hand over the device (including access codes) to the IT department, so that all company data can be erased.
The Labour Code allows work communications to be monitored provided that the employee has received prior notice, except if the employer has serious reasons for monitoring. However, the employer cannot monitor an employee’s private communications or private GPS location. Employees should be advised to clearly flag communications that are private. Before incorporating a monitoring mechanism, the employer should negotiate its scope, means and duration with employee representatives. The employee’s consent is required for any form of interception or surveillance of private communications (for example, recording, wire-tapping, storing).
Other legal aspects
Message content and related information, such as sender/recipients, traffic or location data, are considered a ‘telecommunications secret’. Anyone who becomes familiar with a telecommunications secret, including an employer, is obliged to keep it confidential.
Criminal liability should also be considered when implementing a BYOD scheme. The Criminal Code contains several offences that may be applicable. For instance, any person who intentionally breaches the secrecy of information transferred via an electronic communications service shall be liable to a term of imprisonment of up to three years.
When implementing a BYOD scheme, employers should ensure that the rules they devise include the following legal and practical elements:
- Are binding on both employer and employee
- Separate work and private spheres
- Protect employee’s privacy and secure employee’s personal data
- Protect employer’s data and business secrets
- Spell out terms of responsibility for device operation and management
- Include terms of monitoring
- Include terms of payment of related costs
- Inform the employee about the risks attached to BYOD
- Give guidance for various situations, such as loss of device, termination of employment, regular device checks