Acas has recently published guidance on using personal devices such as mobile phones and iPads at work, where companies permit and/or encourage employees to use their own personal electronic devices for work purposes.
Introducing a "bring your own device" or "BYOD" policy can be mutually beneficial for employers and employees, as it can reduce costs for businesses and help to promote flexible working. However, a company permitting any such BYOD policy should also take measures to avoid some of the potential pitfalls associated with this practice.
Keeping data secure
Data security is a prime concern for employers. Employers should ensure that, if the device is lost, the data on the device is 1) kept confidential and 2) retained by use of a back-up facility such as a cloud-based service. Confidentiality is important for two principal reasons:
- Commercially, employers will wish to ensure that sensitive information such as valuable client contact details is not made available to the departing employee or third parties, and to avoid the reputational risks associated with data loss.
- In terms of legal risk, losing data containing employee or client records could result in the company breaching the Data Protection Act, which could leave the company vulnerable to legal claims brought by the employee/client in question or a fine imposed by the Information Commissioner, who regulates this area.
Sensitive data on the device should be safeguarded by password protection. Employers should also consider putting in place a facility to delete information held on the device remotely, should it go missing or should an employee leave.
Employees will generally be responsible for protecting their personal devices from viruses with appropriate software. However, as their devices will be synchronised with the company's systems, it is essential to ensure that the software is kept up to date and that any additional protection and filters are put in place by the employer. If an employer neglects to do this, a personal device could unintentionally open the way for hackers or viruses to enter the employer's IT system.
Blue sky thinking: using the cloud
No data need be stored on a device if the cloud is used, as the cloud holds data centrally. Use of the cloud comes with legal considerations to bear in mind, however, and the most important of these relates to personal data. In order to comply with the Data Protection Act, the party responsible for deciding the purposes and manner in which personal data are processed (i.e. the employer) must ensure that when the processing of personal data is sub-contracted, the terms of that contract require the subcontractor to process personal data only in accordance with the employer's instructions, and to ensure that appropriate technical and organisational measures are taken to keep the personal data secure. Advice should be sought to ensure that the contract is adequate for this purpose.
Other data management considerations
Data mapping (keeping a record of where information is stored) would aid an employer in tracking the location and proliferation of information. Employers should also consider what happens to the information contained on personal devices when an employee leaves employment, bearing in mind that the device itself remains the private property of the employee (or ex-employee).
As well as incorporating the issues above, a well-drafted BYOD policy should address the division of use of the personal device between the personal and the professional. In addition to a BYOD policy, employers are advised to introduce detailed social media policies, given the multitude of issues that can arise.
Acas gives further guidance on developing effective policies for issues associated with new technologies in the "social networking" area of its website.