BYOD (bring your own device) is a hot topic in the boardroom and for IT managers. BYOD involves allowing employees to use their own mobile devices for work purposes. Mobile devices include smart phones, tablets, storage devices and laptops. With shifts in culture and technology, people are now managing their lives more and more through their personal devices.
Implementing a BYOD policy in an organisation can make sense on a number of levels, including operationally and financially; it can also increase employee satisfaction and productivity. Allowing employees to use their own devices can reduce technology refresh costs, training costs and software costs. BYOD policies also recognise the fact that many people will use personal devices for work purposes, whether or not they are authorised to do so.
However, there are risks associated with giving BYOD formal approval, including business and legal risks. These issues can be managed, but thought needs to go into the policies used to govern the use of personal IT equipment in the workplace.
Confidential Information and Trade Secrets
- Organisations must take steps to protect their business assets from competitors. Often business assets take the form of confidential information, e.g. price lists, tenders, customer lists and revenue details. Data has become incredibly portable and mobile. This is very useful in many ways, but this also means that an organisation's ability to control confidential data is more challenging. Organisations must protect confidential business information by keeping it secure and ensuring that only authorised individuals have access to it. They should impose restrictions on those with access to confidential business information, and set out the purposes for which such business assets may be used.
- If a device holding confidential information is compromised or misused it can pose a significant risk to a business. Lost business data may attract unwanted publicity and can lead to the erosion of customer and employee confidence in the organisation's ability to manage its business.
- Where organisations choose to use BYOD they must manage these risks. Risk and liability issues, which were manageable in a closed or managed network context, are less manageable when an employee owns the networked device and can use it independently. It may not be appropriate for some organisations to facilitate BYOD for certain data for that reason.
- Data protection laws in Europe impose obligations upon data controllers to keep personal data secure and to take appropriate technical and organisational measures against unauthorised processing or accidental loss or destruction of personal data. Quite a few legal problems can arise for organisations that do not take adequate measures to manage and protect personal data appropriately. Certain organisations are legally obliged to notify data security breaches to the Data Protection Commissioner. If an employee device is lost, and the organisation’s personal data is lost or compromised as a result, the Data Protection Commissioner will regard that as a breach of the organisation’s data protection obligations. It is not a defence to point to the fact that a breach occurred in connection with an employee-owned device or in connection with private use of the device, or that the organisation does not know about a breach because it happened on an employee-owned device.
- Technical and organisational safeguards dealing with data loss should be implemented in all organisations, and due account given to BYOD arrangements. Organisations need to ensure that their BYOD policies are robust enough to ensure that they can continue to comply with their data protection and confidentiality protocols and that they become aware of any data security breach.
Data Protection and the Employee's Right To Privacy
- An individual has a right to privacy in his or her personal life, not only morally, but legally. These rights are enshrined in the Irish constitution, in the European Convention on Human Rights (which is part of Irish law) and are also recognised in data protection laws. Personal data about the employee (and maybe their family) might be stored on a BYOD device which may attract these protections.
- The task of keeping personal data secure and preventing unauthorised or unlawful processing becomes more complex where private employee data enters the equation and becomes accessible to the organisation. Great care must be taken when accessing, processing and managing personal and private data of an employee.
- One important consideration for employers is that implementing a BYOD policy will, in most cases, involve a certain degree of employee monitoring and access to private employee data. In order to comply with data protection requirements, organisations should set out clearly what information on the BYOD device might be monitored and/or accessed. An organisation with a BYOD policy should be able to demonstrate that the affected employees have given fully informed and unambiguous consent to the organisation to access and process their personal data. Particular focus should be placed upon any security or access software to be installed on their device. The employee should be briefed in order to ensure they understand how the software operates, and so that there is no doubt about the nature of the consent given to its use.
- Like any other data subject, an employee should be provided with assurances and details concerning the steps that the organisation has taken to protect their private personal data, what it can be used for and how long the information collected will be retained. They should also be informed of their right to revoke their consent at a later date if so desired.
Ownership, Network Contracts and Network Costs
- Usually an employer operating a BYOD policy will provide some financial incentive to the employee to agree to and support a BYOD policy. This could involve funding, insuring or subsidising the purchase price of the employee device or payment of network costs.
- What happens when an employee wants to sell their device? What happens when an employee loses the device? Does the organisation have the right to buy the device from the employee on termination of the employment? It is important for an organisation to make sure that its BYOD policy anticipates the life-cycle of the device. It should answer these questions clearly and should include appropriate provision for contingencies that might arise.
- In terms of network contracts, the employer needs to consider which entity should have the contract with the network: the employer or the employee? The BYOD policy should clearly set out how the business and personal uses of the device will be differentiated and paid for. Tax advice may be needed to deal with benefit in kind issues associated with BYOD.
Intellectual Property Ownership
- An official BYOD policy also increases the likelihood of staff doing work on their personal devices outside of usual working hours. It would be sensible to review existing policies relating to ownership of intellectual property rights to make sure that account is taken of those facts.
What should the policy contain? What training should take place?
- What approach should an organisation take if it wishes to introduce BYOD? Organisations should make sure that the policy is relevant and addresses how devices and data are really used in that particular business.
- A BYOD policy should include some or all of the following information:
  - an acceptable use policy, dealing with the purposes for which the device and data may be used in terms of the business, technologies which may be used on the device, network access and any other restrictions;
  - details of the security measures that the organisation will take to protect business and private data on the device;
  - when monitoring of the device can occur and the procedures that are in place for accessing an employee's device;
  - informed employee consent allowing the employer to access, back up, audit and monitor the device, and the different types of data on the device;
  - the device and data loss policy, dealing with what happens where the device is lost or is compromised in some way, and the related obligations of the employee;
  - ownership of the device and the contract with the mobile phone operator; and
  - management of the device, data and business software on the device on termination of the employment relationship.