As technology continues to advance and ownership of tablets, smartphones and laptops is on the up, increasing numbers of employers are allowing employees to use their own electronic devices for business purposes.
There are undeniable benefits to a “bring your own” (“BYO”) scheme. Obviously, it saves money and cuts down on the number of gadgets an employee carries around, and employees are more likely to be familiar with how the device works, hopefully lessening the inevitable IT headaches! However, practical difficulties include the following:
- Potential loss of control of the company’s data, as this is no longer stored on its own network;
- Reduced ability for the employer to monitor employees’ use and misuse of data;
- Security risks if the device is unlocked, shared, lost or stolen;
- Employees are likely to expect a greater degree of privacy when using their own device.
From a data protection point of view, employers should also remember that they are the ‘data controllers’ of at least some of the data on the device, meaning that there is a responsibility to take appropriate security measures so that personal data (for example, names and addresses of customers) is not lost, unlawfully accessed or accidentally destroyed.
Best practice is to have a properly drafted BYO policy, covering these bases and setting out your expectations of employees unambiguously. It’s important that employees agree to hand over the device and allow the employer to review its content if necessary. If this is not dealt with, attempting to investigate allegations of misconduct, for example, is going to prove difficult. If an employer uses an employee’s password to access the device without consent, then they are likely to fall foul of the Data Protection Act 1998 and could even be committing an offence under the Computer Misuse Act 1990, so ensuring that your policy deals with these issues is paramount.
Employers should invest in mobile device management software which allows management of the device remotely, for example by locking the device after a period of inactivity, tracking its location and preventing installation of unapproved apps. A “sandbox” or separate secure location for company data can be created, clearly separating business from personal information and therefore allowing company data to be wiped (for example when the employee exits the business) without affecting personal content. However, the success of this sort of software depends on its ease of use; there’s no point investing in this if the employee finds it too much hassle and ends up saving everything to their own files!
Other practical steps include:
- Assess risk, including what sort of data is held and where, as well as the potential for leakage;
- Impose controls such as access codes, PINs and encryption;
- Keep up to date with advances and keep a list of approved models of device;
- Ensure that deletion is safe and secure; don’t delete employees’ personal data!
- Consider how monitoring company activity can be balanced with the employee’s need for privacy;
- Ensure your BYO policy is properly drafted, up to date and well publicised.
There’s no reason why a BYO scheme cannot work well for both parties, but proper consideration needs to be given to the detail before data is let loose!