Bring your own device (“BYOD”) is a practice that allows employees to use personal mobile devices such as smartphones, tablets and laptops for business purposes. Many employers are delighted by the concept – employees are able to work longer hours because they can interact with the systems they need late at night and early in the morning rather than waiting until they are in the office. But employers should not be lulled into a false sense of security. There are legal and commercial risks that arise with BYOD and employers are advised to consider the issues carefully and implement a policy to manage these.
Here we look at the issues around data security and employee responsibilities and risks which need to be addressed in a BYOD policy.
Security
Wherever there are new access routes to data there are new security concerns – and BYOD is no exception to this. As well as concerns associated with the loss or leaking of commercially sensitive data, employers also have legal responsibilities around the security of certain data under the Data Protection Act 1998. The Information Commissioner’s Office has made it clear that these responsibilities apply “regardless of the ownership of the device used to carry out the processing”.
Research has shown that amongst those employers that have allowed BYOD, around 50% have experienced a security breach.
There are some key steps that employers can take to help control these risks:
Employee Responsibilities and Risks
Employee responsibilities should be carefully addressed in a BYOD policy. Issues around misconduct, discrimination and confidentiality which may arise where there is improper use of an employer’s IT systems are usually already addressed in an employer’s IT Policy. However, a BYOD policy will need to consider further issues:
Of course it is one thing including these requirements but quite another trying to police them. One of the risks around BYOD is that it may be more difficult to detect or demonstrate that an employee has taken or misused commercially sensitive information. The BYOD policy should include a requirement for the employee to hand over any personal device that has been used to access the employer’s information as and when an employee resigns or is dismissed in order to allow the employer to check whether confidential information has been properly and permanently deleted.
Finally, it is worth bearing in mind that enforcing the BYOD policy will depend upon being able to demonstrate that the employee was aware of the policy and that they accepted the terms. By far the clearest way to do this will be will a clear signed statement from the employee to this affect. The easiest and most comprehensive way to ensure this is done may be to make signing an agreement a pre requisite to obtaining the necessary password and or access details.
If all of these issues can be worked through, BYOD will be one route to help both employers and employees in the steady march towards an increasingly flexible workplace.
You can register online or follow us on Twitter or LinkedIn to receive our latest news, events and publications.