This article first appeared in Computers & Law, published by the Society for Computers and Law, of which Nigel Miller is a Fellow.
One of the more significant trends in the workplace so far as IT is concerned is “BYOD” (bring your own device), where employees are allowed to work on and access company information and applications from their own personal devices such as smartphones and tablet computers.
Depending on their attitude to risk, organisations are either embracing, tolerating or restricting BYOD schemes. For the majority of business organisations, the implementation of BYOD is irresistible. In doing so, their attention must turn to risk management, as BYOD schemes give rise to a number of legal and technical issues that need to be considered before a scheme is implemented.
A win-win situation…?
In most schemes, the employees choose, pay for and own their own devices; they then use the device for both personal purposes and also for work. In that way the organisation transfers the cost of work devices to the employee and potentially reduces its own spend on IT, although some organisations offer a subsidy to employees towards the cost of the device.
With employees having the flexibility to engage in work tasks – check emails, review documents, access enterprise apps, etc. – wherever they are and on the move, the theory is that BYOD increases efficiency and productivity. Studies have shown that employees who use their own devices for work put in more hours than those who do not. Organisations also have the opportunity to roll out apps to encourage and enhance mobile working.
For the most part, employees see it as something of a benefit to be permitted to use their own device of choice rather than have to carry separate devices for work and personal use. This results in higher levels of employee satisfaction with IT departments. On the surface, it appears to be a win-win situation for everyone.
…or zero sum game?
The big risk factor for organisations with BYOD schemes is the loss of control over the devices being used. This leaves organisations in the dark in terms of knowing what data are stored on the devices or in the cloud, what data security vulnerabilities there may be, and how access to corporate systems from those devices is secured. This potential loss of control opens the door to a host of privacy and data security issues.
For the employee, sharing control of the device with an organisation looking to protect its data assets may mean being required to give the organisation access to his or her own equipment, often without compensation, and accepting the risk that the organisation could read his or her private information, lock him or her out of the device or wipe its contents.
The Data Protection Act
When implementing BYOD, organisations need to consider their obligations under the Data Protection Act 1998 (DPA). The organisation’s customer or client personal data may be accessible from, or stored on, the employee’s BYOD device. In addition, the employee’s own data stored on the device will inevitably include “personal data” as defined under the Act. This may be in the form of photographs, personal emails, text messages, call histories, voicemail, and similar content accumulated as a result of the average person’s mobile phone usage. There is also the possibility that this data will include “sensitive personal data” (i.e. data relating to the employee’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, or the commission or alleged commission of any offence and related proceedings).
In March 2013, the Information Commissioner’s Office (ICO) issued guidance titled “Bring Your Own Device (BYOD)” which notes that BYOD raises a number of data protection concerns. The key point is that an organisation remains responsible for compliance with the DPA in respect of personal data for which it is the data controller and which is processed on the device by its employees, irrespective of the ownership of the device. At the same time the organisation has some responsibility towards the employee’s private data stored on the device.
Unsurprisingly, the key concern raised by the Information Commissioner relates to data security. The guidance states that, in the event of a security breach, you must be able to demonstrate that you have secured, controlled or deleted all personal data on the device.
The source of this is the seventh data protection principle which requires that: “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Due to the nature of BYOD and the loss of control that comes with it, there is an increased risk of breaching this principle. Organisations need to assess the risks and consider what data security arrangements should be implemented to prevent personal data and confidential business information being lost or exposed to hacking, viruses or malware. Such measures may include:
- Implementing a mobile device management (MDM) solution to manage the device as a whole (configure settings, enforce corporate policies, and remotely wipe or lock devices), or a secure container (sandbox) approach that confines business apps and data to an area the organisation controls and leaves the rest of the device to the employee;
- Restricting the use of cloud-based apps, in particular personal file-sync and backup services, in respect of the organisation’s data;
- Encrypting confidential or personal data stored on the device, bearing in mind that on most smartphones the storage encryption key is protected by the user’s passcode, so the encryption is only as strong as the passcode policy that accompanies it;
- Requiring the use of auto-lock and “strong passwords”;
- Having the ability to change the user’s passcode, and remotely lock or wipe a lost or stolen device, noting that a remote command takes effect only when the device next connects to the network, so it complements rather than replaces encryption and auto-lock.
There will be circumstances in which it is necessary for the organisation to have access to data held on employee-owned devices. For example, should the organisation find itself in litigation or under regulatory investigation, it will need rights of access that it can exercise quickly and efficiently in order to gather and preserve evidence. Should the organisation receive a subject access request or (in the case of public sector organisations) a Freedom of Information request, it may become necessary to search employee-owned devices to find relevant information.
However, as well as the need to be able to meet these requirements, organisations also have an obligation to respect their employees’ privacy. Submitting employee devices to auditing, scanning and searching raises issues of employee privacy as, unless the employee’s and the organisation’s data are effectively segregated on the device, some of the information searched would constitute the employees’ own personal data.
Employee monitoring is addressed in some detail in the ICO’s Employment Practices Code. This notes that monitoring workers can be intrusive and that workers have a legitimate expectation of keeping their personal lives private. Employees must be made aware of the nature, extent and reasons for any monitoring unless, exceptionally, covert monitoring is justified. Monitoring must be justified by an assessment of risk, proportionate and not excessive, and not overly intrusive of private data. Monitoring of electronic communications, such as unread email, voicemail and internet access, may also amount to “interception” of a communication, which is unlawful under the Regulation of Investigatory Powers Act 2000 unless undertaken in accordance with the Lawful Business Practice Regulations.
Where possible, organisations should consider implementing technology to keep separate enterprise and personal applications and data on the device such that the organisation can only have access to enterprise apps and data.
A key concern is what happens should the device be stolen or lost, not least because losing customer or client data stored on or accessible from the device could leave the organisation in breach of the DPA and in particular the seventh data protection principle. The ICO has repeatedly shown itself to be willing to fine organisations that lose devices containing unencrypted personal information. Aside from the financial penalty, this can lead to adverse publicity and reputational repercussions for an organisation that suffers a data security breach.
Similar concerns may arise if the employee leaves the organisation on bad terms or to join a competitor. In that case, the organisation is looking to defend its data that are on or accessible from the (former) employee’s device to which it may be unable to gain physical access.
In such situations the organisation needs to be able to trace and/or disable the device, or at least access its own data and apps. Where a device is stolen or lost, the interests of both parties may be aligned, in that data wiping protects both the organisation’s information and the employee’s private information from being compromised. However, any remote wiping policy must be balanced with the duty to take care over the employee’s own private data on the device. Organisations should encourage employees to ensure that their personal data is backed up so that employees can recover their data in the event that a device needs to be wiped.
Under the Computer Misuse Act 1990 it is a criminal offence to secure unauthorised access to any program or data held in a computer (section 1), or to do an unauthorised act intending to impair the operation of a computer or the reliability of, or access to, data held in it (section 3). Sending an instruction to remotely wipe a mobile device belonging to a third party could fall within either offence where the organisation does not have express authority from the employee to do so. In order to acquire such authority, some organisations require employees to sign a consent and waiver form, to confirm the employee’s authority for the organisation to execute remote wiping where required and excusing the organisation from any liability.
Furthermore, in order for remote wiping to comply with the first data protection principle, at least one of the “conditions for fair processing” set out in Schedules 2 and (in the case of sensitive personal data) 3 of the DPA must be met. The condition most commonly relied upon is that the individual has consented to the processing in question. In the case of sensitive personal data, a higher standard applies and the consent must be “explicit”. “Consent” is not defined under the DPA. However, the UK courts are likely to interpret “consent” by reference to the EU Data Protection Directive 95/46/EC, which requires that consent must be unambiguous, freely given, specific and informed.
In the context of an employer – employee relationship, it can be problematic to rely on employee consent to satisfy the condition for fair processing. The ICO has expressed the view that consent within an employment context can only be relied upon to a limited extent because it is unlikely to be seen as “freely given” where the employee does not have a real choice whether or not to consent.
In relation to BYOD schemes, however, it is arguable that employees are able freely to give consent as BYOD schemes are optional and in fact the demand to participate in the BYOD scheme usually comes from the employee. As such, employee consent to a BYOD policy, including remote wiping consent and waiver, should be effective. To reinforce this, however, it would be desirable to recite that the employee is being admitted to the BYOD scheme at the employee’s request and option.
Is it “fair” to BYOD?
Aside from data security considerations, BYOD has other implications under the DPA. Consideration must be given to how the organisation can comply with each of the data protection principles. For example, the first data protection principle requires that personal data must be processed “fairly and lawfully”. For compliance with this principle, it is necessary to provide data subjects (the organisation’s clients or customers) with any information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair. This normally involves disclosing anything that data subjects may find unusual or objectionable. Does this mean that organisations must inform their clients or customers that their personal information may be stored on, or accessible from, multiple mobile devices, owned by third parties, in multiple locations including outside the EEA?
By way of further example, in the case of BYOD devices that accompany employees on holiday or business outside the EEA, principle eight has to be considered in case a transfer of personal data outside the EEA is involved. In its guidance on principle eight the ICO takes the example of an employee who travels outside the EEA with a laptop containing personal data connected with their employment and comments that, as long as the information stays with the employee on the laptop, and the employer has an effective procedure to deal with security and the other risks of using laptops (including the extra risks of international travel), it is reasonable to decide that adequate protection exists. This pragmatic solution to a potential issue with principle eight therefore hinges on the data security arrangements that have been made under principle seven.
While there are many benefits to BYOD, it also increases legal risks. So how can organisations mitigate the BYOD risks? In essence, this is a combination of implementation of security technology and development and communication of a corporate BYOD policy.
The starting point is to carry out an assessment of the particular risks for the organisation according to the data and apps which will be accessible on the device, and then consider the data security arrangements to be implemented.
This informs the development of a BYOD policy that should be clear and detailed. The policy will educate employees about the potential dangers, for example with public cloud services and wi-fi networks. It will describe the data security arrangements that have been implemented and any employee obligations in respect of them and acceptable use. The policy will set out the information required to comply with the DPA, as well as to manage the employee’s expectations regarding privacy of the employee’s own data.
So far as possible organisations should use technology to remotely manage and secure the device, or partition the device so that, in the event of remote wiping, an organisation is able to delete only enterprise data and apps and avoid any complications arising from deleting employee private data.
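The secure container listed among the security measures above and the partitioning described in this paragraph can be modelled quite simply: enterprise data is encrypted under a key that exists only inside the container, and a “selective wipe” destroys that key (crypto-shredding) while the employee’s own data, which was never under that key, is untouched. The following is an added illustration written for this article and is not code from the ICO, an MDM vendor or the original author. It assumes a hypothetical MDM enrolment key shared between the organisation and the device, used here to authenticate wipe instructions with an HMAC so that a forged or misdirected instruction cannot destroy the container; a production MDM would use its own protocol and typically asymmetric signatures. All file contents and keys are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrWiped is returned once the container key has been destroyed.
var ErrWiped = errors.New("enterprise container has been wiped")

// Container is the enterprise-only area of a BYOD device. Every entry is
// encrypted under a per-container AES-256 key; destroying that key renders
// all entries unrecoverable, which is what "selective wipe" means here.
type Container struct {
	key   []byte            // nil once wiped
	files map[string][]byte // name -> nonce || AES-GCM ciphertext
}

// Device models an employee-owned device. Personal data lives outside the
// container and is never touched by an enterprise wipe.
type Device struct {
	ID         string
	Personal   map[string][]byte
	Enterprise *Container
	mdmKey     []byte // hypothetical HMAC key enrolled by the organisation's MDM
}

func NewDevice(id string, mdmKey []byte) (*Device, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Device{
		ID:         id,
		Personal:   map[string][]byte{},
		Enterprise: &Container{key: key, files: map[string][]byte{}},
		mdmKey:     append([]byte(nil), mdmKey...),
	}, nil
}

func (c *Container) aead() (cipher.AEAD, error) {
	if c.key == nil {
		return nil, ErrWiped
	}
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext into the container. The entry name is bound as
// associated data so a ciphertext cannot be moved between entries unnoticed.
func (c *Container) Put(name string, plaintext []byte) error {
	gcm, err := c.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	c.files[name] = gcm.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Get decrypts an entry. After a wipe it fails with ErrWiped even though the
// ciphertext bytes may still be physically present on the device.
func (c *Container) Get(name string) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	blob, ok := c.files[name]
	if !ok {
		return nil, errors.New("no such entry")
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("corrupt entry")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// wipe zeroes and discards the key; the personal store is not involved.
func (c *Container) wipe() {
	for i := range c.key {
		c.key[i] = 0
	}
	c.key = nil
}

// SignWipe is what the organisation's MDM server would compute (assumed
// protocol): an HMAC over the command and the target device's identifier.
func SignWipe(mdmKey []byte, deviceID string) []byte {
	mac := hmac.New(sha256.New, mdmKey)
	mac.Write([]byte("wipe-enterprise:" + deviceID))
	return mac.Sum(nil)
}

// RemoteWipe applies a wipe instruction only if its authenticator verifies
// for this device, so a forged instruction, or one meant for another device,
// cannot destroy the container.
func (d *Device) RemoteWipe(tag []byte) error {
	if !hmac.Equal(tag, SignWipe(d.mdmKey, d.ID)) {
		return errors.New("wipe instruction rejected: bad authenticator")
	}
	d.Enterprise.wipe()
	return nil
}

func main() {
	mdmKey := []byte("constructed-mdm-enrolment-secret") // sample value only
	d, err := NewDevice("dev-1", mdmKey)
	if err != nil {
		panic(err)
	}
	d.Personal["photo.jpg"] = []byte("employee's own photo")        // constructed
	_ = d.Enterprise.Put("clients.csv", []byte("constructed client record"))
	fmt.Println("forged wipe:", d.RemoteWipe([]byte("bogus")))       // rejected
	fmt.Println("genuine wipe:", d.RemoteWipe(SignWipe(mdmKey, "dev-1")))
	_, err = d.Enterprise.Get("clients.csv")
	fmt.Println("enterprise data after wipe:", err)
	fmt.Println("personal data after wipe:", string(d.Personal["photo.jpg"]))
}
```

The point of the design is that the organisation never needs a path to the employee’s own files to carry out its wipe, which both narrows the Computer Misuse Act question to the container the employee has agreed to and removes the need to handle the employee’s personal data at all. Binding the device identifier into the authenticator also means an instruction sent to the wrong device, or captured and replayed elsewhere, does nothing.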
The policy will also outline the organisation’s rights of access to the device in limited circumstances, for example for security procedures or to access data in the case of legal or other need. It will also address how on-going compliance with the policy will be audited and monitored and the consequences in terms of possible removal from the scheme or other disciplinary action for employees who breach the policy.
Some organisations may wish employees to sign consent and waiver forms to accept the policy.
With appropriate arrangements and policies in place, BYOD democratises IT and can be a win-win for both employees and their organisations.