Personal devices in the workplace: Should we increase IT security?

Posted in: Business Legal on Data Security on 7 September 2017
David Fagan of Business Legal examines the recent trend to allow employees to use their own devices at work. This means the device is connected remotely to the company systems, normally email and file services. David discusses the risks and obligations involved when dealing with non-business devices, including the increased need for IT security, the risk of confidential proprietary information going missing more easily and the legal risks involved, such as compliance with the requirements of the Data Protection Acts. David identifies various protection methods that employers may wish to implement in order to safeguard company data, namely, the requirement to have a strong password on the device, encryption, automatic data deletion or deletion by remote access and he offers advice should the device itself become physically lost.
Note: David Fagan is speaking at the Data Protection Update: Ensuring your HR Department is GDPR-Compliant conference at the Radisson Blu Hotel, Dublin Airport on 6th March 2018. Book now to secure your place!
There is a recent trend to allow employees to use their own devices at work. Essentially, this means that the device is connected remotely to the company systems, typically email and perhaps file services and the like. There are risks and opportunities in this. I suppose on the business risk side, the most obvious one is that the employee's personal device can be lost or stolen. And the company has less control over the employee’s device than it would have over its own devices.
There are obviously risks of damage to the business in terms of the increased need for IT security when dealing with non-business devices, the risk of confidential proprietary information going missing more easily and obviously the damage to corporate reputation that follows from that. There are legal risks as well. Firstly, the device is not owned by the company, but the company is responsible for the personal data belonging to it that may be on that device. So it has to comply with the requirements of the Data Protection Acts, but it has to do so on a device over which it has no ownership. So therefore it doesn't have full control of this device.
So it is absolutely vital that, if a company allows its employees to use their own devices at work, the company has in place policies, and possibly contracts with the employee, which address the main issues. That way, in the event that the company needs to take some form of action with regard to that device, it is contractually entitled to do so and the employee cannot simply say, "No, that’s my phone or my tablet and you may not access it.”
So the first thing that needs to be done is that the employee’s device obviously needs to go to the company's IT, so that the company can apply whatever security measures it deems prudent with regard to the device. Some companies try to segregate the company's data from the employee's personal data. That is to say there will be a specific way of accessing company information on the device. But it’s becoming quite common for devices such as iPhones or Android phones to simply connect via the native mail applications on those devices.
Should, for instance, the employee be required to have a strong password on their device? Should there be encryption on the device? What about automatic data deletion or remote data deletion? That is to say data being deleted according to a timetable, schedule, or data being deleted by remote access from the employer?
Do employees understand what type of data can and cannot be stored on their device, bearing in mind the company's reputation is now at stake with regard to that device? Is the device automatically locked after a period of inactivity, with screen locks and the like? What about monitoring staff when they're using their mobile device, tablet or phone? It is, after all, the employee’s device. So the company has to think long and hard before it would be allowed to monitor via that device, and again, it would need to give itself that ability via contracts or staff handbooks.
It's important when a company is running a “bring your own device” policy that the business benefits of this are clearly explained to the employees, and this may include some business/personal benefits for the employees such as the ability to work remotely, as opposed to having to be on site, etc. It's important that the company be proportionate in dealing with these issues. For instance, it would be very difficult to enforce rules and regulations governing periods when the employee could be expected to be using the device in a purely personal capacity, such as the evenings or weekends for a 9 to 5 worker. And it's important that the company be flexible in how it deals with the employee because it is, after all, always going to be the employee's phone or tablet.
What happens in the case of a physical loss of such a device?
Well, the company will need the ability to delete information remotely. Many companies simply have the ability to delete their own information remotely, which means that if the employee loses the device, the employee's own information is gone, but the company may be able to either recover or delete the company's information. These sorts of issues should be explained clearly to the employees, so that the employee doesn't believe that the company will be able to protect the employee’s personal information as well as the company's information.
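As an added example, not part of David Fagan's article or of any Legal-Island material, the following Python sketch shows how the controls discussed above (passcode strength, encryption, automatic screen lock, enrolment for remote deletion, and which classes of data may be stored) can be written down as a policy and checked against what a device reports about itself before that device is allowed to connect to company email or file services. It also shows how a loss report is handled differently depending on whether company data was segregated into a work container: a selective wipe touches only the company's data, whereas a full wipe also destroys the employee's personal data and so is only planned where the BYOD agreement permits it. The thresholds, field names and sample posture reports are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ByodPolicy:
    """Minimum requirements an employee device must meet before it may connect
    to company mail or file services. Thresholds are assumed for illustration."""
    min_passcode_length: int = 8
    require_encryption: bool = True
    max_autolock_seconds: int = 300        # screen must lock within 5 minutes
    require_remote_wipe: bool = True       # device enrolled for remote deletion
    allowed_data_classes: frozenset = frozenset({"public", "internal"})


@dataclass
class DevicePosture:
    """What the device reports about itself (constructed field names)."""
    device_id: str
    passcode_length: int
    storage_encrypted: bool
    autolock_seconds: int                  # 0 means the screen never locks
    remote_wipe_enrolled: bool
    work_container_present: bool           # company data segregated from personal data
    data_classes_present: frozenset


def evaluate_posture(posture: DevicePosture, policy: ByodPolicy) -> list[str]:
    """Return every policy violation for the device; an empty list means compliant."""
    violations = []
    if posture.passcode_length < policy.min_passcode_length:
        violations.append(f"passcode shorter than {policy.min_passcode_length} characters")
    if policy.require_encryption and not posture.storage_encrypted:
        violations.append("storage not encrypted")
    if posture.autolock_seconds == 0 or posture.autolock_seconds > policy.max_autolock_seconds:
        violations.append(f"auto-lock not within {policy.max_autolock_seconds} seconds")
    if policy.require_remote_wipe and not posture.remote_wipe_enrolled:
        violations.append("not enrolled for remote deletion")
    disallowed = posture.data_classes_present - policy.allowed_data_classes
    if disallowed:
        violations.append("disallowed data on device: " + ", ".join(sorted(disallowed)))
    return violations


def access_decision(posture: DevicePosture, policy: ByodPolicy) -> str:
    """Gate the connection to company systems on the posture check."""
    return "allow" if not evaluate_posture(posture, policy) else "deny"


def plan_loss_response(posture: DevicePosture) -> dict:
    """Decide what the company can do when the employee reports the device lost.
    A selective wipe removes only the work container. A full wipe also destroys
    the employee's personal data, so it is only planned where the BYOD agreement
    permits it. Revoking the device's mail and file credentials is always possible."""
    if posture.remote_wipe_enrolled and posture.work_container_present:
        return {"action": "selective_wipe", "scope": "company data only",
                "personal_data_affected": False}
    if posture.remote_wipe_enrolled:
        return {"action": "full_wipe_if_agreed", "scope": "entire device",
                "personal_data_affected": True}
    return {"action": "revoke_access", "scope": "mail and file credentials",
            "personal_data_affected": False}


DEFAULT_POLICY = ByodPolicy()

# Constructed posture reports for illustration; not real devices.
COMPLIANT_DEVICE = DevicePosture("dev-001", 10, True, 120, True, True, frozenset({"internal"}))
UNMANAGED_DEVICE = DevicePosture("dev-002", 4, False, 0, False, False,
                                 frozenset({"internal", "confidential"}))
ENROLLED_NO_CONTAINER = DevicePosture("dev-003", 8, True, 300, True, False, frozenset({"public"}))

if __name__ == "__main__":
    for device in (COMPLIANT_DEVICE, UNMANAGED_DEVICE, ENROLLED_NO_CONTAINER):
        print(device.device_id, access_decision(device, DEFAULT_POLICY),
              evaluate_posture(device, DEFAULT_POLICY))
        print("  on loss:", plan_loss_response(device))
```

The point of splitting the check into `evaluate_posture` and `access_decision` is that the list of violations can be shown to the employee, which matches the article's emphasis on explaining the rules to staff, while the allow/deny result is what the mail gateway actually acts on. The loss-response planner makes the segregation question concrete: without a work container, the company's only options are a full wipe (which needs the employee's prior agreement) or cutting off access.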
So it's no longer a fad; at this point it is quite common. It's not going to go away. It poses a lot of risks for companies. There is a complex range of issues that need to be tackled, and many of these are not minor issues. So, before deciding to allow an employee to use their own device, it needs to be carefully considered by the company. The company's response to this evolving situation should be a comprehensive policy, and that policy should be enforceable and reasonable, because an unreasonable policy generally is not applied.
And you need to back that up with an enforcement mechanism. This may occasionally include the use of disciplinary procedures against employees for the use of what is, after all, their own device, and it is important that the company take that into account when it decides to bring in such a policy.
Have you trained your staff to help prepare them for GDPR?
Did you know... Legal-Island has worked with a team of data protection experts and lawyers based in Ireland to develop Data Protection eLearning compliance training which covers:
- The General Data Protection Regulation (GDPR)
- The Data Protection Acts
- 8 Principles of Data Protection
- Information Security
Find out more on our Data Protection in the Republic of Ireland Workplace webpage, or email email@example.com for complimentary access.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.