The legal and HR issues associated with ‘Bring your own device’
Over recent decades there has been a marked increase in the number of employees using their own personal devices for work purposes. Gone are the days of company cars. Today’s employees not only drive their own cars to business meetings, they often use their own mobile phones and configure their laptops and home PCs to enable them to access company systems remotely from their own devices.
While this trend could be said to be driven in part by the recession and businesses trying to reduce overheads and capital expenditure, there are also a growing number of employees who are looking to their employers to enable them to use their own devices for work purposes for reasons of flexibility and user preference.
With the number of businesses operating “bring your own device” (BYOD) initiatives set to rise, this article looks at some of the legal and HR issues associated with BYOD and offers some suggestions for mitigating the risks.
BYOD initiatives multiply the number of networks, applications and user interfaces through which data is accessed. These are the three main points in an IT system where data is most vulnerable, so it is important that companies are mindful of the data security risk and put mechanisms in place to mitigate that risk.
At the most basic level, compared with PCs and networked systems, there is a greater risk that mobile phones and laptops could be lost or stolen and then used to access or store confidential company data. Also, as employees use devices for their own social purposes as well as for work, accessing websites and uploading photographs and other content, they could unintentionally infect their device with viruses or malware that could provide a backdoor into the company’s systems.
IT teams should work closely with other stakeholders within the company to establish a structure which capitalises on the benefits of BYOD without exposing the company to unnecessary security risks.
Closely connected with security is the issue of data protection. The Information Commissioner’s Office (ICO) has recently published guidance for companies to help them avoid potential breaches of data protection laws when encouraging staff to use their personal devices for business purposes.
The ICO’s guidance recommends a number of security measures which employers should put in place to avoid breaching their data protection obligations. These include:
- auditing the types of personal data being processed and the devices used to access that data;
- denying or restricting access to sensitive data on devices which lack a high level of encryption; and
- controlling access to data and/or devices using passwords or PIN codes.
The guidance also provides that businesses should have remote locate and wipe facilities in place to maintain the confidentiality of data in the event of loss or theft and should, where possible, avoid the use of public cloud-based sharing and public backup services if the services have not been fully assessed.
The licensing implications of a BYOD initiative can often be overlooked entirely, putting the company in breach of its software licence terms. Alternatively, companies can fail to fully consider the licensing implications until after they have committed to a BYOD initiative, resulting in the company having to pay licence fees which it had not budgeted for. For example, access to Microsoft products from personally owned mobile devices or laptops may require the purchase of additional licences, which may be calculated on a per-device basis rather than a per-user basis.
Companies looking to introduce a BYOD initiative should consider the licensing issues from the outset when formulating the initial strategy to ensure that the company budgets for any additional licence fees and remains compliant with its software licence terms.
Allowing employees to work remotely or to use their own devices for business purposes raises a number of issues for HR departments.
Employers need to consider how the cost of the device is shared. Who purchases the initial device? Who pays the monthly contract fee? Who is responsible for anti-virus updates? In some EU countries, employers are required to provide all of the tools that an employee needs in order to do their job. This means that an employer could be legally required to pay for its employees to have smartphones or other mobile devices if they become necessary for the employee’s role.
A number of data protection and privacy issues will also need to be considered from an HR perspective. For example, to what extent can an employer have access to an employee’s personal device (and the data stored on that device)? Is it easy for data to be segregated between company data and personal data? Also, what kind of monitoring and audit access is going to be used?
An issue which is becoming increasingly topical is the implication of BYOD for an employee’s work-life balance. Across most of the EU, there is a 48-hour limit on the working week, but it is well reported that employees regularly read and respond to work e-mails in the evenings and at weekends, even while on holiday. A BYOD initiative could increase the likelihood that employees will send and receive e-mails outside of work hours and, if this becomes an employer’s expectation or an employer does not take steps to discourage such working practices, it could face issues with employees claiming that their employment rights are being infringed or with employees being absent from work due to burnout or stress.
Another issue is what to do when an employee leaves the company. It is not easy for employers to make sure that any confidential or sensitive information has been deleted from the employee’s devices, particularly if the employee leaves on bad terms or goes to work for a competitor. Where a device is the employee’s personal property and remains in the employee’s physical possession, it will be difficult for the employer to access that device and to police the information stored on it.
Ultimately, a BYOD program will not succeed unless employees are willing to use their personal devices within the rules set by their employer. However, employers should not think that placing a blanket ban on personal devices will solve the problem because employees are likely to end up using their own devices anyway in an unapproved and unmonitored manner.
It is advisable for companies to put in place a BYOD policy which allows employees to use their own devices for work purposes and controls the risks associated with such use. The policy should detail who pays for what, how much control the company gets over devices, and what happens if the device is lost or stolen or the employee leaves the company.
As with all policies which relate to rapidly developing technological advances, BYOD policies should be reviewed on a regular basis and should be clearly communicated to employees to ensure that they remain fit for purpose and are followed by those to whom they apply.
Reviewed in 2015