Bring Your Own Device (BYOD) refers to the growing trend of employees using their personal laptops, smartphones and other communications devices in the workplace or elsewhere for work-related purposes. The related Bring Your Own App (BYOA) is essentially the software version of BYOD, where an employee uses personal (often cloud-based) software for work purposes, which could be something as simple as forwarding work-related emails to a personal Gmail address. According to recent research, more than half of UK workers have already adopted BYOD, and employers are increasingly asking their lawyers for advice on managing the employment law aspects. Both BYOD and BYOA raise similar issues concerning security, privacy and ownership.
As well as helping clients deal with the implications of BYOD and BYOA, law firms obviously have to be aware of the issues for their own practices, with a study of American law firms finding that 62 per cent of law firms already have BYOD policies in place. Furthermore, there is evidence that many job seekers view organisations which embrace the BYOD culture more favourably, so firms looking to recruit the cream of the crop will be well advised to cater for this trend.
Data protection and security
Depending on the sector and type of company, employees may have access to extremely valuable data sets, sensitive client information and trade secrets. Although some element of security control can be retained over company-issued laptops, particularly if they are connected via a well-managed corporate network, staff using their own laptops which contain confidential company data are potentially exposed to a far greater risk of hacking and data loss. Without a clear BYOD policy which requires employees to follow adequate security procedures (such as installing anti-virus software or using a company VPN when connecting from wi-fi hotspots), personal devices are only as secure as the user is IT-savvy and risk averse.
The ICO has prepared guidance on BYOD issues pertaining largely to the 7th principle of the Data Protection Act which states that: “appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.” It emphasises the importance of a BYOD policy to help secure this data – irrespective of whether it belongs to clients or employees.
Further guidance on BYOD has also been published by the Centre for the Protection of National Infrastructure.
It is not only company data which needs to be protected. Employees bringing their personal electronic devices into the office and connecting them to the company network need to be aware of whether their own personal data could be breached, either deliberately by their employer or through hacking by a third party. For example, some employers routinely monitor internet use by their staff; if this results in an employee being sacked for viewing inappropriate websites, they might be able to argue that this was an invasion of their privacy. The recent ECHR Barbulescu decision confirms that any monitoring must be carried out for a legitimate business purpose and be proportionate, so a careful balance must be struck.
The ICO guidance includes tips on dealing with the situation where workplace monitoring converges with BYOD. It says that employers should consider the Employment Practices Code when forming a BYOD policy and notes the delineation between work and personal use during different times of day. The situation can become complicated if, for example, an employee uses their personal smartphone on company wi-fi during their lunch break – or even more so if they access an inappropriate website at home using a 3G data plan paid for by their employer.
Ownership of hardware and data
Sometimes an employer will offer to contribute to the purchase price of laptops and other devices, or reimburse the employee upon certain conditions (eg that they work for the company for a minimum period of time). Alternatively, members of staff may be given brand new laptops or mobiles for both work and personal use. In these types of scenario, it’s important to clarify who owns the devices as well as the information they hold – particularly if an employee leaves the company. At the very least, a BYOD and/or data protection policy should require any departing employee to erase any company data upon terminating their employment. Conversely, if a device needs to be handed back to the company, the employee should be given the chance to save any personal data. Care must be taken with remote wiping utilities as, if the employee has not given their consent, this could potentially be a breach of the Computer Misuse Act.
INL: David Flint, BYOD is no fun for SysAdmins
SCL: Nigel Miller, BYOD: Win-win or Zero-sum Game? (subscribers)
Tech Radar: What is BYOD and why is it important?
ICO: Information Security Principle 7 (with BYOD Guidance and Employment Practices Code PDFs)
Centre for the Protection of National Infrastructure: BYOD Guidance
Alex Heshmaty is a legal copywriter and journalist with a particular interest in legal technology. He runs Legal Words, a copywriting agency in Bristol. Email firstname.lastname@example.org. Twitter @alexheshmaty.
Image: By miniyo73 on Flickr.