By Sarah Burke, Solicitor, Thomas Eggar LLP
With sales of tablets and smartphones on the rise, it is no surprise that many employees are now using their own devices in the course of their work rather than using company equipment, a phenomenon often referred to as “Bring Your Own Device” or “BYOD”. Even where employees are not actually taking their devices into the office, they may be syncing their smartphones and tablets to their employers’ systems in order to allow them to work more flexibly when at home or travelling.
Allowing BYOD can be beneficial in that it can allow for greater flexibility, has the potential to reduce business costs and can help ensure that employees are more easily contactable out of hours. However, employers are quickly realising that there are some particular challenges presented by BYOD which, if not correctly dealt with, are capable of having a serious impact on the business.
Data protection and privacy
A key characteristic of BYOD is that personal and business data are stored on the same device. This throws up two potential risks under data privacy laws. Firstly, other people’s personal data controlled or processed by the business will very likely end up stored on employees’ personal devices; if such a device is lost or stolen, this significantly increases the risk of a data privacy breach. Secondly, employees’ own personal data (including details of their personal lives) could inadvertently end up on company systems, whether through backup policies or through misfiling. The risk to employers is real; the Information Commissioner recently took action against the Royal Veterinary College following an incident in which a memory card containing personal data was stolen from a camera owned by a member of staff.
Security and confidentiality
The biggest challenge with BYOD is the consequent loss of control over company data. Once stored on a personal device, data is only as secure as the security measures in place on that device. Most personal devices are not encrypted and it is therefore trivial for any person with physical access to the device to access the information stored on it. Furthermore, many personal devices will automatically store copies of data in consumer cloud services such as Apple’s iCloud or Microsoft’s OneDrive (formerly SkyDrive). Those data are then only as secure as the employee’s password for those services.
A good way to handle this problem is to require that employees submit their devices to security configuration by the IT team, or to use a “walled garden” product such as MobileIron or Android Knox to enforce separation of business and personal data on the device. However, it is important to obtain employees’ consent before deploying these measures.
Intellectual Property (IP)
Generally, the law provides that the rights in works created by employees in the course of their employment are owned by the employer. However, it will be more difficult for an employer to prove that a work was produced in the course of employment where an employee has produced it outside of normal working hours and on their own device.
Where an employee creates works on their own device it will also be more difficult for the employer to find out that those works exist, because the employee could argue that the device is personal and so it should not be subject to search when they leave the business.
In order to tackle this problem, employers should review their policies and employment contracts to ensure that they have adequate provisions to cover rights in works created outside of normal working hours and on other devices.
Businesses will also need to consider whether their software licence terms allow employees to use company software on their own device, without the need for further licences. For example, most Microsoft Office licensing programmes allow employees to sign up for the “Home Use Programme” but require payment of an additional fee.
Employers will also need to consider their employees’ work-life balance and whether the ability for employees to work round the clock could result in a breach of the Working Time Regulations. Across most of the EU, there is a 48-hour limit on the working week (unless an employee has opted out of this). However, it is becoming increasingly easy, and an everyday practice, for employees to check their emails during the evening or while on holiday. Employers could therefore face issues with employees claiming their employment rights have been infringed, or be faced with fines and prosecution if the company is in breach of the Regulations.
Importance of a good BYOD policy
While the above issues may have you running off to your friendly reseller to buy equipment for your employees to work on, rather than allowing BYOD, it is not all doom and gloom. The most important element in addressing the issues identified in this article is a well-drafted, clear and up-to-date BYOD policy which is effectively communicated to your employees. You will also need to review and update the policy regularly to ensure it continues to provide adequate protection. Because the issues involved touch upon a number of different disciplines, it would be sensible to involve at least management, IT, HR and legal in formulating your BYOD policy. Employers would also be wise to review their employment contracts to ensure that issues such as confidentiality and intellectual property are expressly dealt with.