“Bring your own device” (BYOD) is common practice in many organisations today, but it can leave businesses exposed to risks surrounding data security or health and safety. And the risks go beyond mobile phones and tablets to include employees using their own kettles or toasters at work. Albert Bargery, employment solicitor at Parrott & Coales law firm, explains these risks and how to eliminate them.
One of the biggest concerns with staff downloading information onto their own device is the security, confidentiality and ownership of the data.
Certain information, for example personal health data, is protected by the Data Protection Act (DPA) 1998 and needs to stay that way; otherwise companies could face substantial fines. To remain compliant with the DPA, companies must ensure their IT systems are able to restrict access where required.
Ensure you have a policy on control of information
Whether or not data is restricted to certain individuals, the concern for a BYOD policy lies in where that information goes once it is downloaded to a personal device. Information can very easily be transferred onto an employee’s home computer. This could leave companies open to cyber attacks if there is inadequate security on the home device.
The key to managing and safeguarding data is to have a “control of information” policy in place which should incorporate the eight principles of the DPA. These principles set out what information is to be held and how, and details of authorised access.
Under a control-of-information policy, devices should be approved before they are permitted for work. This could include limiting who is authorised to install third-party software on the device and disabling some of the interfaces such as WiFi or Bluetooth, which might be used to connect to external devices in public places.
Also, some devices may offer an automated back-up facility to the user’s cloud-based account or to the user’s personal computer. In this case, appoint a data controller to ensure that, if this facility is enabled, it will not lead to an inappropriate disclosure of personal data.
Health and safety risks
Approving devices is essential not only for data protection but also for the safety of staff against possible electrical faults, which could leave employers open to breaches of health and safety regulations.
Under section 2 of the Health & Safety at Work Act 1974 (HSWA), employers have a legal duty to ensure, so far as is reasonably practical, the health, safety and welfare of their employees. This duty applies to devices being brought in from outside the business and used for work purposes, and especially to electrical items such as kettles and toasters.
Employers should regularly review and keep a record of all devices for approval, and ensure that staff are clear on their responsibilities to keep equipment, as well as data, safe. Keeping an audit trail, for at least three years, will provide useful evidence in court should an incident occur and a claim be made such as a personal injury claim or a breach of the DPA.
Consultants or contractors
When considering a policy on BYOD, do not forget to include third-party contractors and consultants. They are not employees, so a company will normally have less control over their activities, but they are legal visitors to the premises. A business has duties of care to visitors, which cover the use of devices that employees have brought on site as well as the contractors themselves.
Treat contractors in the same way as paid employees, setting out clearly in their contract the terms and conditions of your BYOD and control-of-information policy. Ensure the policy explains their roles and responsibilities and the requirement to keep data and equipment safe, and include an agreement that no information will be retained after their contract has finished.
Introduce a policy whereby all contracts for consultants must be checked for a signature and authorised first by an HR director as well as a senior manager before any equipment is used or brought on site. It may sound obvious, but an unsigned contract can easily slip through the net and will provide little evidence in court to show that you take your duties seriously.
BYOD policies usually focus on security and the protection of data, but may overlook other important factors, such as who will pay for charges on an employee’s device relating to business use. Another issue is who will be responsible for supporting the device and ensuring that, for example, its operating system is up to date and the latest security patches are installed. Many employees would expect to be reimbursed for such costs, so it is important to set expectations from the outset.
Of course, employers cannot force employees to use their own devices without risking constructive dismissal, unless it is a contractual obligation, and even that could be regarded as unreasonable.
However, for those that do adopt BYOD, the introduction of an effective policy with clear user guidelines and device safety approval processes will help reduce the potential problems.
BYOD policies should be clear and concise, workable in practice and communicated to employees through appropriate training to ensure employers and employees enjoy the rewards of BYOD in a safe and pleasant environment.