Some employers appear to be encouraging this as it offers employees’ greater flexibility in accessing information outside of normal working hours, employees are using devices they like, and on the face of it is cheaper for the employer. However, Jane Crosby specialises in employment law and commercial litigation at law firm Hart Brown explains that there are serious risks for employers and their ability to control and protect access of information and the information itself.
As a result of this change in the workplace the information commissioner has published guidance for employers to help them reduce the risk of breaching the provisions of the Data Protection Act.
The information commissioner has highlighted concerns about the risk to personal data when using personal electronic devices for work purposes especially if there is no formal written policy or guidance in place at work to control the access to information.
One of the risks which the information commissioner has identified is that the user of a personal device “owns, maintains and supports the device and this means that the data controller has significantly less control over the device that it would have over a traditional corporately owned and provided device”.
The guidance by the information commissioner recommends a “Bring Your Own Device Policy” and suggests that the policy should cover the following points:
- Who will be responsible for monitoring the policy?
- What type of personal data can be processed on the personal device and if it is stored on the device how can this be safely deleted when not in use
- Strong passwords to secure devices
- Automatic locks on devices to prevent unauthorised access of information, ensure the user knows when to delete information and maintaining a separation between personal data and data used for the purposes of work
- Which documents are allowed to be accessed through a personal device?
- How controls can be put in place if the device is lost of stolen
- Who pays for the cost of maintaining the device if it is being used for work purposes?
- What happens on termination of employment?
Recent surveys have revealed that over 40 per cent of employees are using their own devices for work without any guidance in place by their employers to ensure that they comply with the Data Protection Act. This guidance is therefore particularly helpful.
If businesses are unable to provide their employees with their own electronic devices then they should consider implementing a Bring Your Own Device Policy.