In a recent case an employee lost a camera which contained six job applicants’ images. The employer was criticised for having no policy on how to handle work information stored on personal devices.

As more employees use personal technology for work, new legal and ethical issues arise. Employers should consider implementing Bring Your Own Device (BYOD) policies to take advantage of BYOD, while minimising risk.

1. Recommendations

The United Kingdom Information Commissioner recommends employers take the following steps to protect personal information stored on employee’s private devices:

  • Be clear about what may be accessed on personal devices,
  • Use strong passwords,
  • Encrypt data,
  • Ensure devices lock if incorrect passwords are inputted too many times,
  • Use public cloud-based or sharing services with extreme caution, and
  • Register devices with remote “locate and wipe” facilities to protect data if a device is lost or stolen.

2. Protecting sensitive information

Certain information is sensitive. This includes personal information about employees or customers, trade secrets, confidential information, and information held under licenses or contracts. As seen recently with various government departments leaked spread sheets containing client details can explode into PR nightmares.

Employers should carefully consider what information should be accessible. Take all reasonable precautions to secure data if sensitive information is accessed on personal devices. Files could be hosted on secure private servers rather than on devices or as email attachments.

Employees should also agree to protect corporate information. For example by not accessing information in places where others could read over their shoulder.

3. Employee privacy

Generally employers can keep tabs on corporate owned devices where the employment agreement allows that and there is a genuine reason to monitor employees. But employees expect privacy when using personal devices, email addresses, or home computers.

Employers can, and do, get into trouble when they try to monitor personal devices. An employer who finds something when updating an employee’s personal laptop may be accused of invading privacy if they initiate disciplinary action. The Courts have also penalised employers who access personal email.

A BYOD policy should let employees know about any potential monitoring. Generally employee privacy should not be needlessly breached.

4. Who pays, and for what?

One benefit of BYOD is employees bear some of the technology costs. However, employers cannot usually make employees buy devices or keep technology updated or insured. If employees must have the latest technology, the employer will need to cover or share costs.

Some BYOD policies require the employer pay for technology updates and insurance, protecting the employer if devices are stolen or lost or security updates needed. When employees work from home, rent savings sometimes justify extra technology investment.

5. Choose your own device

With choose your own device (CYOD), an employer funds some or all of a device. In exchange an employee may pick a device from options presented by the employer.

CYOD increases employers’ control and ownership over devices and technology. An employer could fund 49% of a mobile device so employees retain ownership rights and responsibilities. Alternatively, some employers feel more secure owning devices.

6. Post employment

Employment agreements should protect an employer’s intellectual property and corporate information. An employment agreement should also require return of corporate owned devices.

Employers should consider who owns apps and accounts when employees leave. If the employer and employee are clear from the start who owns the DropBox, GoogleDocs, or Skype account, they can avoid a dispute when an employee leaves.

It is best practice to consider information on personal devices lost when employees leave. For this reason, BYOD policies may limit what information can be stored on personal devices.

7. The benefits

BYOD creates flexibility. Employees happily work remotely and use preferred technology wherever they work. Employers may further benefit if customers see them as modern and responsive, and employees self-fund technology upgrades.

Employers who wish to take advantage of BYOD ought to consider their policies and consult experts to properly manage the transition. When implemented thoughtfully, employers, employees and customers will share BYOD benefits.