‘Bring your own device’ (BYOD) arrangements allow employees to connect to their employer’s IT network using their own devices, such as their laptops, mobile phones or tablets. Most employers realise there are benefits to BYOD arrangements, although it is advisable to approach the issue with caution, particularly since BYOD presents a number of challenges in relation to security and data protection.
Organisations stand to benefit by implementing a BYOD policy as it generally does away with the need to procure, maintain and manage additional devices. It also provides flexibility and reflects the way in which technology is used. It can also aid productivity, thereby benefiting employers. Employees stand to benefit by not having to carry two similar devices where a single device can manage both personal and work matters. They will also generally take greater care of their own personal devices than they might with company devices, where any loss or damage is borne by the employer.
BYOD solutions take many forms and companies should consider which is best for them, taking into account the cost, security considerations, technological capabilities and any regulatory requirements. By way of illustration, an employer might seek to provide authorised employees with direct access to their network, which will require little in the way of set up and maintenance but gives rise to security issues if a device is lost or stolen. In contrast to this, virtualised access allows an employee to access the company’s IT network but does not allow for data to be saved on the device. This allows the employer’s data to be separated from the employee’s personal data, although there are likely to be greater technical hurdles to overcome, such as a device’s operating system or its specifications. This issue is exacerbated by the fact that devices quickly become obsolete and may not be supported in future.
In both examples above, employers can take steps to safeguard their data by drafting employment contracts in a way which requires employees to cooperate in deleting company data if their devices are lost or stolen or if their employment is terminated. It is also useful to provide training in best practices for security and device safety, as well as refresher sessions as required. Wiping a device remotely, for example, would work well where virtualised access has been granted, as the company will generally be able to remove access to its network without affecting any of the user’s data on the device. Direct access, however, does not provide the ability to discriminate between the owner’s data and the employer’s data. Any remote wiping would therefore delete all data, which would not necessarily be welcomed by an employee who later manages to locate their device.
The use of BYOD also allows employers to track devices, even though this may not be their aim. In order to comply with the Computer Misuse Act 1990, all employers should ensure employees have expressly consented to employer access to their device and should define the scope of that access as much as possible. For instance, access should not be used to monitor an employee’s location or activities outside of the workplace where such information is clearly of no relevance to the employer.
A good BYOD policy will reflect the needs of the business and will address the legal and practical challenges posed by such an arrangement. A BYOD policy should be reviewed and refined over time to ensure employers are best placed to strike the balance between the security needs of their business and employees’ rights and their reasonable expectations of privacy.