The Government has published guidance for employers on the risks associated with allowing employees to use their own devices at work.
The guidance includes an executive summary setting out key aspects for employers to consider, including:
- Understanding the risks – particularly the importance of data protection laws and taking appropriate measures to prevent unlawful or unauthorised processing of data. Employers should remember that in the work context they, not the owner of the mobile device, are likely to be responsible for any breach of the law.
- Develop a well-drafted BYOD policy – employers should start by ensuring that only authorised devices are permitted to access organisational information and should limit that access to information they are willing to share in this way. The policy should be communicated to all staff and regular reminders issued, with staff required to sign to confirm receipt and understanding. Training and educating staff on their responsibilities when using a BYOD product will help them to distinguish between personal and work use.
- Limit the information shared by devices – in particular, automated backup of device data to cloud-based accounts, which can result in unauthorised disclosure of data.
- Put appropriate procedures in place for when staff leave the company – to remove all business-confidential information from their devices.
- Anticipate increased requirements for device support – employer systems may be accessed by many different types of device, so IT arrangements must be able to cope with that variety and provide increased support if needed.
- Consider alternative ownership models – rather than allowing staff complete freedom over type of device, offer them a selection of approved devices purchased and controlled by the business. As an alternative, staff could be permitted to use business-owned devices for personal tasks, subject to appropriate training and security arrangements.
- Plan for security breaches – loss or theft of mobile or BYOD products is not unusual. The media has reported numerous cases of government officials or contractors who have lost remote devices or had them stolen, whether in restaurants, from cars or on trains. These risks are equally real for private businesses and should be foreseen and planned for in advance. Disaster recovery plans should include immediate action to limit losses; planned measures to limit consequent security breaches or disclosure of confidential information, by swiftly revoking the device's access and deciding in advance what will be done about information remaining on the device (e.g. by using a remote wipe feature); and a step for incorporating lessons learned into updated policies and procedures.
Two of the points above are key: first, develop a full and well-drafted policy, communicated to all staff and backed up by training; and second, plan for security breaches before they happen.
When developing the policy, ensure it is consistent with your existing relevant policies, such as those on data protection. If staff are already using BYOD products without a policy in place, it's vital to address this now and put a policy in place without delay.
If you would like advice about how to manage the risks involved with mobile devices being used at work, contact one of our employment team.