BYOD - Bring Your Own Device
by Tina Reissmann, Attorney-at-Law
1 - What employment issues must companies consider in deciding whether to switch to the BYOD model? If companies are considering switching to the BYOD model, it can be worth considering implementing a clear IT policy regulating which devices the employee is allowed to bring and how to use them with the company's IT system. The company must consider the employee's rights and responsibilities under the employment relationship and any employment consequences the employee might face in case of breach. The employee can be met with the usual employment sanctions such as warnings or terminations depending on the breach and any prior warnings. Having defined clear sanctions in the company's IT policy can be helpful when dealing with an employee's breach of the policy.
Another issue is that when company data is stored on employees' private devices, it is unclear how much data an employer is allowed access to on the device. A company should therefore consider how the data is stored and if it is possible to restrict their access to work related data only. Furthermore, it can be an issue if the company does not have clear rules for which security measures the employee needs to take, e.g. what data the employee may store on the device if he wants to use his own device for work.
The company must also consider and have clear rules to what measures that needs to be taken if the employment contract is terminated and obtain the needed consent from the employee to take such measures. It should be noted that consent is only a viable option where consent is freely given, e.g. where the employee may choose to use private devices for work related purposes without being forced to do so and without the risk of employment sanctions if consent is not provided.
Lastly, the company's IT policy should explain what charges related to the private device the company will reimburse.
2 - Are there any specific issues that organisations with a global presence, or those in highly regulated sectors, should bear in mind?
For companies that have a global presence and those in a highly regulated sector, privacy and confidentiality laws might pose a bigger problem than for other companies.
For companies with a global presence, different privacy and confidentiality laws can be applicable when the company operates in multiple countries. Furthermore, different employment laws might also limit the company's possibility to have a uniform BYOD policy in the company group.
For companies in a highly regulated sector, more strict privacy and confidentiality laws might limit how the company is allowed to handle data and might restrict implementing a BYOD model.
3 - How do privacy laws, employment laws and protecting a company’s confidential information overlap or intersect on this issue – and how can they be reconciled, given their disparate aims?
If the employer monitors the employee's work related email and internet use along with other company data, it can pose a problem when the employee also uses the device for private use. As a main rule, an employer will not be allowed to monitor the employee's private emails and other private use. Moreover, the company might be covered by a collective agreement regulating the employer's right to implement control measures. A clear policy on how to separate the employee's own data and the company's data can be essential so that the employee's privacy is not violated. This poses more of an issue when the employee uses his own devices than a company owned device, since an employer's control over the device will be more limited in these cases. Moreover, the employer cannot assume that most of the data on the employee's private device is work related and must therefore be more aware of the employee's privacy.
Pursuant to data protection laws, the employee must be informed beforehand that the employer reserves the right to monitor the employee's work related emails, text messages, internet use etc. This information must clearly state the purposes of such monitoring, e.g. IT security purposes and employee monitoring. The employer must also gain consent to access the employee's private device.
If the company data contains information about clients or other individuals, they are obligated to implement appropriate technical and organisational security measures to protect the data. If the data is stored on employees' private devices, the protection and monitoring of the data can be hindered by employment and privacy laws. The company should therefore have clear IT rules that control which programs the employees are allowed to install on their devices where company data is stored and which security measures they should take in order to protect company data in accordance with the company's obligations to protect personal and/or confidential data.
It is recommended that the employer obtains the employee’s prior consent to be able to manage the employee’s devices to secure company data. This could be consent to install certain programs, perform security updates or remotely wipe the device if the device is lost.
4 - For those that make the switch to BYOD, how can the confidentiality of both employer and employee be preserved?
By having a clear IT policy, the employees will be informed on how much information the employer will have access to on their private devices and how to store private information. This way the employee will be able to take appropriate measures to avoid that the employer gains access to personal information. Likewise, the employer will easier be able to gain access and retrieve company data on their employees' private devices without violating the employees' privacy.
It can also be an advantage to have clear security rules regulating how the devices should be used and what security programs should be installed so that the employer will be able to protect company data from a security breach and be able to delete company data remotely if the device is lost. The company should also have clear guidelines on when and how employees should report lost or stolen private devices if the devices have access to company data.
5 - How can companies separate out what information sent or received on the device is official and business related? Who owns this information – the employer or the employee? And how can employer access to information be assured?
Work related information will as a main rule belong to the company. However, if it is not clear what data belongs to the company and what data is the employee's private data, it can become a problem if the employer wishes to gain access to the information. A possible solution would be to have a clear IT policy that stipulates how the employee is supposed to handle and store company data and information. If the data is clearly separated and the employer is able to access and delete company data without gaining access to private data, the employer will be allowed to access work related data on the employee's devices if he has informed the employee beforehand. This could also be done by having mandatory separate accounts or programs that can keep the data separate from each other. If the data is mixed together, it will pose a problem as the employer may not access and read private messages etc. pursuant to the Danish Criminal Act.
6 - What happens in the event of a security breach? Is the employee protected from liability?
In case of a security breach, the company might be met with a tort claim if the data belongs to another company. The claim can either be based on the company's own fault or the employer's liability for damage caused by its employees. Furthermore, a security breach might also cause damage to the company.
If the damage is covered by the employer's insurance, the employee will be protected from liability unless the security breach was caused intentionally or with gross negligence. In other cases, the employee's liability for any damages is based on what is fair considering the employee's negligence, his position in the company and the general circumstances. The employee will therefore in most cases be protected from liability to some extent for any damage caused by a security breach.
7 - What steps can a company take to prevent an employee leaving the company from taking company confidential information via his personal device? And how can the employee’s own personal information be safeguarded in the process?
Since the company does not own the employee's private devices, they cannot require the employees to hand them in when leaving the company. The company must therefore have clear rules on how to handle and delete data stored on private devices. It can be unclear whether the employer is allowed to wipe the device for data in some circumstances. A possible solution would again be to have company data and private date stored separately so that company data could be accessed and deleted without gaining access to private information, e.g. by use of a special app, files or programs. If the wiping of data cannot be contained to files, programs or apps exclusively used for work related purposes, the employer must secure consent from the employee beforehand. When implementing a BYOD model the company should make sure they get the employee's consent to delete and retrieve company data on their devices when needed.