Why Your Employees’ Smartphones May Be Putting Your Company At Risk
Everyone seems to carry a smartphone these days. Many of these are owned by employees, and are used to access their company’s private information. This raises key issues relating to security and data protection. Is your company exposing itself to risk?
Before we look at this (below), it’s worth summarising some of the principal general rules relating to data protection.
Personal Data
Data protection law governs the collection of ‘personal data’. This is data relating to a living individual that identifies that individual. Names and addresses are obvious examples of personal data (see Data Protection Act 1988 s2).
This article deals with UK data protection but you should also consider the countries your data subjects live in and what laws might be relevant to the protection of their data.
The Data Protection (DP) Principles (UK)
The Information Commissioner’s Office (ICO) sets out a useful explanation of the DP Principles. In brief, data protection law imposes a number of requirements on businesses collecting or processing data. These are known as the Data Protection Principles, and are summarised as follows:
- Data must be processed fairly and lawfully:
  - You must have legitimate grounds to collect data
  - You cannot use data to the detriment of the subject
  - You should be open about how you intend to use data
  - You must handle data in ways which would be reasonably expected
  - You must not do anything unlawful with the data
- Data must be obtained for specified and lawful purposes. You must tell individuals why you are collecting data
- Data must be adequate, relevant and not excessive
- Data must be accurate and up to date
- Data must not be kept longer than necessary for the purposes
- Data must be processed in accordance with the rights of the data subjects:
  - Right to access copies
  - Right to object to processing causing damage or distress
  - Right to prevent processing for direct marketing
  - Right to object to automated decisions
  - Right to have inaccurate data rectified, blocked, erased or destroyed
  - Right to claim compensation for damage caused by breach of data protection law
- Appropriate technical or organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Personal data shall not be transferred outside the EEA unless that country affords the same levels of protection for data
The Data Protection Principles will apply differently to each business, depending on their customer or user base and how they use their data.
Sensitive Personal Data
The definition of ‘sensitive personal data’ is also relevant. This is information relating to:
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Physical or mental health
- Sexual life
- Criminal records (or other information relating to alleged offences, court proceedings etc.)
A data controller is not permitted to use a person’s ‘sensitive personal data’ at all unless the subject gives explicit consent to the collection, processing and use of that data.
Databases and your employees
It is essential to consider how these laws impact you if you have employees or use freelance workers.
For a start, recruitment, selection and employment monitoring all involve the collection of data. Much of this will fall within the definition of sensitive personal data. It is therefore important to have robust policies in place for the secure collection, storage and processing of data about potential, past and current employees. The consent your employees give for their personal data is likely to differ hugely from the consent you get from your customers or website users. Databases need to be constructed and managed accordingly.
Another aspect of employment and data protection is the use and access of business data by your employees. As an employer, you are responsible for any breaches of data protection law by your employees. So, you need to provide your staff with adequate training on data protection and have policies in place to manage your employees’ use of data and databases in the workplace.
Bring your own device – BYOD
Which brings us back to our question at the start of this article. Is the use by your employees of their personal devices in the workplace exposing you to risk? Many employees now own personal devices such as tablets, smartphones, and laptops that they use for business purposes. This practice is known as Bring Your Own Device (BYOD). However, security mechanisms for these devices might not meet the standards established for security of a business’s data and databases on its own servers. Businesses that permit employees to use their own devices will need clear policies to manage:
- Security of data stored on the device – passwords, encryption and automatic locking should all be considered
- Transfer of data between secure servers and the device. Are there certain types of data that should not be accessed on a device? Can data be stored on external devices, accessed on a cloud network or sent by email? Can employees use public access WiFi connections?
- Remote mobile device management. Should a business be able to lock or wipe a device or prevent installation of unapproved apps or programs?
- Monitoring use of a device. Since monitoring use potentially involves the collection of data, a business will need to ensure any monitoring complies with the Data Protection Principles.
- Locating and/or wiping devices in the event of loss or theft of the device.
It’s important to work out how to balance the interests of your employees with those of your data protection obligations when drafting a BYOD policy for your business. For example, a key issue is what happens if an employee loses their device. You as employer will be expected to demonstrate that you have appropriate security measures in place for such situations. You may want to remotely wipe the data, in which case you should have arranged for this in your policy. Any wiping policy must be balanced with the duty to take care over the employee’s own private data in the device.
The ICO will fine organisations that lose devices containing unencrypted personal information. Quite apart from the financial penalty, this can lead to reputational repercussions from the adverse publicity.
I would advise companies that have not already done so to manage this risk by implementing an appropriate policy.