This is the next in our series of articles based on a report on data processing at work by the Article 29 Working Party (‘WP29’), an independent European advisory body on data protection and privacy, and, as promised last week, this time we’re talking about BYOD.
Implementing BYOD effectively can bring a number of benefits for employees, including improved job satisfaction and morale, greater efficiency and more flexibility. However, by definition, some use of an employee’s own device will be personal in nature, and this is more likely at certain times of the day (e.g., evenings and weekends). It is therefore a distinct possibility that employees’ use of their own devices will lead to employers processing non-corporate information about those employees, and possibly about family members who also use the devices in question.
In the employment context, BYOD privacy risks are commonly associated with monitoring technologies that collect device identifiers such as MAC addresses, or with an employer accessing an employee’s device under the justification of performing a security scan (e.g., for malware). On the latter point, a number of commercial solutions exist that can scan private devices; however, such tools may be able to read all data on the device and must therefore be carefully configured and managed. For example, those areas of a device that are presumed to be used only for private purposes (e.g., the folder storing photos taken with the device) may in principle not be accessed.
Monitoring the location and traffic of such devices may be considered to serve a legitimate interest in protecting the personal data for which the employer is responsible as data controller; however, this may be unlawful where an employee’s personal device is concerned, if the monitoring also captures data relating to the employee’s private and family life. In order to prevent the monitoring of private information, appropriate measures must be in place to distinguish between private and business use of the device, so that only the business use is captured.
Employers should also implement methods by which their own data is securely transferred between the device and their network. One common approach is to configure the device to route all of its traffic through a VPN back into the corporate network, which offers a certain level of security; however, if such a measure is used, the employer should bear in mind that a full-tunnel VPN carries the employee’s personal traffic through the corporate network as well, so any monitoring software on that path poses a privacy risk during periods of personal use. Devices that offer additional protections such as “sandboxing” data (keeping corporate data contained within a specific app or managed container) could be used instead, so that the VPN and any associated monitoring are limited to the corporate container rather than the whole device.
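To make the distinction between business and private use concrete, the following Python script is an added example (not part of the WP29 opinion or of this article) of how a BYOD traffic-monitoring pipeline might apply data minimisation. It contrasts a full-tunnel VPN, where every flow from the device is visible, with a work-profile (sandboxed container) approach, where only flows from the managed profile are retained, and it shows how a collected device identifier such as a MAC address can be replaced by a keyed pseudonym before storage. The corporate address ranges, the application identifiers, the secret key and the flow records are all constructed for illustration.

```python
"""Constructed example: minimising BYOD monitoring to business use only.

Not the article's or any vendor's code. Address ranges, app identifiers,
the pseudonymisation key and the sample flows are all made up.
"""
from dataclasses import dataclass, replace
import hashlib
import hmac
import ipaddress

# Assumed corporate address space reachable over the VPN (hypothetical).
CORPORATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]

# Assumed per-deployment secret for pseudonymising device identifiers.
PSEUDONYM_KEY = b"hypothetical-rotating-secret-key"


@dataclass(frozen=True)
class Flow:
    ts: str        # ISO-8601 timestamp of the flow
    device: str    # device identifier as collected, e.g. a MAC address
    profile: str   # "work" (managed/sandboxed container) or "personal"
    app: str       # originating application identifier
    dst: str       # destination IPv4 address
    nbytes: int    # bytes transferred


def is_corporate(dst: str) -> bool:
    """True if the destination lies inside the (assumed) corporate ranges."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in CORPORATE_NETS)


def pseudonymise_device(identifier: str) -> str:
    """Replace a raw device identifier with a keyed hash.

    Records for the same device can still be correlated, but the raw MAC
    address is never written to the monitoring store. Rotating the key
    breaks linkage across rotation periods.
    """
    mac = hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def full_tunnel_log(flows):
    """Full-tunnel VPN: every flow the device sends is seen and retained,
    personal use included. Shown only to illustrate the over-collection."""
    return [replace(f, device=pseudonymise_device(f.device)) for f in flows]


def minimised_log(flows):
    """Sandboxed/work-profile model: retain only flows from the managed
    work profile, with the device identifier pseudonymised. Flows from the
    personal profile are discarded before they are ever written."""
    kept = []
    for f in flows:
        if f.profile != "work":
            continue
        kept.append(replace(f, device=pseudonymise_device(f.device)))
    return kept


def leaked_corporate_flows(flows):
    """Personal-profile flows that nevertheless reached a corporate address.

    With working sandboxing these should not occur; if they do, the
    container boundary is not enforcing the separation the policy relies on.
    Only destination and timestamp are returned, not the personal app.
    """
    return [(f.ts, f.dst) for f in flows
            if f.profile == "personal" and is_corporate(f.dst)]


# Constructed sample flows (TEST-NET addresses for personal traffic).
SAMPLE_FLOWS = [
    Flow("2017-06-12T09:05:00", "02:00:5e:00:53:01", "work",
         "com.example.mail", "10.1.2.3", 4096),
    Flow("2017-06-12T12:30:00", "02:00:5e:00:53:01", "personal",
         "com.example.photos", "203.0.113.10", 2_000_000),
    Flow("2017-06-12T18:45:00", "02:00:5e:00:53:01", "personal",
         "com.example.chat", "198.51.100.7", 512),
    Flow("2017-06-12T19:10:00", "02:00:5e:00:53:01", "work",
         "com.example.intranet", "10.4.0.9", 1024),
    Flow("2017-06-12T21:00:00", "02:00:5e:00:53:01", "personal",
         "com.example.browser", "172.16.8.8", 256),
]

if __name__ == "__main__":
    print("full tunnel retains", len(full_tunnel_log(SAMPLE_FLOWS)), "flows")
    print("work profile retains", len(minimised_log(SAMPLE_FLOWS)), "flows")
    print("sandbox leaks:", leaked_corporate_flows(SAMPLE_FLOWS))
```

The point of the comparison is that the full-tunnel variant retains the evening photo upload and chat traffic, which tell the employer nothing about the security of corporate data, whereas the work-profile variant never writes them at all. The `leaked_corporate_flows` check is the control a practitioner would add alongside this: if personal-profile traffic is reaching corporate addresses, the sandbox is not providing the separation that the minimisation rule depends on.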