This week’s article looks at mobile device management (MDM), specifically in relation to employees. It is the next in our series of articles based on a report on data processing at work by the Article 29 Working Party (‘WP29’), an independent European advisory body on data protection and privacy.
Mobile device management enables employers to locate devices remotely, deploy specific configurations and/or applications, and delete data on demand. An employer may operate this functionality itself, or use a third party to do so. MDM services also enable employers to record or track the device in real time, even if it is not reported stolen.
A Data Protection Impact Assessment (DPIA) should be performed prior to the deployment of any such technology where it is new, or new to the data controller. If the outcome of the DPIA is that the MDM technology is necessary in specific circumstances, an assessment should still be made as to whether the resulting data processing complies with the principles of proportionality and subsidiarity.
Employers must ensure that the data collected as part of this remote location capability is processed for a specified purpose and does not, and could not, form part of a wider programme enabling ongoing monitoring of employees. Even for specified purposes, the tracking features should be moderated. Tracking systems can be designed to register the location data without presenting it to the employer; in that case, the location data should become available only where the device would be reported or lost.
Employees whose devices are enrolled in MDM services must also be fully informed as to what tracking is taking place, and what consequences this has for them.