On 7 March 2013, the UK Information Commissioner’s Office (ICO) issued new guidance for employers on the use of personal devices for business purposes.  The guidance is largely informed by a survey commissioned by the ICO and carried out by the market research firm YouGov.  According to the survey, 47 percent of adults in the UK use personal smart mobile phones, laptops or tablets for work purposes, but less than 30 percent are given guidance on secure use and the risks relating to loss or theft.  However, even when an employee uses a personal device, an employer may still be liable in the UK for the loss of data relating to individuals that the employer is required to protect.

UK companies have in recent years been increasingly amenable to allowing employees to use personal devices for business purposes, a practice known as “bring your own device” to work, or BYOD.   The driving forces behind the trend for BYOD include cost considerations and a rise in flexible working practices.  The ICO guidance reminds employers that their responsibilities as data controllers apply equally in the context of BYOD.  In other words, employers remain liable for any data loss, theft, or damage to personal data that occurs, regardless of whether processing takes place in their secure corporate IT environment or on the personal devices of their employees.  

In light of the inherent security risks, the ICO recommends that companies which permit BYOD carefully consider the types of data held; where data may be stored; how data are transferred; the blurring between personal and business use; the security capabilities of personal devices; what to do if the person who owns the device leaves employment; and how to deal with the loss, theft, failure and support of a device.     

In its guidance, the ICO has proposed a number of practical steps that employers can adopt to mitigate the risks associated with BYOD.  These include:

  • Acceptable Use Policy.  An Acceptable Use Policy should clearly set out employees’ responsibilities, including by specifying the types of data that may be processed on a personal device and the data that can only be processed in a secure IT environment.
  • Social Media Policy.  Employers should consider implementing a Social Media Policy, particularly where the use of social media for corporate purposes is allowed or encouraged.
  • Data security and access control.  The use of strong passwords and encryption is key to effective access control to data (and the device).  Some devices may also offer the ability to restrict access to certain applications and data types based on geographical location or an additional level of authentication.  Devices should lock automatically if inactive or if multiple incorrect passwords are entered.  Where possible, a clear separation between personal data processed on behalf of the data controller and data processed by the device owner for personal purposes should be maintained, for example, by using different applications.
  • Securing data transfers.  Transferring all data through an encrypted channel, such as a VPN, will minimize the risk of interception, but may have privacy implications in respect of information shared during periods of personal use.  Employers should use public cloud-based storage and back-up services with extreme caution.  Any monitoring technology should be deployed only if proportionate to the pursued aims.  
  • Controlling and securing devices.  Employers should consider how to manage personal data on an employee’s personal device on termination of employment.  Devices can be registered with a remote locate and wipe facility to ensure data security and confidentiality.  However, employers should ensure that data collected as part of the remote facility is not used for ongoing monitoring of users or for other unrelated purposes.  The choice of devices should be limited to those the employer has deemed sufficiently secure for the type of personal data processed.  

While monitoring devices may seem a sensible risk mitigation measure, it will have privacy implications and employers should ensure that any monitoring is “proportionate” and justified by real business need and benefits.  As outlined in the ICO’s Employment Practices Code, employees have “legitimate expectations that they can keep their personal lives private” and that they are entitled to some privacy at work.  Therefore, employers should normally conduct an impact assessment and also notify employees in the appropriate company policy before carrying out any monitoring.

Photo of Helena Milner-Smith Helena Milner-Smith

Helena Milner-Smith helps companies navigate complex international HR-legal compliance issues.

Helena advises clients across a range of industries on all aspects of UK and international employment law, including the HR aspects of privacy compliance and human rights regulation.

Helena has particular expertise advising…

Helena Milner-Smith helps companies navigate complex international HR-legal compliance issues.

Helena advises clients across a range of industries on all aspects of UK and international employment law, including the HR aspects of privacy compliance and human rights regulation.

Helena has particular expertise advising on the HR-legal aspects of multi-jurisdictional transactions. She also regularly assists clients seeking to protect their business and increase international compliance by designing and implementing global policies, employment contracts and restrictive covenants.

Helena has been recognised by Legal 500 UK for her “exceptional service” and “responsive and practical” advice.

In addition, Helena has gained valuable in-house experience while on secondment at three large multinational corporations – a pharmaceutical company, an oil company and a leading investment bank

Photo of Mark Young Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to…

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
    Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    clinical trials and pharmacovigilance;

    • digital health products and services; and
    • marketing programs.
    • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
      preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.