BRING YOUR OWN DEVICE
Legal Analysis & Practical TIPs for an effective BYOD corporate Policy

CONTENTS
1. What is BYOD?
2. Benefits and risks of BYOD in Europe
3. BYOD and existing Policies
4. Legal issues to take into account when implementing BYOD Policies
5. Practical TIPs for BYOD Policies

ABSTRACT
This document offers a practical and concrete legal overview of BYOD trends around Europe from a data protection perspective. Its scope is twofold: (i) to highlight the main privacy and personal data protection legal issues related to BYOD; and (ii) to point out the main elements to be taken into account when drafting an effective BYOD Policy. This will help companies and entrepreneurs to better understand the relevant legal framework, to assess current policies, and to implement effective BYOD corporate standards.
AUTHORS
Paolo Balboni, Ph.D., Founding Partner, ICT Legal Consulting
Domenico Converso, LL.M., Senior Associate, ICT Legal Consulting

1. WHAT IS BYOD?
Mobile devices are consumer products that are starting to dominate the business world and change the way people do business. Nowadays we are experiencing a huge rise in the popularity, uses and capabilities of mobile devices. For these reasons, many employers are increasingly dealing with demands from employees who wish to use their own devices in the workplace to carry out their activities. This trend is commonly known as Bring Your Own Device (BYOD), an expression that refers to employees' use of their own personal mobile devices to access, store and process corporate information and applications. BYOD, in other words, refers to the use of employee-owned devices to access enterprise content or networks.

The definition of BYOD, however, needs to be refined by clarifying the meaning of its three core elements: 1. mobile devices, 2. employees and 3. corporate information.

1. First of all, the definition of BYOD is strictly connected with the concept of mobile device, intended as a handheld computing device with an operating system (OS), equipped with various IT capabilities (Wi-Fi, Bluetooth, GPS, camera, etc.) and running various types of application software, also known as Apps. There are many types of mobile devices. For the purposes of the BYOD definition we restrict the approach to mobile phones, smartphones, PDAs and tablets.

2. The BYOD definition also includes the concept of employee, which requires a short clarification. This term is not used in its strict sense, since it literally implies the existence of an employment agreement. In BYOD cases, however, we should refer to a broader category of workers, intended as individuals who work for an employer, whether under an employment agreement or any other contract under which an individual undertakes to do or perform personally any work or service: for example, agency workers, short-term casual workers, freelancers, etc.

3. The concept of corporate information simply refers to the information and personal data of the organization involved. More precisely, in the case of personal data, the organization acts as Data Controller (in the meaning of the applicable European Data Protection legislation) and is responsible and liable for unlawful data processing, even if the processing operations are carried out by its employees/workers.

2. BENEFITS AND RISKS OF BYOD IN EUROPE
In Europe, BYOD is a trend that can bring enterprises both substantial advantages and considerable risks.

Benefits
With regard to benefits, employers should seriously take into account that BYOD brings a significant increase in productivity and innovation. Employees are more comfortable and efficient with their own personal devices, which tend to be more cutting-edge. Furthermore, users upgrade to the latest hardware and software more frequently, and companies benefit from the use of such advanced and up-to-date devices. Allowing employees to use personal devices also saves them from carrying multiple devices, with relevant consequences in terms of employee satisfaction. From a cost-savings perspective, BYOD allows companies to save budget by simply shifting costs to the user, with employees paying for mobile devices, applications and data services.
Lastly, BYOD gives employers the opportunity to embed data protection at the core of their business activities and to raise overall standards, for example by specifying the types of personal data that can be stored on particular devices and which should not (for example, sensitive data). [1]

Risks
Risks, on the other side, stem from the mixed (i.e. personal and professional) use of devices. Translated into a data protection perspective: employees own, maintain and support the device, while employers must comply with data protection obligations. In particular, as clarified by the Information Commissioner's Office (the first European Data Protection Authority to issue guidelines on BYOD), employers need to assess the following aspects:
- what type of data is held;
- where data may be stored;
- how it is transferred;
- potential for data leakage;
- blurring of personal and business use;
- the device's security capacities;
- what to do if the person who owns the device leaves their employment; and
- how to deal with the loss, theft, failure and support of a device.

In fact, it is important to underline that employers are considered to be data controllers, which implies that they need to remain in control of the personal data for which they are responsible/liable, regardless of the ownership of the device used to carry out the processing. If companies allow BYOD, they will have significantly less control over the device than they would have over a traditional corporately owned device. In this respect, the present document will help data controllers to ensure that the risks associated with BYOD are appropriately managed.

[1] See Information Commissioner's Office, Bring your own devices, /Practical_application/ico_bring_your_own_device_byod_guidance.ashx

3. BYOD AND EXISTING POLICIES
In many cases an employer already has corporate policies in place that may relate to or address some BYOD concerns (see, for example, corporate device policies, social media policies, wireless access policies, internet policies, etc.). Consistency between existing policies and BYOD policies is of fundamental importance! Many current device policies regulate configuration and security requirements on the assumption that the company owns and centrally controls the device. These policies may in fact apply to all mobile devices, without distinguishing between company-owned and personally owned devices. However, setting the same rules for personal devices as for company-owned devices is a big mistake. At the same time, drafting separate policies for personal devices could create confusion and disproportion. Therefore, regardless of the choice made by an organization on policy structure, in many cases existing policies will need to be modified to ensure that proper distinctions are drawn between personally and company-owned devices, and that existing policies are not over- or under-inclusive when it comes to addressing BYOD issues.

4. LEGAL ISSUES TO TAKE INTO ACCOUNT WHEN IMPLEMENTING BYOD POLICIES
In order to draft an effective and strong BYOD Policy, employers have to deal with numerous challenges, such as:
- the company does not own or physically control the devices;
- there is a wide variety of personal data to consider;
- personal data and information can potentially reside in multiple locations;
- safeguarding and retrieving the data can be difficult.
These elements give rise to a significant number of data protection legal issues, which we summarise below from a practical standpoint.

Distinguishing privacy roles
First of all, it is important to underline that, under the European data protection legal framework, employers are personal data controllers. It follows that they have to put in place, on non-corporate devices too, appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing operations.
In fact, the so-called European Data Protection Directive (Directive 95/46/EC) specifically requires that "the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected" (see Article 17). It follows that employers (and not employees), despite the absence of physical control over the device, are obliged to comply with data protection rules.

Managing multiple categories of data
Another essential legal issue to take into account when drafting effective BYOD Policies is the multiple types of personal data that can be processed with the employee's device. From a BYOD Policy perspective, a useful way of categorizing those types of data is to distinguish between corporate and non-corporate information. The first are data (including personal data) associated with the company, such as corporate e-mails, documents and text messages. The second are data (including personal data) that individuals create or store on the device for purely personal purposes (such as personal e-mails, pictures, phone numbers, etc.). The problem is that an employee's device used in a corporate environment will likely contain both corporate and non-corporate information/personal data. For example, all e-mails, pictures and documents, both personal and corporate, may be stored in the same database on the privately owned device, which is under the sole privacy responsibility of the employer.

Despite the fact that current device architectures and operating systems usually do not support the native separation of those types of data, companies have to implement solid BYOD Policies. There, employers need to specify accurately which data are allowed to be stored on the device and which data need to be processed in a more restrictive environment (for example, by using different apps for business and personal use, or by storing corporate data within the corporate network instead of on the device). Maintaining a clear separation between personal data processed on behalf of the data controller (employer) and those processed for the device owner's own purposes can minimize privacy responsibilities while simplifying and improving data collection.

Dealing with different purposes of data processing
The use of BYOD could also increase the risk that personal data are processed for purposes different from the ones for which they were originally collected, kept for longer than necessary, or not kept up to date. For example, if copies of data are stored on many different devices, there is an increased risk that personal data will be used for incompatible purposes or become out-of-date or inaccurate over time. There is also an increased risk that data will be retained for longer than necessary, because it is more difficult to keep track of all copies of the data. Additionally, if multiple copies of data are stored on many different devices, it is more difficult to enable the effective exercise of data subjects' rights. For example, it may be problematic to guarantee compliance with a data subject's access or deletion request if one is not aware of all the devices on which personal data may be stored. It is therefore strongly recommended that BYOD Policies impose an obligation on employees to: 1) connect to a central corporate repository of data when processing corporate information; 2) process corporate personal data only for corporate purposes.

Understanding where data might reside: data location
Personal data processed via a personal device may primarily reside in three locations: 1) on the device; 2) on a server within the organisation's IT network or in a private cloud; or 3) in a community or public cloud.
The better solution might be to use the corporate network or a private cloud: in this case employers are able to meet privacy requirements and compliance obligations without needing access to the employee's device. Note that certain types of data are practically impossible to retrieve. For example, current devices do not usually store unlimited call history, text message data, browser history and cache. Telecommunication carriers may have more complete data available; however, such data are in principle accessible only to law enforcement agencies, or to employers but only on the basis of a court order. Therefore the BYOD Policy should set out a procedure providing for regular backup and/or synchronization on the corporate network (or private cloud).

Unlawful access
In case devices get stolen, employers should take appropriate technical and organizational measures to protect data against unauthorized or unlawful access. As pointed out by ICO [2], such measures can include "controlling access to the data or device using a password or PIN (or) encrypting the data". It is fundamental to consider the security of the access credentials in the event of loss or theft of the device. In fact, if a device is used to access a cloud service or an IT network and permits users to remain logged in between sessions, unauthorized access to the device could easily result in an unauthorized disclosure of personal data.

Control of the device
In the (not recommended) case where personal data are stored on a device, it will be important to consider the safe and secure deletion of the data throughout the lifecycle of the device, and particularly if the device is to be sold, gets stolen or lost, or is transferred to a third party. Employers, therefore, shall ensure the confidentiality of any personal data stored on the device.

[2] See Information Commissioner's Office, Bring your own devices, /Practical_application/ico_bring_your_own_device_byod_guidance.ashx

For example, as suggested by ICO, most modern devices offer the possibility to locate personal data remotely and delete data on demand. Such operations can also be managed by third-party software, known as Mobile Device Management (MDM). MDM services, however, also allow employers to record and track the device in real time. In legal terms, this is a really delicate issue, involving the specific employment legislation of the European Member States. The risk is to fall within the remote monitoring and surveillance of workers, which is in principle not allowed throughout the European Union. Employees, in fact, have legitimate expectations that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment. As clarified by the Article 29 Working Party in its Opinion 8/2001 on the processing of personal data in the employment context [3]:
- any monitoring must be a proportionate response by an employer to the risks it faces, taking into account the legitimate privacy and other interests of workers;
- any personal data held or used in the course of monitoring must be adequate, relevant and not excessive for the purpose for which the monitoring is justified. Any monitoring must be carried out in the least intrusive way possible. It must be targeted on the area of risk, taking into account data protection rules and, where applicable, the principle of secrecy of correspondence;
- employees must be informed of the existence of the surveillance, the purposes for which personal data are to be processed and other information necessary to guarantee fair processing.

The transfer of personal data
Another issue to take into account when implementing a BYOD Policy regards the transfer of personal data between the personal device and the corporate IT system. The transfer process can present significant risks of interception. Employers, thus, might consider forcing all traffic through encrypted channels (such as a VPN, or HTTPS for individual services) in order to offer some security when employees are using untrusted connections (for example, public Wi-Fi networks).

[3] See Article 29 Working Party, Opinion 8/2001 on the processing of personal data in the employment context.
A good practice on this point might be to include in BYOD Policies specific guidelines for employees on how to assess the security of Wi-Fi networks, such as those found in hotels, cafes, restaurants, etc.

Moreover, it is worth noting that pursuant to Article 25 of the EU Data Protection Directive (Directive 95/46/EC), transfers of personal data to a third country outside the European Economic Area can only take place where the third country ensures an adequate level of protection for the data. Article 26, however, sets out derogations, including instances in which "the data subject has given his consent unambiguously to the proposed transfer" (or) "the transfer is necessary for the performance of a contract between the data subject and the controller" (or) the transfer is on the basis of standard contractual clauses approved by the Commission as providing adequate safeguards, etc. In this respect, it should be borne in mind that many transfers of personal data are from a data controller in the EU (for example, the employer) to a data processor outside the EU (for example, the Cloud Provider).

5. PRACTICAL TIPS FOR BYOD POLICIES
1. KEY DEFINITIONS
Make distinctions between company-owned devices and personal devices.

2. PROHIBITED INFORMATION/DATA
Specify what types of information/personal data are allowed or prohibited and can or cannot be stored on the device. BYOD Policies, for example, may state that employees cannot download sensitive data or privileged information onto their personal devices unless they are downloaded into a corporate IT folder or network.

3. SECURITY INCIDENT
Set an obligation (within the BYOD Policy) on employees to promptly report any actual or reasonably suspected incidents of hacking or unauthorized disclosure of information contained on the device.

4. SECURITY
Address device/data security (e.g., devices must be password protected; encryption of data; secure connections, etc.).

5. INTERNATIONAL DATA TRANSFERS
Consider personal data flows/transfers due to the use of cloud services and social networks: e.g., the transfer of data to countries outside the EEA which do not offer an adequate level of data protection.

6. DEVICE SYSTEM REQUIREMENTS AND LIMITATIONS
Require employees to meet a minimum set of requirements on their own personal device. Device configurations should prohibit, for example:
- automatic back-up or cloud storage;
- the use of the personal device as a mobile hotspot;
- certain specific application installations (such as jail-breaking or unauthorized modding of devices).

7. SOCIAL MEDIA
Consider employees' social media use and coordinate the Social Media Policy with the BYOD Policy.

8. LABOUR LAW
Consider Labour Law implications/limitations vs. Mobile Device Management tools. For example:
- involve employees and their representatives in the development of a BYOD Policy;
- identify the purposes behind the monitoring of workers;
- inform employees about the purpose and the reasons of any monitoring;
- clarify that, although employees have reasonable expectations of privacy on their personal devices, the employer has the right to monitor or access the device for specified corporate reasons.

9. APPS
Clarify whether employees can download, install and use Apps. Companies may also use technology to prevent downloads of questionable apps or copyright-infringing content on the device.

10. IT DEPARTMENT
BYOD Policies should provide that the employee must present any mobile device to the employer's IT department prior to connecting to the company network, and that the employee consents to the employer installing proper security protocols and necessary office software.

CONCLUSION
As pointed out by ICO [4], an effective BYOD policy can lead to a number of benefits, including improved employee job satisfaction, an overall increase in morale, increased job efficiency and increased flexibility. By considering the risks to data protection at the outset, employers have the opportunity to embed data protection at the core of their business activities and to raise overall standards.

Paolo Balboni, Ph.D., Founding Partner, ICT Legal Consulting
Domenico Converso, LL.M., Senior Associate, ICT Legal Consulting

[4] See Information Commissioner's Office, Bring your own devices, /Practical_application/ico_bring_your_own_device_byod_guidance.ashx
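As an added example that is not part of the original document or of any MDM product: the following Python check turns practical tips 4 and 6 (password protection, encryption, secure connections, no automatic cloud backup, no hotspot, no jail-breaking) and the "Unlawful access" point about sessions that remain logged in between uses into rules that a personal device must satisfy before the IT department admits it to the company network (tip 10). The DevicePosture fields, the thresholds (6-character passcode, 15-minute session timeout) and the sample devices are assumptions constructed for the example; a real deployment would obtain the posture from the MDM agent's attested inventory.

```python
"""
Added example (not from the original document): a minimal BYOD device
compliance check of the kind an MDM enrolment gateway runs before a personal
device is allowed onto the corporate network. Fields, thresholds and sample
devices are constructed assumptions, not values from the paper or any product.
"""
from dataclasses import dataclass, field


@dataclass
class DevicePosture:
    """Configuration of one personal device as reported by an MDM agent (assumed schema)."""
    device_id: str
    owner: str
    passcode_set: bool                  # tip 4: device must be password protected
    passcode_min_length: int            # length of the device unlock code
    storage_encrypted: bool             # tip 4: encryption of data at rest
    jailbroken: bool                    # tip 6: jail-break / unauthorized modding
    hotspot_enabled: bool               # tip 6: personal device used as mobile hotspot
    cloud_backup_enabled: bool          # tip 6: automatic back-up or cloud storage
    vpn_profile_installed: bool         # tip 4 / transfer of data: encrypted channel
    corporate_session_timeout_min: int  # "Unlawful access": no indefinite logged-in sessions


@dataclass
class ComplianceResult:
    device_id: str
    compliant: bool
    violations: list[str] = field(default_factory=list)


# Policy thresholds: assumed values for this example, not taken from the paper.
MIN_PASSCODE_LENGTH = 6
MAX_SESSION_TIMEOUT_MIN = 15


def evaluate_posture(p: DevicePosture) -> ComplianceResult:
    """Return every BYOD policy rule the device currently violates (empty list = compliant)."""
    violations: list[str] = []

    if not p.passcode_set:
        violations.append("no device passcode (tip 4: password protection)")
    elif p.passcode_min_length < MIN_PASSCODE_LENGTH:
        violations.append(f"passcode shorter than {MIN_PASSCODE_LENGTH} characters (tip 4)")
    if not p.storage_encrypted:
        violations.append("storage not encrypted (tip 4: encryption of data)")
    if p.jailbroken:
        violations.append("device is jail-broken/modded (tip 6)")
    if p.hotspot_enabled:
        violations.append("mobile hotspot enabled (tip 6)")
    if p.cloud_backup_enabled:
        violations.append("automatic cloud backup enabled (tip 6)")
    if not p.vpn_profile_installed:
        violations.append("no VPN profile for corporate traffic (tip 4: secure connections)")
    # A timeout of 0 means "stay logged in"; anything above the limit is treated the same way.
    if p.corporate_session_timeout_min <= 0 or p.corporate_session_timeout_min > MAX_SESSION_TIMEOUT_MIN:
        violations.append(
            f"corporate app session may stay logged in longer than {MAX_SESSION_TIMEOUT_MIN} min"
        )

    return ComplianceResult(p.device_id, compliant=not violations, violations=violations)


def admission_report(devices: list[DevicePosture]) -> dict[str, ComplianceResult]:
    """Evaluate a fleet; only compliant devices would be granted network access."""
    return {d.device_id: evaluate_posture(d) for d in devices}


# Constructed sample fleet: one compliant device and one with several gaps.
SAMPLE_DEVICES = [
    DevicePosture("dev-001", "alice", True, 6, True, False, False, False, True, 10),
    DevicePosture("dev-002", "bob", True, 4, False, True, False, True, False, 0),
]


if __name__ == "__main__":
    for dev_id, result in admission_report(SAMPLE_DEVICES).items():
        print(f"{dev_id}: {'ADMIT' if result.compliant else 'DENY'}")
        for v in result.violations:
            print(f"  - {v}")
```

The rules are deliberately kept as independent checks that each name the tip they enforce, so that the denial message handed to the employee (and logged by the IT department) states exactly which policy clause the device fails, which is what makes the requirement in tip 6 enforceable rather than merely declared.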