By KT
Lindberger-Schmidt, General Counsel, International Decision Systems*
For today’s tech-savvy workforce, one of the most
popular and demanded policies is BYOD (a/k/a “bring your own
device”). Employees want to work when they need to, on their preferred
device. Employers want their employees to work on projects and respond to
emails without regard to time of day, location, or the equipment they have with
them. But like every business decision, the decision to allow employees
access to company data on personally owned devices is one that involves a
risk-benefit analysis.
Flexibility, reduced cost, and employee satisfaction are
some of the major benefits of BYOD policies. The single biggest risk of
embracing a BYOD policy is to a company’s data security – a complicated subject
for another day. There are other important risks to consider, however,
including those relating to employee privacy. When company data and
personal data live side-by-side on a single device owned by an employee,
privacy issues are hard to avoid.
Does employer access to corporate data on an employee’s
device create access to personal data? Could it? Should an employer ever make
access to personal data a condition of allowing employees to use personal
devices for work? And if an employer has or gains access to personal data
because of a BYOD policy, should that access ever be used? All questions to
consider carefully before your BYOD policy is put in place.
As you consider what you can and should do with BYOD,
remember that the fact that something is technologically possible does not
necessarily make it a good idea. However tempting it might be to access
and use an employee’s personal data for business purposes, it strikes me as a
legally risky idea. If access to personal data can or will happen in your
organization, it’s critical that your BYOD policy says so explicitly. Even more
critical is that you can demonstrate that your employees understand and
acknowledge, in writing, that they are giving up the privacy of the personal
data on their device in exchange for the flexibility that BYOD offers
them.
Employees, especially younger workers, may be willing to
forego some privacy in exchange for the flexibility of using their own device
for work. Given that, and all the sharing of social media, some employers
may wonder if they still need to be concerned about employee privacy. In fact, the
courts are currently giving increasing scrutiny to privacy issues. There have
been recent U.S.
Supreme Court decisions protecting cellular
phones from warrantless searches and cars from GPS tracking, and increasing
protections afforded employees and applicants on their private
use of social media. In addition, companies
doing business in other countries are realizing that privacy laws, including
laws protecting employees, differ significantly from those in th U.S. and may
in fact be far stronger in other jurisdictions.
Navigating the privacy concerns, among
others, associated with BYOD is a balancing act. What an employer
needs to recruit, retain, and engage employees may include the flexibility and
ability of employees to work when and where they want to, on the device they
prefer supported by BYOD. On the other hand, security of corporate data and
intrusion on employee privacy should be serious considerations when
implementing a BYOD policy. If employers wanted to avoid all risk,
they would never hire a soul. Instead, we take risks every day, doing our
best to be thoughtful and balanced in our approach. Developing and
implementing a BYOD policy that incorporates the concerns laid out here is no
different.
*The Employment Law Navigator welcomes its first guest
blogger, KT Lindberger-Schmidt, and thanks him for his contribution. KT can be contacted at .
