It is quite possible that many of your employees will receive new smartphones, tablets and laptops as Christmas gifts. It seems timely, therefore, to take a moment to consider what issues might arise from allowing employees to use such gadgets in the workplace.
Gadgets used for company business
Given the increased tendency for employees to work from home, or on the move, it is likely that there will be occasions when employees will use their own devices to access company information. You need, to consider, therefore:
- Whether you will allow employees to access company information on their personal devices. Do you want to restrict their access to certain material only? For example, do you want to insist that they never access the personnel database from their own device?
- Who will be responsible for protection against viruses and similar problems. If you are going to encourage employees to use their own devices it might be appropriate to provide virus protection.
- The requirement for password protection. If company data is being accessed and, particularly, if it is being stored on the device then you must ensure that there are adequate security settings.
- Whether you will restrict the use of the device when the employee is travelling. For example, you might want to insist that company data is never accessed over an unsecured network. You might also insist that certain company data is never accessed in a public place.
- What procedures will you follow if the device is lost or stolen? Although it is not a company device, and hence the insurance is not your responsibility, you might want to take some action if company data is stored on the device. You might want to warn employees that your IT department might remotely wipe company data from the device (if that is possible) and that might impact on any personal information that is held on the device.
- What type of data you will allow the employee to store on a personal device. If you do place restrictions on this you will need to consider how you would police this. It could be difficult to insist that you have access to a personal device to check the contents. If you are going to insist on this you will need to make it clear in your company policies.
- Whether you will contribute to the cost of the personal device, particularly if you are expecting the employee to use it for company business. For example, if you are expecting the employee to access the internet from home to carry out company work you might want to consider whether it is appropriate to contribute to the cost of the employee’s broadband connection.
- What procedures will be followed when an employee leaves the organisation. You might want to insist that the employee takes their device to the IT department so that they can check that there is no company data left on the device.
Gadgets used for personal reasons
Most employees, if not all, are likely to have a personal phone or other device with them in the workplace. As well as thinking about the use for company business you need to be clear about what personal use is allowed in the workplace, particularly during working time.
- You might want to insist that there is no personal use of devices during working time. However, if you take that view you need to consider what you will do if an employee makes a personal call, or makes a personal text. If you do decide to take disciplinary action if an employee persistently uses a device for personal reasons you must ensure that there is consistency across the organisation.
- If you decide to allow employees ‘reasonable’ use of personal devices during working time you must ensure that there is consistency in defining what ‘reasonable’ means.
- You might decide that no employee can access certain websites during working time. It would clearly be reasonable to ban the access of sites containing material such as pornography, but you might also want to ban access to online shopping sites, unless the employee is taking a recognised break. Clearly, if an employee is shopping they are not working.
- It might be appropriate to insist that an employee does not use a webcam or camera on their device in the workplace without prior permission.
The legal issues
The Regulation of Investigatory Powers Act 2000 makes it a civil wrong to intercept communications on private and public systems. However, Section 3 of this Act does allow for interceptions if the parties to the communication have consented to it. The Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 does allow an organisation to intercept communications for legitimate business purposes.
To ensure compliance with this legislation it is essential to have a company policy clearly setting out what employees are and are not allowed to do, and making it clear how an organisation might intercept communications. For example, if you are going to reserve the right to carry out a spot check of a personal device that is brought onto company premises this must be clearly stated in your company policy.
It is also important to have regard to the Data Protection Act 1998, and to remind employees of their responsibilities under this Act. In particular, employees must be made aware that a wide range of data might fall under the Act (remember that it is not just personal data about employees that is covered) and there is a requirement to ensure that the information is processed and stored lawfully. If employees are storing company data on a personal device the manager responsible for data protection in your organisation should be aware, and is responsible for ensuring that the data is adequately protected and is stored lawfully.
Forbury People Consultant