Many employers allow staff to use their own devices, such as smartphones, tablets or computers, to carry out their work (also commonly known as “BYOD”). The benefits are clear: increased productivity, a more efficient way of working, flexibility and improved employee morale. But what are the pitfalls?
Recent research performed by YouGov, commissioned by BAE Systems Detica, found that 73% of office workers use one or more of their personal devices to do their work. Worryingly, however, 34% of office workers with a personal device have failed to update their personal device security in the last six months, while a further third of those (11% in total) have never installed or updated security for their own devices.
Why is this worrying? Surely it’s not the employer’s concern? Well, actually, it is. Earlier this year, the Information Commissioner confirmed in its guidance on BYOD that the liability for lost personal information remains the employer’s – not the employee’s – regardless of where the information was stored. And that’s an expensive prospect, with fines for serious breaches of the Data Protection Act 1998 mounting to up to £500,000. The employer may also incur criminal liability.
Another report, carried out by YouGov SixthSense, shows that although 65% of IT managers say that their organisations currently allow BYOD, only 23% say that their organisation has a formal BYOD policy that covers matters such as data back-ups, prohibiting access to particular types of data and data encryption on local and removable devices.
Employers that allow the use of BYOD should, if they haven’t already, implement a robust policy that sets out clearly employees’ obligations in relation to work-related personal data accessed on their own devices. XpertHR has published a new policy on the use of personal devices for work/bringing your own device to work that helps to ensure that employees who use their own computers or other devices to work from home or bring such devices into work do so in accordance with the requirements contained in the Data Protection Act 1998. We have also improved our data protection policy which you can use to ensure that employees in your organisation use personal data appropriately and in accordance with the Act.