Bring your own device

04 June 2014

Employment & Benefits Italy

Topic proposed by: Neil Rosolinsky, Deputy General Counsel, Litigation and Employment, Executive Vice President, Citizens Bank


Many companies are moving towards a new communication model whereby they recall all company BlackBerrys or smartphones and instead ask employees to install an application on their own device for business use. While there are obvious savings to be made on hardware costs, this development has caused some consternation among the employment law community in relation to issues such as increased access to personal employee information, as well as potential difficulties in retrieving relevant company-owned information in the event of litigation.


What employment issues must companies consider in deciding whether to switch to the bring your own device (BYOD) model? Are there any specific issues that organisations with a global presence, or those in highly regulated sectors, should bear in mind?

The main issues concerning the BYOD model relate to:

  • the protection of business information;
  • the ability to control data;
  • the need to respect employees' privacy; and
  • the effect of social security contributions on fees paid as consideration (which are due as this is considered employment compensation).

From a regulatory point of view, generally speaking, the only major issue is the need to verify compliance with the regulations of each country in which the organisation operates. A specific point to consider is exposure to criminal offences (eg, for the transport of pornographic material through devices), which will vary from country to country.

How do privacy laws, employment laws and protecting a company's confidential information overlap or intersect on this issue – and how can they be reconciled, given their disparate aims?

The main issue to consider is the monitoring of employees through devices, which is governed by Article 4 of the Workers' Statute (Act 300/1970). The use of BYOD implies the need either to conclude specific agreements with trade unions or to request authorisation from the Territorial Directorate of Employment in accordance with the law. Article 4 prohibits the use of audiovisual equipment or other equipment designed to monitor workers remotely. Moreover, Article 4 emphasises that where organisational or production reasons require the use of devices that could facilitate such monitoring, installation or use of the device requires the prior agreement of trade union representatives. In the absence of such agreement, the employer must submit an application to the Labour Inspectorate.

The use of any device that could potentially monitor employees also constitutes a criminal offence. Section 113 of the Personal Data Protection Code (which is identical to Section 4 of the Workers' Statute) provides that breaches will be penalised pursuant to Section 38 of the Workers' Statute, which governs criminal provisions.

For those that make the switch to BYOD, how can the confidentiality of both employer and employee be preserved? And who owns the information on the device – the employer or the employee?

The concept of an 'internet environment' under Italian law should be borne in mind, in order to ensure adequate protection of the data contained on internet-enabled devices.

Section 615ter of the Criminal Code makes it a crime to access a computer system without authorisation, and penalises parties who unlawfully break into a computer system that is protected by safety measures and who continue to access the computer against the will - whether tacit or express - of the party that is entitled to prohibit such activity.

Pursuant to Article 14 of the Constitution, which protects the home (ie, an individual's domestic environment), criminal law treats the 'internet environment' as a domestic space, provided that appropriate security measures are in place which establish the confidential nature of the information stored in the processing unit. Access to this internet environment must be limited to persons authorised by the owner. In this context, the employer is the owner of the business information stored on the device.

Where a clear distinction between the employer's software and that belonging to the employee has not been established on the employee's device, the employee may refuse to subject the device to monitoring. In this case, the employer can monitor the use of business data only by invoking the criminal law provisions, which requires the involvement of a judge and the employer's compliance with all requirements for this type of protection (eg, subjective unlawful purpose). The BYOD model thus diverges from the traditional model governing business devices: under the BYOD model, the company may not be in a position to ensure adequate protection of business-related information.

In order to ensure adequate protection of an employee's domestic internet environment, the employer and employee should delineate the areas which each may access and use through the establishment of job descriptions, policies and technical boundaries. Once the employer has established certain limits, any use of the company IT system which breaches these established rules can constitute a violation of the employer's organisational arrangements.

Protection of the company IT system is severely impaired if the device is owned by the employee, as under the BYOD model, because the employee has the right to exclude others from his or her internet environment. In this respect, the employer-employee relationship is reversed when compared with the traditional model, where the employer owns the device.

How can companies separate out which information sent or received on the device is official and business related? And how can employer access to information be assured?

The BYOD system necessitates the installation of a specific browser to access company email exclusively and also requires a specific disk section reserved for the use of company data. As a consequence, the employer must reach agreement with the employee on both the partitioning of personal and company systems and the exclusive use of the disk section reserved for company purposes. The agreement must provide for compensation to the employee.

Despite these measures, the employee may still be able to steal or pass on company information through other browsers without the employer's knowledge or consent.

What happens in the event of a security breach? Is the employee protected from liability? What steps can a company take to prevent an employee leaving the company from taking company confidential information via his personal device? And how can the employee's own personal information be safeguarded in the process?

In this respect, and in light of the conditions discussed above, the employee's liability is the same as if a company device were used. The formal protections can be extensive and depend on the specific agreements in place; therefore, protection with immediate effect is evidently impossible.

For further information on this topic please contact Andrea Stanchi at Stanchi Studio Legale by telephone (+39 02 546 9522), fax (+39 02 551 91641) or email (a.stanchi@stanchilaw.it).
