Bring Your Own Device – do the risks outweigh the benefits?
By Barry Warne, head of employment law at Keebles
The healthcare sector continues to witness an unprecedented increase in the use of mobile devices which bring a myriad of benefits including flexibility, workflow efficiencies and cost savings.
But with these advantages come significant risks and concerns about privacy and security.
The medical arena has confidentiality at its heart. Data protection and keeping patient information safe is a fundamental part of what practices strive to get right.
They treat the integrity of their data very seriously by investing time and money in firewalls, password protection and anti-virus software along with maintenance arrangements to keep security measures updated.
Personal devices are unlikely to have this level of protection, which could lead to sensitive information falling into the wrong hands. If this occurs, employers could find themselves in breach of data protection laws unless they can demonstrate that they have made reasonable attempts to keep the information secure – such as having robust remote working security protocols or automated defence mechanisms in place.
The privacy factors have been further heightened by the introduction of the General Data Protection Regulation (GDPR) on May 25 this year, which has added a layer of complexity to the issue of Bring Your Own Device (BYOD).
Under GDPR, practices are required to draw up ‘privacy notices’ setting out clearly and comprehensively what data is collected, how and where it is stored - and who is able to access it.
Where information is downloaded onto personal devices, this will need to be fully explained and documented. Penalties for serious breaches can be up to €20 million or 4% of annual turnover – not to mention the reputational damage.
Another potential downside to BYOD is falling productivity. There is a clear temptation for staff using their own devices in company time to be distracted by personal messages and notifications unless contracts of employment are explicit about what constitutes acceptable BYOD use.
BYOD can likewise lead to a company’s valuable IP being stored on an employee’s personal device – a potential risk if that person leaves or is dismissed.
The law is clear that company data on a personal device belongs to the practice and, in most circumstances, the copyright for work generated by an employee will also rest with the company.
Even so, it pays to have clear policies relating to the compulsory deletion of data, or an electronic solution installed such as a remote device management system that can automatically wipe a device’s data.
In extreme circumstances an employer can resort to taking out an injunction to compel the return of its data.
Having a watertight policy ensures employees know that actions such as giving their colleagues access to secure information or sharing passwords are prohibited.
This evolving area, driven by technological advancements, brings a minefield of potential risks. If in doubt, take professional legal advice.