25 June 2014
Topic proposed by: Neil Rosolinsky, Deputy General Counsel, Litigation and Employment, Executive Vice President, Citizens Bank
Many companies are moving towards a new communication model whereby they recall all company BlackBerrys or smartphones and instead ask employees to install an application on their own device for business use. While there are obvious savings to be made on hardware costs, this development has caused some consternation among the employment law community in relation to issues such as increased access to personal employee information, as well as potential difficulties in retrieving relevant company-owned information in the event of litigation.
What employment issues must companies consider in deciding whether to switch to the bring your own device (BYOD) model?
There are no specific rules on the use of employees' private devices for business purposes in Poland. Polish labour law allows for the use of employees' own cars and, in the case of remote working, their own equipment. In such cases the use of the employee's car or equipment should be regulated in a written agreement with the employer (in the case of remote working, an internal policy is also required). In both of these scenarios, the employer is obliged to compensate the employee for the use of his or her property for business purposes. Furthermore, the Labour Code allows for employees to use their own clothes as their work outfits. No additional agreement with the employee is required in this regard, although the employee is entitled to an allowance.
While this is not expressly required, it is recommended that these statutory examples be followed when introducing a BYOD policy. The use of employees' private devices for business purposes should thus be regulated in an agreement with the employee. The employee will also need to be remunerated in return for using his or her private device for business purposes. The BYOD model may thus have tax implications for both employees and employers.
Employers should further be aware that the employee need not own the device used in the BYOD model. Given the increasingly short lifecycles of electronic devices, instead of buying the necessary equipment, employees may consider leasing such devices or storing the content sent or received on their devices in the cloud. The employer may thus be unaware of who actually owns the device on which its data is stored and who may obtain it if, for example, the employee does not perform his or her obligations under the agreement and ceases to have the device in his or her possession. Even when the employee owns the device, it may be difficult for the employer to lawfully take possession of the device – in particular, in order to copy or review employment-related files – without the cooperation of the employee.
Storage of and access to information held on devices by the employer will be allowed if:
Normally, the employee's consent will be granted through the software settings installed on the device upon service configuration. However, within the context of the employment relationship, there may be doubts as to whether such consent will be sufficient.
Are there any specific issues that organisations with a global presence, or those in highly regulated sectors, should bear in mind?
Healthcare providers are obliged to protect data contained in medical documentation. Medical documentation may be provided in electronic form, as long as certain requirements are met – in particular, the data must be protected against damage, loss or unauthorised access. At present, only medical professionals can access and process data contained in medical documentation. Medical professionals are obliged to keep such data confidential (medical secrecy). There are doubts as to whether data that is subject to medical secrecy may be outsourced. There may thus also be doubts as to whether, for example, the doctors employed by a healthcare provider can use their own computers or phones in order to access, process or store patient data.
Regulated entities such as banks and brokerage houses are subject to certain prudential requirements, including with regard to their technical and organisational measures. These prudential requirements aim, in particular, to guarantee sufficient protection of professional secrecy and ensure the stable and prudent operation of the regulated entity. Although Polish law does not prohibit employees from using their private devices for business purposes, the internal policies of regulated entities usually prohibit or at least restrict such use. Moreover, pursuant to certain recommendations of the Polish regulatory authority, banks are obliged to educate employees on threats relating to use of their private devices for business purposes.
How do privacy laws, employment laws and protecting a company's confidential information overlap or intersect on this issue – and how can they be reconciled, given their disparate aims?
By voluntarily agreeing to participate in a BYOD programme, the employee confirms that he or she is willing to give up certain freedoms and rights in exchange for the possibility to use a particular device in the work environment. For its part, the employer must accept that it will have less control over data stored on or accessed from employees' devices than over that stored on devices which it provides to employees, in exchange for greater employee satisfaction and, often, improved performance.
The key to striking the right balance between the rights and freedoms of the employer and those of its employees is, first and foremost, proper information about:
Participation in the BYOD programme cannot be obligatory. Further, participation should be on an opt-in rather than opt-out basis. Employees should also be allowed to withdraw from the programme at any time without any negative consequences.
For those that make the switch to BYOD, how can the confidentiality of both employer and employee be preserved?
One of the biggest threats to the employer's confidentiality is a feeling among employees that they are being forced to use their own devices for the employer's purposes, as this may lead to recklessness and failure to take due care to protect the employer's information. Thus, employers should ensure that the BYOD programme is truly voluntary for employees.
Where a BYOD programme is introduced, legal/organisational and technical measures should be implemented to protect the confidentiality of the employer and employees.
Before the programme is introduced, the employer should carry out a risk assessment analysis in order to identify, in particular, those categories of employee and types of information that should be excluded from the programme due to either regulatory restrictions or the sensitivity of the information.
The employer should also prepare a policy which specifies in detail the terms and conditions for the storage and access of its data, as well as the measures to protect employees' privacy. The policy should clearly outline when and under what conditions the employer may access content stored on employees' devices and the technical measures it will implement to eliminate the need to obtain the employee's consent before doing so.
The employer should ensure that employees know the rules of the BYOD programme before enrolling. In particular, it should provide training prior to enrolment and periodic refresher training once employees have joined the programme.
The employer is also recommended to install dedicated applications on employees' devices in order to store, process or access content. This solution will also help to protect employees' privacy, as the employer will know where its data is located.
Employees' enrolment on the BYOD programme should be recorded in writing before their devices are used for business purposes. The employee's consent to use his or her personal device for business purposes should be a prerequisite for participation in the programme.
How can companies separate out what information sent or received on the device is official and business related? Who owns this information – the employer or the employee? And how can employer access to information be assured?
Technical solutions should be used to separate personal and business information sent or received on the device, and to allow the employer access to such information. The BYOD policy may require employees to install special apps on their devices and use them when they want to send or receive the employer's information. The employer should continually review and monitor its IT systems, in particular to identify non-standard behaviour (eg, large downloads or data transfers). The BYOD policy should also specify how the employer will access its information and the kind of support required from employees to allow it to perform such actions.
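The monitoring step above (reviewing the employer's systems for non-standard behaviour such as large transfers) is easier to reason about with a concrete check in front of you. The following is an added example, not code from the article or from Sołtysiński Kawecki & Szlęzak, and it assumes a hypothetical MDM or secure-gateway export whose lines carry a timestamp, user, device, container name (`work` or `personal`), action and byte count; the field layout, the 100 MB floor and the 10x factor are all assumptions, and the log lines are constructed. It aggregates only the `work` container, so the employer's review never touches personal traffic, and it flags a user's day only when it exceeds both an absolute floor and a multiple of that user's own median day.

```python
"""Added example, not from the article: flag unusually large transfers from
the managed work container on BYOD devices while ignoring personal traffic.
Log format, field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample export from a hypothetical MDM / secure-gateway log.
# Fields: timestamp user device container action bytes
SAMPLE_LOG = """\
2014-06-20T09:01:12Z jkowalski dev-01 work download 1200000
2014-06-20T09:15:40Z jkowalski dev-01 personal download 850000000
2014-06-20T10:02:03Z jkowalski dev-01 work download 900000
2014-06-21T08:30:00Z jkowalski dev-01 work upload 1500000
2014-06-22T17:45:10Z jkowalski dev-01 work download 2100000
2014-06-23T23:10:55Z jkowalski dev-01 work upload 640000000
2014-06-20T09:05:00Z anowak dev-02 work download 5000000
2014-06-21T09:05:00Z anowak dev-02 work download 4800000
2014-06-22T09:05:00Z anowak dev-02 work download 5200000
this line is malformed and must be skipped
"""

ABS_FLOOR_BYTES = 100_000_000  # assumed: never flag a day below 100 MB
FACTOR = 10                    # assumed: nor a day below 10x the user's median


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, device, container, action, size = parts
        try:
            size = int(size)
        except ValueError:
            continue
        events.append({"ts": ts, "user": user, "device": device,
                       "container": container, "action": action, "bytes": size})
    return events


def daily_work_volume(events):
    """Bytes moved per user per day, counting ONLY the work container.

    Personal-container traffic is deliberately not aggregated: the employer
    monitors its own data, not the employee's private use of the device.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["container"] != "work":
            continue
        day = ev["ts"][:10]  # ISO-8601 date prefix
        totals[ev["user"]][day] += ev["bytes"]
    return totals


def flag_anomalies(events, floor=ABS_FLOOR_BYTES, factor=FACTOR):
    """Return (user, day, bytes, user_median) for days exceeding BOTH the
    absolute floor and factor x that user's median daily work volume.

    The median is robust to the outlier itself, so one huge day does not
    raise its own baseline; requiring both tests avoids flagging users whose
    normal volume is already large.
    """
    flagged = []
    for user, days in daily_work_volume(events).items():
        baseline = median(days.values())
        for day, total in sorted(days.items()):
            if total > floor and total > factor * baseline:
                flagged.append((user, day, total, baseline))
    return flagged


if __name__ == "__main__":
    for user, day, total, baseline in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(f"REVIEW {user} {day}: {total} bytes (median day {baseline:.0f})")
```

In the constructed sample the 850 MB personal download on 20 June is never counted, while the 640 MB work-container upload late on 23 June is flagged because it exceeds both the floor and ten times that user's median day; the second user's steady 5 MB days are left alone. Which fields the gateway actually exports, and what floor and factor suit a given workforce, are choices the BYOD policy should state rather than values to copy from here.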
If it is clear that the information relates to the employer's business and has been received or sent by an employee participating in the BYOD programme within the scope of his or her employment duties, this information is deemed to be the employer's information.
What happens in the event of a security breach? Is the employee protected from liability?
With the exception of publicly available telecommunications service providers, Polish law imposes no specific obligations on employers in case of a security breach. In particular, it does not oblige employers to notify the data subjects or state entities. Publicly available telecommunications service providers that introduce a BYOD programme are obliged to notify the data protection authority of a security breach immediately, and in any case within three days of detecting it. Such employers should therefore ensure that employees notify them promptly of any security breach involving their devices and provide all information and assistance required to mitigate the resulting damage.
Regulated entities (eg, banks and brokerage houses) and their outsourcers are subject to certain internal incident reporting requirements as specified in their internal policies. Regulated entities are also expected to report material security breaches to the regulatory authority.
Under the basic principles of Polish law, the employer is liable for damages caused to third parties by its employees. Employees are exempt from such liability.
According to the Labour Code, an employee bears limited financial liability for damage caused to the employer, which is capped at three times the employee's monthly remuneration. However, if the damage is inflicted deliberately, there is no such limitation of liability. In the case of BYOD, the damage that the employer suffers due to a security breach should be evaluated from the perspective of the employee's obligations under the employment agreement, the respective internal policy and the BYOD agreement. Under Polish law, an employee who has been entrusted with property is free from liability for the loss of that property if the employer has not equipped him or her with adequate means to protect it. Similarly, when implementing a BYOD programme, the employer should accept that an employee may not be held liable if the employer contributed to the security breach. If the BYOD programme is correctly introduced, the employer may consider disciplinary action or even termination of employment should the employee breach the obligations connected with participation in the programme.
What steps can a company take to prevent an employee leaving the company from taking company confidential information via his or her personal device? And how can the employee's own personal information be safeguarded in the process?
Employees should consent in writing to the BYOD policy before their personal devices are used for business purposes. The policy should describe the procedure for deleting data when an employee leaves the company or withdraws from the BYOD programme. Furthermore, it is recommended that an agreement be concluded with the employee which provides for a confidentiality obligation and/or that respective provisions be included in the BYOD agreement. Dedicated applications installed on devices can also support the protection of the employer's data.
Under Polish law, employees' personal information stored on business devices is sufficiently safeguarded if the employee separates this information from business content and clearly marks it as 'private'. As a corollary to this, business content on the employee's device can be separated out by marking it as 'business content', which will help to protect the employee's personal information from disclosure when the employer accesses the employee's device. The procedures for accessing employees' devices in order to delete confidential company information – whether when the employee is leaving the company or at any other time – should further be laid out in the BYOD policy, and preferably also in the BYOD agreement. Any technical measures should be utilised in a way that avoids infringing the employee's privacy when deleting company information from his or her device. The employer is recommended to offer employees dedicated applications which are installed on their device in order to store, process or access the employer's content.
For further information on this topic please contact Agata Szeliga or Karolina Nowotna at Sołtysiński Kawecki & Szlęzak by telephone (+48 22 608 7000), fax (+48 22 608 7070) or email (email@example.com or firstname.lastname@example.org). The Sołtysiński Kawecki & Szlęzak website can be accessed at www.skslegal.pl.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.