Many employers ask or allow employees to use their own technology to conduct business. This practice is known as "bring your own device" or BYOD.
BYOD raises issues on privacy, record retention and employer liability.
I am drafting a form BYOD policy to cover both devices and services. What do you think of the following clauses as part of a BYOD policy?
[BEGIN DRAFT]
Devices
Employees are informed, and employees agree, as follows: When an employee uses his or her own device, such as a computer, a digital tablet or a smartphone, to conduct business within the scope of employment (the “Device”), then:
(a) the Device is creating records that belong to the Company; and
(b) the Company has the right to take possession of the Device to retrieve or preserve records.
Services
Employees are informed, and employees agree, as follows: When an employee uses his or her own service account (e.g. on Twitter, Facebook, Dropbox, Hotmail and so on) to do work within the scope of employment (the “Service”), then
(a) work records in the Service belong to the Company, and
(b) the Company has the right to take control of the Service.
Related:
Bring Your Own Online Service
BYOD part 3: Should employees be given privacy assurances?
Update December 2013: BYOD records | Dividing business from personal
[Again: Nothing I publish in public is legal advice for any particular situation. Use what I publish at your own risk. If you need legal advice, you should consult your lawyer.]
BYOD raises issues on privacy, record retention and employer liability.
I am drafting a form BYOD policy to cover both devices and services. What do you think of the following clauses as part of a BYOD policy?
[BEGIN DRAFT]
Devices
Employees are informed, and employees agree, as follows: When an employee uses his or her own device, such as a computer, a digital tablet or a smartphone, to conduct business within the scope of employment (the “Device”), then:
(a) the Device is creating records that belong to the Company; and
(b) the Company has the right to take possession of the Device to retrieve or preserve records.
Services
Employees are informed, and employees agree, as follows: When an employee uses his or her own service account (e.g. on Twitter, Facebook, Dropbox, Hotmail and so on) to do work within the scope of employment (the “Service”), then
(a) work records in the Service belong to the Company, and
(b) the Company has the right to take control of the Service.
[END DRAFT]
I have posted more draft clauses for a BYOD policy, which has led to an extended discussion on my Google+ page.
Comments invited.
I have posted more draft clauses for a BYOD policy, which has led to an extended discussion on my Google+ page.
Comments invited.
Related:
Bring Your Own Online Service
BYOD part 3: Should employees be given privacy assurances?
Update December 2013: BYOD records | Dividing business from personal
[Again: Nothing I publish in public is legal advice for any particular situation. Use what I publish at your own risk. If you need legal advice, you should consult your lawyer.]
I think your draft of a BYOD policy brings up lots of good points and issues that need to be discussed in any organization.
ReplyDeleteBeing in the medical industry, we are dealing with the bring your own device ( byod ) issue from an HIPAA stand point, and how it applied to hospitals who are dealing with doctors and nurses who are texting patient information and files.
Doctors are going to be resistent to things like the hospital being able to access thier phones and look through all the data.
The bigger issue for us and any business is that your workers BYOD devices not only get hacked, but they are frequently lost or stolen, and much of the emails and texts are on the phone!
Smartphones and iPads are a real problem, since doctors like viewing patient data, files and images on them, and iMessage is not HIPAA compliant, just like email.
It is this sending of patient data to personal devices that can be lost, which opens up a lot of legal issues for hospitals and doctors.
While the large enterprise solutions having a deeply integrates system where the IT department takes control of the device or provides workers with devices, in a hospital and business setting I am hearing that this can be an issue or barrier to these kinds of systems.
Looking around, we did find a way to at least protect text messaging and protect the hospital from lawsuits concerning HIPAA issues related with BYOD by using Tigertext; which while not as integrated as the large enterprise solutions, offers some really good benefits, especially cost and device flexibility.
IT managers, but also employees are really going to have to be aware of all the different solutions available for BYOD and security - especially smartphones and iPADs.
Organization are really going to have to develop good BYOD agreements and policies, since BYOD is only going to get bigger.
Resources:
http://byod.us/bring-your-own-device-importance-of-defining-business-objectives/
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
http://www.tigertext.com