
Jisc

Guide

Your staff, mobile devices, law and liability

Looking at the legal issues around staff bringing their own devices to use at college or university.

Archived
This content was archived in October 2017

About this guide

  • Published: 1 May 2013
  • Updated: 9 October 2015

Contents

  • Introduction
  • Comparing the legal risks
  • Legal liability
  • Data protection and privacy
  • Copyright and learning resources
  • Inappropriate material
  • Internet safety
  • Equality duties
  • Freedom of information

Introduction

Allowing college and university staff to access and use the full range of work ICT facilities via their own mobile devices is a more challenging area for institutions to handle than opening the systems for student use.

Students will not normally have access to confidential, sensitive or personal data (other than their own) held on the institution’s systems, although research, medical or social science students may well be undertaking research that involves personal or sensitive data, for which they should have received appropriate guidance.

On the other hand, many staff in their day-to-day roles may have access to student data, financial data, confidential reports and employee HR records.

To some extent bring your own device (BYOD) is already happening in your institution. Staff are already using their mobile devices to access their work emails, papers and documents from off campus. In some institutions, staff may also be doing this without a clear indication from their employer as to the extent of permissible use.

Increasingly, staff wish to use their own device in and outside the workplace for full access to all systems, in preference to using the institution-provided desktops. Meanwhile the institution’s requirement is that the security of systems and information is maintained and that policies on access to systems are adhered to, despite the shift in control that comes with bringing your own device.

Institutions are also seeking to offer their ICT on the most economically efficient basis and this too has brought BYOD into the discussion.

Staff will also expect that a level of support in the use of their particular device will be available from the institution as is the case when using the institution’s desktops. Mobile devices come in many differing forms, resulting in interoperability and other technical and cost issues for an institution which will also need to be addressed (but are not discussed in this paper).

Staff will also expect a different level of privacy when using their own device, which contains their own personal data (as opposed to, for example, an institutionally owned device provided to them). This brings issues of data protection, employee monitoring and security sharply to the forefront of concerns surrounding BYOD. Records management is also an area for an institution to consider, since information an employee creates on their mobile device may not always be backed up to the institution’s systems, or there may be differing versions of a document.

On the other hand, it can be argued that not opening the system to mobile use may actually increase the likelihood of unauthorised device use by staff, whereas recognising the risks and managing them will help encourage responsible use, as well as increase confidence in legal compliance. Staff may already use, for example, unauthorised memory sticks, which highlights the fact that BYOD is as much a people issue as a technology challenge.

BYOD also involves other challenges such as technical issues of harmonising systems, business continuity issues in the event of system crash/incompatibilities, employment/HR issues and responsibility for costs which are not dealt with in any detail in this paper.

Key points to consider in BYOD

  • An institution’s legal liability extends to staff using their own mobile devices for work purposes
  • Under data protection law, an institution remains responsible (as data controller) for the personal information under its control, whether it is held on an institution’s device or on the personal device of a staff member
  • Many staff are probably already accessing work information using their own devices. Whether this is being managed successfully may highlight particular issues or a culture to be addressed in your institution when developing a BYOD policy
  • In BYOD, up-to-date technical measures will be essential to protect systems. Adhering to a robust security policy is key: staff should be made aware of the do’s and don’ts, and limits of access need to be set
  • Policies and procedures should be reviewed to ensure BYOD and mobile use are included.

Comparing the legal risks

This section explores the legal risk spectrum from on-campus desktop access, institutionally-provided mobile access, through to own-device mobile access.

“Opening up the system to staff BYOD increases the risk of compromising the security of the system”

What’s the likely outcome?

Best case: Up-to-date security and compliant staff adhering to agreed policies. Occasional incidents detected and managed with temporary disruption for users.

Worst case: System compromised and a complete system crash, resulting in legal liability for data protection breaches and for publication of illegal images introduced via malware, police involvement, breach of duty of care/internet safety duties, and staff disciplinary issues resulting in complaints of inadequate training, grievance proceedings and claims of unfair dismissal.

“Opening up the system to staff BYOD increases the likelihood of their placing copyright infringing material into our VLE for student use”

What's the likely outcome?

Best case: Any infringement is viewed as ‘minor’ by the rightsholder as material was uploaded to the password protected VLE, permission is granted for use, and/or appropriate licence fee paid for use.

Worst case: Major publisher suspects unlicensed material, obtains court order to investigate, institution loses access to key resources through licence breach. Cost implication for institution found liable to pay for the unlicensed access to materials. Unlicensed access extended to external parties resulting in additional costs.

“Opening up the system to staff BYOD will result in loss of personal or confidential data”

What's the likely outcome?

Best case: Staff have legitimately accessed personal data held by the institution in accordance with its policies. The mobile device is lost but has appropriate security (password protection, encryption and the ability to delete its contents remotely). The extent of data loss is identified quickly, investigated and managed as per the BYOD procedures agreed with staff.

Worst case: Major data loss, sensitive data placed in the public arena, distressed data subjects, ICO investigation, finds no BYOD policy, inadequate security, no attempt to educate staff, no control on BYOD access. Substantial monetary penalty imposed by ICO for breach of the Data Protection Act 1998.

“Opening up the system to staff BYOD will increase likelihood of inappropriate comments and materials being found on the network”

What's the likely outcome?

Best case: Any inappropriate material is found, removed, source detected and prompt action taken in accordance with policies and procedures – unlikely to result in liability.

Worst case: Inadequate system security; indecent images of children are found in various places in the system, with police involvement and the system shut down while an investigation is carried out.

“Staff BYOD may encourage further blurring of the professional/personal lines between staff and students, resulting in increased internet safety issues”

What's the likely outcome?

Best case: Institution has up to date regularly reviewed internet safety policy and procedures in place including social media training and risk assessment of new activities, deals with any issue promptly, unlikely to result in liability.

Worst case: Tutor expects learners to exchange mobile numbers for discussion task. He makes his own mobile number available. Young learner with history of being bullied reluctantly agrees. Receives unsavoury text messages, lecturer ignores concerns despite having inadvertently received one of the messages, situation escalates, neither learner nor lecturer is aware of college practices and procedures on internet safety. Eventual police involvement and court case which highlights inadequacy of the college practices. Potential for civil action for damages for breach of duty of care.

Much of the above may happen with or without the use of a member of staff’s own mobile device. BYOD may increase the likelihood of incidents occurring and it is data protection compliance that will be the main area of risk for institutions in opening up their systems to staff BYOD.

Legal liability in depth

An institution has a duty of care towards its staff, students and visitors accessing its systems; this means that it must consider what harm is reasonably foreseeable if it did not take care, and it must take reasonable precautions to prevent such harm (or else it will be liable for negligence). This duty of care is a well-established legal principle.

An institution also has statutory duties with regard to data protection, copyright, internet safety, bullying and harassment, and equality (amongst others) and can be held liable for harm or loss caused where the legal duty has not been met. Consumer protection legislation may also increasingly become a factor e.g. where an institution is considering a mobile micropayment system for content. An institution also has a statutory duty to provide information under freedom of information legislation.

Liability, data protection and privacy

This concerns institutional liability for breach of the Data Protection Act 1998 following loss of personal information. There is also a risk that unauthorised employee monitoring may occur where an employee’s personal information on their own device is accessed by the employer.

What’s the risk?

The risk is unlawful processing of personal data resulting in harm to an individual. This can result in action by the ICO, including the imposition of monetary penalties, loss of institutional reputation and the resource implications of an investigation.

Example one

A member of staff is marking student assignments. He accesses the student database and stores on his phone the details of his students (including sensitive data on health issues) to assist in his marking. His mobile phone has no security on it (no password protection or encryption) and is left on the bus on the way home.

An investigation by the ICO reveals a lack of training and procedures in the college on the use of own devices (it transpires that there is no restriction on staff access to, and download of, student details using their own devices) and a lack of up-to-date, appropriate security. The outcome of the investigation is that the ICO decides the seriousness of the breach and the distress caused to the data subjects merit a monetary penalty imposed on the institution.

Action

  • Conduct review/audit of what is currently happening using own devices
  • Decide what data may be processed on own mobile devices, what needs to be restricted
  • Use appropriate technical security (password protection, encryption and remote delete on any device that holds personal data)
  • Update DP policy to clearly include own device use and where such use is appropriate/inappropriate
  • Provide help/training for staff in appropriate collection and use of personal data
  • Provide technical help in use of security measures
  • Review security of the institution’s systems regularly
  • Review access restrictions – only those who need to access personal data should do so.

Example two

A college receives a subject access request from an ex-employee for all data involving him. The college is aware that staff are using their mobiles for work purposes but has no BYOD policy or procedures on this.

The ex-employee’s line manager at the college is asked if he has any relevant data stored on his mobile. He says no, but the ex-employee says he has information which suggests that text messages and emails were received from that mobile number and accuses the college of withholding information he is entitled to. The college then asks if they can check the mobile for these work related texts but the employee refuses, saying that it is an invasion of his privacy for his phone to be checked. He has checked it and there is nothing there. The ex-employee then forwards the messages he received from his line manager.

The upshot of this is that the ex-employee complains to the ICO that not all information he is entitled to is being disclosed, resulting in an ICO investigation, and his line manager at the college is also subject to an internal investigation.

Action

  • An institution needs to have a clear BYOD strategy and policy agreed with employees
  • An employee has a level of privacy expectation in the workplace and this will naturally be increased in a BYOD situation. Unless there is a clear purpose and agreement it will be difficult to justify monitoring of an employee’s device
  • Clear rules need to be agreed with employees regarding use of location aware apps, internet monitoring, remote deleting, password protection and other mobile security
  • Employees need to be clear on records management: the institution should have procedures for handling, retrieving, storing and backing up work related information which may have been created on an employee’s own device.

Liability, copyright and learning resources

This concerns institutional liability for copyright infringement and secondary infringement where you can be held responsible for the actions of your staff.

What’s the risk?

Risk of an institution losing access (temporarily or permanently) to essential resources through licence breach. Cost implications for institution found liable to pay for the unauthorised and unlicensed access to copyright materials.

Example

A part-time member of staff finds a ‘free copy’ on the internet of an article in an expensive journal to which his college does not subscribe. He downloads and saves it onto his mobile and then uploads it onto the college VLE as a useful resource for his students.

He also runs an independent training company and uses the material with the commercial businesses with which he has training contracts. One of his college students also has a part-time job and shares the material around his workplace, including to the company’s office in India. The rightsholder contacts the college stating the material is not licensed and is being used for commercial purposes contrary to the terms of the licence.

The rightsholder seeks recompense and payment for the use, including the commercial use by the student’s employer, which is costly for the college given the wide circulation of the material. The college admits responsibility for the unauthorised use by the lecturer regarding the VLE and for the student use, as he had been provided with no information on copyright.

An institution is unlikely to be able to totally prevent this type of activity, and mobile devices make it more likely to happen. In a desktop situation in the institution’s resource centre, preventative measures are easier. Informality is inherent in mobile use, and the culture and nature of the mobile user often includes the view that anything can be accessed and shared - all of which increases the likelihood of copyright infringement occurring where systems are opened for own device use.

Action

  • Institutions need to show that staff have been provided with information on copyright
  • Staff policies and AUP should be in place including clear do’s and don’ts for mobile use
  • Policies should be enforced to send clear messages on institution’s expectations
  • Clear notice and take down procedures should be in place for removing potentially infringing material found in system
  • Institutions need to provide information/help which includes copyright reminders on uploading for staff.

Liability and inappropriate material

This concerns liability for harm to users, and damage to reputation, where offensive or illegal material is found on the network in breach of equality, harassment or obscenity legislation or the legislation on indecent images of children.

What’s the risk?

Opening up the institution’s system to access via mobile devices inevitably increases the likelihood of offensive or illegal material being introduced, either deliberately (because of perceived anonymity) or accidentally (via malware in a mobile app, for example). This is a technical issue that needs to be managed as far as possible. However, the likelihood of legal liability arising from it is low, provided the institution uses up-to-date measures to manage the technical risks and takes action in accordance with its policies when a breach is discovered. Mobile users often have an ‘always on’ attitude, and this in itself increases the security exposure. Staff may also have different expectations of what they can do with their own mobile device, and some of their personal, non-work activity may not sit easily with, or comply with, institutional policies.

Example

A college employee accesses the college systems using his mobile, and the college thereafter finds malware on its system, introduced via an app on the employee’s mobile. Extreme obscene images begin to pop up in various places in the system and the system grinds to a halt.

Images are found by a young learner, whose parents report it to the college and the police. The network is shut down pending a police investigation because of the nature of the material, but the college has acted promptly, has appropriate behaviour and use policies and procedures in place, and has up-to-date IT systems and security.

While it is possible, it is unlikely that the college would be prosecuted for the unlawful ‘publication’ of the material, given the actions taken; however, there may be a resultant staff investigation and a potential disciplinary issue, depending on the circumstances.

Action

  • Ensure systems are kept protected with up-to-date security
  • Consider use of mobile device management software or other technologies for access restrictions
  • Educate users on behaviours and acceptable use
  • Have a notice and take down procedure and an incident handling procedure

Liability and internet safety

This concerns breach of duty of care with regard to students, and breach of statutory safeguarding duties.

What’s the risk?

Risk of harm to a student from bullying, resulting in bad publicity and loss of reputation for the college.

Mobile devices have features such as cameras and location-aware apps, both of which a tutor may wish to use in a class activity but which lead to data being shared between students. The student culture of always on, easy access and sharing makes it increasingly likely that a seemingly innocent and educational use leads to an internet safety issue, e.g. bullying or harassment, where contact details are shared that otherwise would not be.

Example

A lecturer asks a group of young learners to exchange mobile numbers for group work discussions. His mobile number is also provided so that students can text any questions they might have. One learner does this reluctantly and then starts getting disturbing text messages indicating that someone knows where he is and is following him. He is distressed and his college attendance plummets.

The affected student was previously subject to bullying, which was known to the college, and had previously changed his mobile number several times because of this. The student had also sent several text messages to the tutor, who had ignored them.

The college is accused by the learner’s parent of failing in its duty of care to prevent foreseeable harm and in its safeguarding duties. Much publicity is given to the case, which results in increased Ofsted scrutiny.

Action

  • Have a risk assessment procedure for new activities which includes appropriate use of technology. Consider whether other activity options are more appropriate, e.g. a mediated discussion is sometimes a better option
  • Ensure the institution’s data protection and e-safety policies and practices are up to date and include mobile activity
  • Ensure staff are up to date on e-safety risks in the institution, including those arising from using their own devices
  • Ensure staff are aware of their information sharing/management responsibilities regarding work information received or held on their own device

Liability and equality duties

What’s the risk?

This concerns liability under the Equality Act 2010 for disability discrimination to the detriment of an employee, in particular the duty to make reasonable adjustments for the employee and to protect them against discrimination, harassment and victimisation on the grounds of their disability.

Example

An institution has decided not to open its systems up to staff BYOD. It fears that the security risk, combined with its lack of technical resource, will mean that the risks to the system and its contents outweigh the benefits, and it does provide staff with up-to-date ICT equipment, with assistive technology where necessary.

Despite this, a tutor with a disability finds it difficult to access resources using the institution’s hardware, but has his own iPad which is configured to all his preferences and needs and which he finds much easier and less stressful to use. He would like to access all resources, including student records, using this, and there is no doubt that for this tutor mobile access to systems would be of benefit.

The institution and the tutor consult and agree how this could be done technically. The tutor agrees to changes to his security settings, and the institution provides clarity on the need to comply with data protection law, for example by not storing on his device personal data for which the institution is data controller, or other confidential information and papers.

Action

  • Ensure staff are aware of the institution’s duties regarding accessibility and discrimination
  • Encourage a culture of disclosure, where staff feel comfortable in asking for help
  • Consider what alternatives could be provided for an employee in order to comply with the duty not to discriminate and with the need to make reasonable adjustments, for example, materials placed in an area of the college system where access could be provided

Liability and freedom of information (FOI)

What’s the risk?

This concerns liability for compliance with the FOI obligation to provide information held by the institution even if held on an employee owned mobile device. Failure to locate and disclose due to difficulties in managing and locating information held on mobile devices may result in tying up resources in an ICO investigation, breach of the Act and ultimately compulsion to release the information.

Example

An institution has introduced a BYOD option for its staff. An FOI request is made by an organisation for information it knows was recorded by a staff member at an external meeting. The institution says it does not hold the information, but the requester is aware of the recorded notes.

The member of staff goes off on extended sick leave without having got round to moving the information from his personal device, and the institution finds itself under investigation by the ICO for non-compliance with the Freedom of Information Act 2000. The ICO also finds that the institution has not provided a BYOD policy for staff, nor has it provided any awareness training.

The ICO issues a practice recommendation and the institution signs an undertaking to make appropriate changes to its practices within 3 months and to have appropriate policies and training in place, with a follow-up inspection by the ICO, all of which has resource implications for the institution.

Action

  • Consider how access to institutional information is to be managed in a BYOD environment
  • Ensure staff are aware of the institution’s duties regarding FOI, which may extend to information held on personal devices
  • Ensure records management policies are in place to reduce the risk of institutional information becoming ‘lost’ on an employee’s device
  • Consider what happens to information should a member of staff leave the institution or be away from the institution for extended periods
