Bring Your Own Device to Work: Balancing Workplace Confidentiality and Employees’ Privacy

Bring Your Own Device to Work: Balancing Workplace Confidentiality and Employees’ Privacy

1. Introduction

In the wake of the COVID-19 pandemic (the pandemic) and the attendant global economic slowdown, most businesses are now considering pragmatic measures to reduce overhead costs. Part of the measures being embraced include the BYOD scheme which also helps the employer save the funds earmarked for procuring hardware for employees. In addition, employees – owing to the current restriction of movement in major cities in Nigeria, for instance – now work from home. Businesses that utilise desktop computers and other immovable work devices prior to the lockdown are likely to find it difficult to operate remotely from home. Those businesses may have no choice but to resort to the BYOD scheme by allowing their employees to use their private laptops and phones to remotely execute work-related assignments, pending the time normal work schedule can resume. Also, employers that provide movable work devices like laptops and phones for their employees may be unable to remotely track employees’ usage of their personal devices for work. Accordingly, the emergence of the pandemic has contributed to the perceived inevitability of the BYOD scheme in the world of work, and forward-thinking cum survival-seeking businesses are beginning to embrace the scheme.

However, the dark side of the BYOD scheme is that if not properly implemented and regulated, it could result in many issues including data breaches which may threaten the employer’s IT security and possibly result in the infringement of the employee’s privacy. This article considers the legality of such BYOD guidelines in Nigeria and their efficiency in curbing the inadequacies associated with the use of personal devices for work. The first section of the article explains the concept of BYOD, the second section explains workplace security issues that may result from the use of personal devices for work. The second section discusses how the implementation of the BYOD scheme may violate an employee’s privacy. The third section considers the position of the Nigerian courts on the waiver of constitutional rights with a view to determining whether an employee’s right to privacy can be waived when implementing the BYOD scheme.

2. The Concept of BYOD

Bring Your Own Device to Work (BYOD) is a growing concept in the world of work. With rapid improvements in technological trends, businesses experience difficulty expanding their recurrent expenditure in keeping up with yearly technological innovations. This struggle has culminated in the consumerisation of information technology (IT) as most employees prefer to execute work-related assignments on their personal devices, which are usually in tune with the most recent technology. Interestingly, millennials constitute the largest percentage of the global workforce. Millennials consider personal devices extensions of their lives and being able to achieve work-life integration through the use of personal devices increases job satisfaction and productivity. Thus, it is becoming almost impossible for employers to prevent their employees from using their personal devices for work, even in circumstances where employers provide work devices. Consequently, BYOD guidelines are usually implemented in the workplace in protecting the employer’s confidential information and the employee’s privacy.

3. BYOD, Workplace Confidentiality/ Security and Data Protection

Notwithstanding the fact that most employers do not constantly keep up with the use of the latest technological devices for work, they also do not implement state-of-the-art IT security measures in ensuring that work-issued devices are properly encrypted to prevent data leakages in the event those devices are lost or stolen. Conversely, personal devices which are most times state-of the-art usually lack adequate data encryption and as such, are more susceptible to data breaches. Where such unencrypted personal devices are allowed to access the employer’s corporate network, this could result in the possibility of a data breach which could cost the employer financially.  Consider a situation where an employee’s unencrypted personal device contains corporate information and such device is stolen, this would definitely give the culprit unhindered access to the employer’s confidential information and may constitute a breach of data protection regulations.

In 2012, an employee of Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc (Massachusetts Hospital or the Hospital), without the prior approval of the Hospital, loaded his unencrypted personal laptop with sensitive health information of some patients of the Hospital. The laptop was subsequently stolen and the culprit gained access to the confidential health information of the patients of the Hospital. As a result, the Hospital paid the U.S. Department of Health and Human Services $1.5 million to prevent charges under the Health Insurance Portability and Accountability Act.

The above incident would have certainly constituted a breach of the Nigerian Data Protection Regulation, 2019 (the Regulation). One of the objectives of the Regulation is to safeguard the privacy of natural persons to data privacy. Health information of a data subject qualifies as “sensitive personal data” under the Regulation. The health information of data subjects under the Regulation are only meant for lawful processing and cannot be given out to third parties without the consent of the data subjects. The Regulation mandates data controllers like Massachusetts Hospital to secure the patients’ data against all “foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind”. Since Massachusetts Hospital is vicariously liable for the acts of its employees, it would be in breach of the Regulation owing to the thief’s unlawful access to the health information of its patients.

In addition to the data breaches that may occur through lost or stolen personal devices containing employer’s confidential information, employees generally use their personal devices for social purposes like accessing unsecure websites, uploading pictures and other contents. They may in the process unintentionally get their devices infected with viruses or malware. Where such devices are connected to the employer’s network, the viruses or malware may be introduced into the employer’s network thereby creating a backdoor for data leakage. Hence, data leakage is a major issue associated with the BYOD scheme as far as the employer is concerned.

Please read complete article here.