Employers need to get a grip on BYOD!
Many employers appear to have a laissez faire attitude to allowing staff to use their personal laptops, tablet computers or smartphones for work business, which may be placing other people’s personal information at risk.
The survey, carried out by YouGov for the Information Commissioner’s Office (ICO), reveals that 47% of all UK adults now use their personal phones and/or computers for work purposes.
However, less than 30% of those who do so are provided with guidance on how their devices should be used in this capacity, raising worrying concerns for the ICO that people may not understand how to look after the personal information accessed and stored on these devices.
The Office has therefore published guidance explaining some of the risks organisations must consider when allowing personal devices to be used to process work-related personal information.
The guidance explains how this approach, commonly known as “bring your own device” (BYOD), can be adopted safely and in a manner that complies with the Data Protection Act.
ICO Group Manager (Technology), Simon Rice, said: “Our guidance aims to help organisations develop their own policies by highlighting the issues they must consider. For example, does the organisation know where personal data is being stored at any one time? Does it have measures in place to keep the information accurate and up-to-date? Is there a failsafe system so that the device can be wiped remotely if lost or stolen?”
The cost of introducing these controls can range from being relatively modest to quite significant, he warned, depending on the type of processing being considered, and might even be greater than the initial savings expected.
BYOD is always likely to involve the processing of personal information, Mr Rice concluded, and employers would therefore be well advised to read the new guidance.
BYOD and the DSE Regulations
The Health and Safety (Display Screen Equipment) Regulations 1992 state that “display screen equipment means any alphanumeric or graphic display screen, regardless of the display process involved”. They define users as those “who habitually use DSE for the purposes of an employer’s undertaking as a significant part of their normal work”.
Given the design of the devices and duration of use by employees, it is likely that tablets and smartphones are covered by this legislation, and therefore employers are responsible for assessing and controlling the risks from using this equipment for work. It may not matter whether the devices are supplied by the employer or owned by the employee, which the employer allows (and encourages by supplying work-related applications) the employee to use for work purposes.
Employers also need to consider very carefully whether any assessment has to be recorded. HSE Guidance document L26 Work with Display Screen Equipment: Health and Safety (Display Screen Equipment) Regulations 1992 advises that: “Portable users’ risk assessments for, say, half an hour’s work in a borrowed office can be quite informal and need not be written down. Where, however, a portable is in lengthy or repeated use in the same location, it would be appropriate for the user’s risk assessment to be recorded.”
Employers need to look at how and when these devices are being used, which will not be easy given the mobile nature of the workforce. The fact that the equipment is not used for “lengthy or repeated use in the same location” may negate the need to record the assessment.
What are the risks?
The possible risk factors associated with tablets, smartphones and working on the move are mainly those leading to musculoskeletal problems, visual fatigue and stress. The likelihood of experiencing these is related mainly to the frequency, duration, intensity and pace of spells of continuous use of the equipment, in conjunction with factors such as how much discretion the person has over the extent of their use.
Managing the risks
So what are the options for employers? Assessing the devices could be very difficult, and the lack of available guidance does not make this easy. One solution could be to limit what employees can do with their tablet if it is provided by work; this is unlikely to be possible for BYOD tablets.
Whatever we think, tablet and mobile working is on the increase and is here to stay. Employees like using mobile technology, they are potentially more productive when using it and it frees them from being tied to a specific desk. As working practices continue to evolve, providing a dedicated workstation for each employee is starting to look somewhat inflexible and expensive.