Home Phones at Work?
There needs to be a clear line between device use for personal and work purposes. This includes phone calls, emails and application use. There have been recent examples of poor practice at the highest levels of the UK government. In October 2022 it was revealed that Liz Truss, while foreign secretary, had her mobile phone compromised, allowing hackers to eavesdrop on high-level government discussions. Around the same time the home secretary, Suella Braverman, admitted to forwarding government documents to her personal email account.
It might have been expected that large, security-conscious organisations, including members of the UK cabinet, would be using some form of Mobile Device Management (MDM) solution. These can restrict the applications that can be installed and used, as well as facilitating remote updates and even device wiping. These solutions do restrict what the individual can do at work and can tempt employees to carry another, personal, device to work. This breaks the security fence set up by MDM and impacts on the work-life balance of the individual. Some MDM solutions turn the device into a kiosk device. These are locked down to provide only corporate applications, such as a bathroom design service for a retail chain. Any communications outside the business of work might be impossible on such a system.
If a personal device is used for work-related communications, it facilitates receiving work calls and emails outside of the working day. A regulated device, provided by an employer, could be left at work or turned off when not required.
With the growth in the use of mobile phones, many expect instant communications even for matters of a trivial nature. Older readers will recall living without constant connectivity, even for emergency use. The BBC was still transmitting emergency contact messages on the radio up until the 1990s. It would be hard to deny the use of a personal phone for real emergencies, but this will be an uncommon occurrence.
There is a grey area covering the sort of communications that are not essential but lighten the working day and might take place during sanctioned break times. These would be harmless only if no work-related activity or data transfer takes place on any personal device. A personal device could be hacked and, unlike a device within an MDM system, cannot be remotely disabled or wiped.
The means of communication also needs to be considered. Voice conversations can be overheard and recorded if either the sending or receiving device is hacked. Emails containing personal information from within an organisation would be a breach of GDPR if sent to an external, non-corporate email server. Facebook and WhatsApp chat applications are a real risk as they store data external to the organisation and facilitate communications with ‘friends’ who might only be known by screen names. These individuals might not be who they appear to be and could compromise security. Certainly caution should be applied before using either for customer-focussed contacts. Facebook and WhatsApp position themselves as a data processor rather than a data controller under the GDPR. This leaves the security of personal data passed through their systems as the user’s responsibility.
The overall rule should be to use Mobile Device Management and issue corporate devices where feasible. Often this is not practical, so corporate rules need to set out how and when personal devices can be used at work. A system of warnings and potential disciplinary actions needs to be in place to ensure that rules are followed but that employees’ freedom is not unnecessarily restricted.