Data on Your Personal Phone May Be Available to Your Employer
Q: What are personal electronic devices and why do they matter?
A: The use of personal electronic devices (PEDs) in the workplace is commonplace, but it's not without risk for both the employer and the employee. If not managed properly, employers risk the dissemination of their confidential information and employees, perhaps rightly, have privacy concerns.
Q: What can an employer do to protect its business information?
A: Employers need a written PED, or bring your own device policy, signed by employees. Your policy should address several matters: the employer's information always belongs to the employer; upon termination, it must be deleted immediately in the presence of the employer's representative; all communications that go through the employer's server are fair game for the employer and the employee has no expectation of privacy in those communications; only approved websites can be accessed via the employer's server and accessing an unapproved website may result in severing of the server access and/or deletion of data, even the employee's personal data, from the phone electronically; and the company always should have access to/be informed of the employee's password for connectivity between the company server and the PED.
Q: So personal data, including contact lists, phone numbers and pictures, can be deleted from the employee's own phone?
A: Yes, though this area is evolving almost daily nationwide. There are lots of different federal laws and statutes in every state, including common law, which could be implicated. Please consult an attorney before charging ahead. Large companies are moving toward policies that give advance notice to an employee that upon termination if he/she fails to cooperate in the deletion of company information, the company can and will wipe all data from the phone (or other PED) and return it to factory settings. Most of the recent case law out there comes down in favor of the employer and rejects claims by employees under various federal laws, like the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act.
Q: Don't employees have a right to privacy in their own communications, on their own phones?
A: So far, there's no case out there that has found an employer can't, under any circumstances, search a PED for data. Courts looking at whether a private employer has overstepped by searching PED communications do emphasize privacy concerns and they recognize each case is fact specific. But, typically, if that data is coming through a company server, the company can take a look. We recommend the employer narrow any such search to work related/topic specific communications.
Q: Are the rules the same for government employers?
Not really. Governments have to worry about the Fourth Amendment, unreasonable searches and seizures, and more often than private employers, union contracts. So far, most court and administrative rulings favor the government employer who searches a PED, but those cases get close factual scrutiny. Also, in the case of public employees (elected officials included), the Freedom of Information Act and, here in Oklahoma, the Open Records Act, are applicable. Work-related communications, even on a PED, are public records. If a government employer needs to search for and retrieve communications that are work related from a PED, that search is going to be permissible.
Q: What about quality of life and working after hours?
A: If your employees aren't overtime exempt, after-hours texting and emailing should be included in the employees' time records, and they should be paid for it, even if it results in overtime pay at a higher rate. Employers concerned about the increased wage expenditures should consider limiting PEDs use to only overtime-exempt employees. If this isn't possible, a policy should be written and adhered to that results in very limited after-hours communications, and includes clear guidelines on how to account for the time and resulting compensation when those communications do occur.
Q: Do we have to reimburse employees if they use PEDs for work?
A: In some states, the answer is yes. Here in Oklahoma, we don't have a bright line rule requiring reimbursement for an employee who uses a PED to conduct work-related tasks. However, many Oklahoma employers are moving toward reimbursement, or partial reimbursement at minimum.
Q: What about litigation holds on electronic data that may be discoverable?
A: If you've ever had to produce electronic data during the course of a lawsuit, you know that can be very burdensome. You also know that if you're on notice of a potential claim against your company, you will need to be sure the company has policies and practices in place that work to preserve potentially discoverable documents, communications and data. Certainly, if your company's employees are communicating and working on PEDs, there needs to be a process in place designed to reasonably capture and preserve that information, communication and data that may be stored or saved to PEDs, as opposed to a company network server.
PAULA BURKES, BUSINESS WRITER
Published The Oklahoman, July 19, 2016