Employees using personal devices for business purposes can complicate privacy boundaries
By Jeffrey R. Smith
workplaces, like the rest of contemporary life, are very electronic. Technological developments have made it easy and practical to perform both professional and personal tasks using computers, tablets and smartphones. For many jobs, these technological elements have become essential. Where they are essential, many employers provide employees with mobile devices for the employees to use, though they remain the property of the employer.
The rise of mobile technology and the practice of supplying employees with it to do their jobs has also given prominence to the issue of employee privacy. How much should employees be allowed to use their employer-issue mobile devices for non-work-related things, if at all? If they are allowed, is it reasonable for the employees to expect the employer will go snooping to see what the device has been used for?
Two years ago, the Supreme Court determined in the landmark Cole decision involving a teacher’s laptop upon which inappropriate photos of a student were found that even if an electronic device is supplied by and owned by the employer, there is some expectation privacy if the employee is allowed to use the device for personal purposes. However, that expectation is limited with regards to things like normal regular maintenance by the employer. In Cole, the photos were discovered by a technician performed a regular maintenance examination by a technician. It was the employer’s — and later the police’s — further examination of the laptop that raised the privacy issue and the question of whether what was found on the latter investigations was admissible.
But what about if an employee uses her own mobile device to perform work-related stuff? In an age where it’s easy to connect remotely to email and networks, sensitive content can be downloaded or at least pass through an employee’s personal device. What kind of jurisdiction or control can the employer have over this? Probably the best way would be to have specific policies in place to which employees must agree before gaining access to sensitive information, but can the employer really be sure the employee is following protocols?
Obviously, when the device is the employee’s personal property, privacy expectation is significant and the employer doesn’t really have any jurisdiction to check it. But when it contains data that is the employer’s property, should the expectation change?
There have been precedents that when employees do things online on their own time on their own devices but are harmful to the employer – such as posting sensitive information or harmful statements on social media -- the employer does have a right to act to protect itself. Can this concept translate to an employee mishandling sensitive employer data on a personal mobile device? If an employer suspects such misconduct, should it be able to investigate?