What should a company’s corporate policy for the use of personal mobile devices in the workplace include?
It was this question that elicited a number of responses from privacy pros recently on the IAPP’s Privacy List.
One member commented that he had been involved in company deployment of mobile e-mail in two different instances. In one case, the company chose not to allow mobile devices in the workplace.
“If a user had a clear and present need for a mobile device, the organization provided one of two possible mobile devices to them. We developed a dedicated mobile device policy that users were required to read and acknowledge. The policy clearly defined that the mobile device was provided for corporate use only and that the user should have no expectation of privacy on the device,” the pro noted.
In the second instance, personal devices were allowed, but an application was placed on the personal mobile device “that would contain all corporate-related material. This also gave us the ability to enforce a security posture on the app regardless of what security policy, if any, was set up on the mobile device,” the pro wrote.
Privacy pros also often use the list to gain recommendations for goods and services. One recently asked for a recommendation for a forensics investigator in the New England region and was met with four suggestions by her peers.
Later, on the topic of European consent requirements, one pro asked a question that required some thought: If Company A, a data analysis service with servers only in the U.S., is used by Company B, and Company B requires an individual (company C) to use the services of Company A, has consent still been freely given by the individual under European Directive consent requirements?
One pro responded that Company B should be safe.
“In my view, and based on limited information to hand, and without knowing the specific data in question (which is important), the arrangement probably would not fall foul...on lack of consent grounds,” he wrote. “I suspect that the answer would be similar for other European DPAs. A full and reliable analysis would require more information.”
Another pro speculated that if there was a power imbalance in the relationship between Company B and the individual, then “an aggressive DPA” might decide that consent isn’t valid, but the decision “would be a novel one to my knowledge.”
“Company B has a duty, in my opinion, to let individuals know of the use and transfer of their data. They have the relationship with C, and should disclose, within reason, the uses…and location where C’s personal data is going,” another pro noted, adding that he believes Company A has an ethical duty—if not a legal one—to know the source of the data it is processing and feel comfortable it has been obtained legally.
Others questioned whether Company A would even be regulated by the European Directive.
The pro who made the original inquiry responded that Company A has “an increasing sales presence in Europe” and that though, legally, European data protection law does not apply, the company doesn’t feel noncompliance is a good selling point when marketing to EU enterprises and individuals.
The Privacy List is a free service for IAPP members only.