Given the prevalence of portable digital devices, it is no surprise that many employees are using their own personal devices to perform state work. This practice is often referred to as Bring Your Own Device or BYOD. BYOD raises many issues and concerns for records management practices and is not the easy, cost effective solution that some agencies may consider it to be.
A BYOD policy makes it difficult-to-impossible to ensure that proper information practices are being followed by the operator of the device. If an agency finds itself in a lawsuit, an auditor will want to know what steps the agency took to ensure that the data in question was adequately protected on an employee’s personal device.
There is always concern about security when it comes to personal devices.
Lost or stolen devices – One potential security issue that arises with the use of BYOD is the potential for employees to lose their personal devices containing unsecured data. Depending on the scope of work of the employee or the agency involved, sensitive information may land in the wrong hands.
Malware – There is always the potential for an application downloaded to a portable device to contain malicious software that may compromise the device in use and any information contained on it.
Disgruntled employees – Unfortunately, not all employees leave an agency on good terms and, if disgruntled employees have sensitive information on their personal devices, they may choose to publish or disseminate information not meant for the public.
One concern an employee should have with a BYOD plan is the potential for a breach in their privacy. If information on a personal device is needed for legal reasons, a search of the device will not only yield the state records but also any personal records such as email that may be on the device. All the information on the device would have to be preserved for discovery purposes and a “wipe” or complete erasure of data would not be possible because of the legal obligations involved with state records.
An agency with a BYOD policy is potentially opening a Pandora’s Box of legal and privacy issues. If a portable device or laptop computer is needed for an employee to complete essential job duties, best practice would be to issue a state owned device that has the proper IT support to accommodate security and discovery issues.