Is accessing data on employees personal devices out of bounds for employers

Employers sometimes reasonably believe that an employee is sharing confidential information outside of the organisation, or is using their personal device for work purposes. The question arises whether employers can access data from WhatsApp or similar messaging services on an employee's personal device?

This article considers the data protection, employment and financial regulation issues around accessing or monitoring employees' devices in the UK, Europe and Asia Pacific.

Data protection

Monitoring an employee's personal device must be conducted in accordance with data protection legislation in Europe and the UK. Among other things the processing must be fair and there must be a lawful basis for the processing.

Such requirements present challenges when monitoring an employee's personal device. For example, with lawful basis, the two feasible options are consent and legitimate interests. Consent is unlikely to be valid as it must be freely given, and within an employer-employee relationship, there is a power imbalance. Furthermore, consent must be given in full knowledge of all the relevant facts, which may be difficult in an investigation. Finally, the employee must be able to withdraw consent at any time.

The alternative basis is legitimate interest. In some EU member states, legitimate interest can be relied upon if there is reasonable suspicion of criminal activity, for example. Appropriate safeguards must be implemented, such as a strict limitation on the data searched to protect the employee's rights.

Since this is high risk processing, employers in Europe and the UK must prepare a data protection impact assessment (DPIA) before undertaking any monitoring activity. This sets out the actions the employer will take, identifies any related risks and considers whether the employer's risk reduction measures are enough to meet those risks. Where they are not, the search or monitoring should not proceed.

In the UK, the Information Commissioner's Office recently published draft guidance (PDF) on monitoring at work. It does not cover monitoring of personal devices specifically, but warns against reviewing personal messages on work devices. It states that even a ban on using work systems for personal use would not entirely justify accessing the content of personal messages. Employers should investigate workers breaching any ban by looking at network data rather than message content.

In Asia Pacific, even if the employer has a legitimate basis (see below) requiring the employee to hand over their personal device, they will need to comply with their data privacy policies and applicable laws. This can be complex in cross border investigations where different levels of sophistication in data privacy regimes exist.

Employment considerations

In common law countries the employer must have the power to inspect personal devices. It is unlikely that an employer will have an express contractual right in their employment contracts, particularly if they provide work devices.

Instead, the employer must consider whether the requirement is a lawful and reasonable direction. Generally, there must be some real basis for the direction, such as an admission by the employee that they had used their personal device for work purposes. Random checking of personal devices or a mere suspicion of their use for work purposes is unlikely to be a lawful and reasonable direction.

A recent UK High Court decision (FKJ v RVT) also contains some judicial comments on an employer's use of an employee's personal WhatsApp messages in defending claims in the employment tribunal. Subsequently, the employee brought a misuse of private information claim based on the use and retention of the WhatsApp messages.

In refusing the employer's application to strike out the claim the judge stated, among other things, that the employee had a reasonable expectation of privacy in relation to the messages and messages not relevant to the proceedings should not have been kept. Although this is an interim decision, strict parameters apply on accessing employee's personal messages.

Financial regulation issues

Regulated entities' obligations regarding document retention and maintaining records vary across jurisdictions. For example, in Hong Kong the Securities and Futures Commission requires order taking for securities transactions to be done in a recorded manner, but there is little guidance beyond that, except for more general obligations to be able to monitor employee conduct.

Other jurisdictions in which the same financial entity operates or is headquartered, such as the United States, have more onerous obligations to retain all business-related records including communications between employees and their clients or contacts.

Generally financial institutions adopt the most stringent standard in their key jurisdictions and apply this across their business globally. Despite the lack of regulation on this issue in many Asian jurisdictions, the standard expected from employees is set by internal policies, generally prohibiting employees from using personal devices or unauthorised platforms to communicate about work or regulated activities.

In 2022, the U.S. Securities and Exchange Commission charged several regulated entities for failures to maintain and preserve electronic communications, in particular, staff intentionally deleting messages on unmonitored platforms. These U.S. enforcement actions have impacted Asia with clients, for example, putting an increased focus on the use of non-approved platforms in any investigations. Furthermore, this regulation is relevant for employers accessing personal devices.

In Asia there may be a stronger argument that a direction is lawful and reasonable where employers have a bring-your-own-devices (BYOD) policy requiring this as a precondition for their use. However, there will also be pressure to allow access to personal devices as a refusal might be viewed as failing to participate in an investigation raising fitness and propriety questions.

Employees often do not want to provide carte blanche access to their personal device containing personal information unrelated to the employer's business or any issue under investigation. Often an agreed protocol ensures the employer does not have access to information entirely unrelated to their business. This also raises potential complications as chats with other employees or clients can include both business and personal information.

All of this reinforces the need for employers to have clear contractual terms or policies on the use of personal devices for business purposes even if a device is provided for work purposes and to clearly communicate these policies.

In Europe under the General Data Protection Regulation (GDPR) accountability principle, personal devices searches should be conducted in accordance with a pre-defined procedure. Often this is contained in a works agreement, an investigation procedure or a BYOD policy. The data protection officer, a member of the works council or the employee's legal counsel will usually be present when data is extracted from the device.

Any search of a personal device without consent or in an excessive way may result in evidence being excluded in any labour or civil court proceedings.

Practical points for employers

Employers should:

• In the UK and Europe, undertake a DPIA and ensure that monitoring is justifiable before undertaking such activity;
• Consider incorporating an employment contract clause that personal phone monitoring may be undertaken to ensure regulatory compliance — even if devices are provided for work purposes;
• Think about how to deal with employees' concerns about holding sensitive data that is not relevant to the employer's enquiry; and
• Ensure that they have drawn a "line in the sand" on the inappropriate use of personal devices for work related activities, but do not turn a blind eye to such usage.

Authors: Ruth Buchanan, Partner; Andreas Mauroschat, Partner; Rhiannon Webster, Partner; James Comber, Partner; Karen Mitra, Counsel 

First published on Thomson Reuters Regulatory Intelligence.