Workers Using Own Devices for Work Expect Employers to Respect Their Privacy

As more employees use their mobile devices for both work and personal purposes—86 percent own the smartphone they use on the job—there is confusion over what an employer can and cannot see, according to a global MobileIron survey released July 15, 2015.

While a large majority of workers trust their employer to keep personal information on their devices private—the trust level has dropped only 5 percentage points from 2013 to 2015—they’re still uncomfortable with the employer having access to:

• Personal e-mails and attachments.

• Personal contacts.

• Voice mail, texts and instant messages.

• Details of phone calls and Internet usage.

• Lists of all the apps on their devices.

• Information in all the mobile apps on their device.

• The employee’s location.

  Nearly one-third of the 3,521 full- and part-time workers surveyed who use a mobile device for work would quit if their employer could see their personal information.

  Keeping Data Private

  Workers, though, tend to overestimate how much of their personal information is available to their employer, pointed out Sean Ginevan Sr., director of strategy for MobileIron, a California-based mobile device management vendor that commissioned the 2013 and 2015 surveys.

  Employer access varies depending on the mobile operating system and the company’s policy, according to Ginevan. On iOS devices (Apple products), an employer can typically see the carrier, country, device make and model, OS version, phone number, location, list of installed apps, and corporate e-mail.

  Employers cannot see personal e-mails and attachments, text messages, photos, videos, voice mail, and web activity unless that data has been routed through the corporate network. Information in apps also is not visible, unless the app has been built to transmit information to a corporate server.

  Additionally, privacy controls vary depending on the device used. Windows 10 has a corporate VPN app that allows only corporate apps, so the user’s personal apps on the mobile device will not go through the corporate network, according to MobileIron.

  Different Comfort Levels

  Men ages 18-34 and parents with children at home under the age of 18—a demographic dubbed “Generation Mobile” by MobileIron—are more comfortable than others with employers seeing their personal information, the survey found.

  Sixty-two percent of Generation M said they’re comfortable with their employer seeing at least some personal information on their mobile devices, compared to 51 percent of workers. Ginevan theorized this is because Generation Mobile shares so much on social media.

SHRM Online reported in April 2015 that at least once a day during work hours, 60 percent of this generation check or send personal e-mail, 57 percent send personal texts, 53 percent make personal phone calls, and 50 percent check or use social media.

Comfort level also varied among countries and gender, according to the survey that included workers in France, Germany, Japan, Spain, the United Kingdom and the U.S.

French workers were the most likely (71 percent) to be comfortable with their employer seeing personal information on their mobile device. Male workers in the U.S. were significantly more comfortable than female workers in the U.S. with their employer seeing personal information on their mobile device (64 percent vs. 55 percent).

Nearly three-fourths (74 percent) of workers in Germany were the most likely to trust that their employer would keep their personal information on their mobile device private; workers in Japan were the least trusting (53 percent). Female workers in the United Kingdom were more trusting than their male counterparts that employers would respect their mobile privacy (49 percent vs. 35 percent).

But while some workers—especially those ages 18-34—are comfortable with employers seeing their personal information, that doesn’t let employers off the hook, Ginevan said.

Steps Employers, HR Can Take

“Just because the employee is comfortable with the employer seeing the data, the employer still has the obligation to keep that data private,” he told SHRM Online.

“[Chief information officers] need to protect employees’ privacy as fiercely as they protect corporate security. The good news is ... that goal can absolutely be achieved today.”

It’s essential that HR and IT work together to protect information, noted data security expert Nigel Johnson of Zix Corp., in an e-mail to SHRM Online. Zix Corp. provides e-mail data protection solutions.

“By their very nature, HR departments are a treasure trove of data, as they're responsible for protecting employee information ranging from home addresses to Social Security numbers,” he said in an e-mail to SHRM Online.

“To ensure data security, it's crucial for companies to nail the basics, including proper training of employees that come in contact with sensitive information and implementing the right tools, such as e-mail encryption and data loss prevention technology. It is up to HR and IT to work together to ensure the right data protection tools are in place and training is thorough so, at the very least, the communication of sensitive information is secure.”

MobileIron recommends the following employer practices:

• Tell employees what personal information from their mobile devices is—and is not—availableto employers.

  “[Employees] need to understand what’s available in each operating system,” Ginevan pointed out.

• Establish and communicate clear and logical policies that describe what actions the employer can take regarding information that is on the mobile device.

For example, an employer may need to know if an employee is using a device outside the country so it can send roaming alerts to prevent excessive data charges. If the phone is secured by an enterprise mobility management solution, the company can access roaming information and understand if the user is roaming, and in what country. Some HR finance departments may choose to track roaming data in order to manage employee reimbursement or stipends for their bring-your-own-device program, a MobileIron spokeswoman said. More specific location tracking would need to be explicitly opted into by the employee.

• Communicate information on mobile device use when employees are most likely to be thinking about it, such as when they set up their device.

• Advise employees that anything going through the company’s corporate e-mail servers is saved for legal purposes.

• Make privacy information obvious and accessible to employees.

• Use the privacy controls available in mobile operating systems.

“HR needs to be a trusted partner ... setting the policy or helping set the policy [with] legal on what information [the company is] going to view on mobile devices,” Ginevan said.

HR, for example, may not want to be able to view apps on an employee’s device because of personal information they may reveal, such as health issues or sexual orientation, but IT may need to view those apps in order to determine if they pose a risk to the company’s IT system.

HR’s role includes educating and communicating with employees—simply and in a variety of ways—about the actions the employer can take on an employee’s mobile device. Make sure the employer’s policies keep pace with changing technology.

“As new features roll out to devices ... users are going to have concerns [about] how this data is going to interact with corporate systems,” Ginevan said.

“There’s this behavior shift where users are using a mix of personal and work tasks on [their] device, so you want to make sure the policies are in place to enable that behavior.”

Kathy Gurchiek is the associate editor at HR News. Follow her @KathyGurchiek.