The increase in the number of employers permitting and even encouraging employees to use their own personal electronic devices for work purposes, which has become known as “bring your own device” to work (BYOD), has far reaching impacts.
The well-reported positives to be gained from such practices are that they can:
- greatly assist mobility of the workforce and flexible working patterns;
- result in a decreased cost to employers in respect of the ownership of hardware;, and
- when well-received by employees, should lead to increased employee satisfaction and productivity.
The impact of e-disclosure
One issue which employers should consider before allowing BYOD is whether they have the right to access documents stored on their employees’ and ex-employees’ personal electronic devices. In particular, this could cause problems if the employer is embroiled in any subsequent litigation. Discovery and disclosure exercises may well extend to information stored on electronic devices owned by employees which are used for business purposes.
The basics of electronic disclosure, or e-disclosure, are the same as ordinary disclosure. A party to litigation is obliged under the Civil Procedure Rules 1998 to disclose any documents which are or have been in its control and upon which it intends to rely, which adversely affect its case, which adversely affect another party’s case or which support another party’s case.
“Documents” can be “anything in which information of any description is recorded“. Reflecting the fact that most business is now transacted and recorded electronically, there is a specific Practice Direction under the Civil Procedure Rules. This provides detailed guidance on e-disclosure and makes clear that documents include electronic documents, computer records, program and system files, e-mails, text messages, databases, spreadsheets, videos, voicemails and audio files.
The definition of a document also extends to material which is not readily accessible. This could include electronic documents stored on servers and back-up systems, electronic documents which have been deleted but are still retrievable with appropriate software and information stored and associated with electronic documents, known as metadata.
Whether a document is within a party’s control will depend on whether that party:
- has had past or present physical possession of the document;
- has a right to possession of the document; or
- has a right (based on statute, contract or the legal relationship between the parties) to inspect or take copies of the document.
A court may infer that the legal relationship between an employer and its employees is sufficient for the employer to have the right to possession of any work-related documents which their employees have stored on personal electronic devices. It will always be preferable, however, for employers to have this right expressly documented in an agreement with its employees, so that they are able to enforce its terms more easily.
Clearly, such wide ranging obligations could seem never-ending for a party to litigation now that many companies have complex IT systems and employees use a range of personal devices in their work. However, parties are only obliged to conduct a “reasonable search” for documents. What is reasonable will depend on the number of documents involved, the nature and complexity of the proceedings, the ease and expense of retrieval of any particular document and the significance of any document which is likely to be located during the search.
When considering the retrieval of electronic documents, issues to consider include:
- their accessibility on servers or back up systems or in other sources;
- the location of relevant documents;
- the likelihood of locating relevant data as a result of a search;
- the cost of recovering, disclosing and providing inspection of any relevant electronic documents; and
- the likelihood that electronic documents will be materially altered in the course of recovery, disclosure or inspection.
Parties to litigation should consider early on in proceedings whether any third parties may hold documents which might help their case or damage another party’s case. This could extend to documents and data held by employees and ex-employees on their personal devices. If it is identified that third parties may hold data and those documents are not forthcoming following a request, it is possible to apply to the court for an order for disclosure against that party, known as a non-party disclosure order. However, it should be borne in mind that the court has a discretion whether or not to grant such an order and will consider the cost implications for both parties.
Addressing potential issues
In many cases, even if an employer does not have a specific BYOD policy in place, employees are likely to be willing to cooperate with any request by their employee for them to provide relevant information. However, problems are more likely to arise in this regard after an employee has left the company (either in adverse circumstances or on good terms but where they later cannot be easily traced).
In relation to ex-employees who have moved abroad, employers would need to consider what is a “reasonable search”. If the employee’s role was peripheral in the dispute and most of their documents have already been backed up on the work servers then asking them to hand over all their personal devices for a more forensic search is probably unreasonable. This might be different if the employee is a vital witness whose documents, metadata and deleted documents which are not backed up elsewhere are key to the case and/or some information, for example calendar or voicemails, is only available on the device itself.
To assist with the above issues and ensure that an employer can comply with their obligations to conduct a reasonable search for documents and limit the time and expense that this could involve, employers should ensure they have an information governance strategy in place. A vital part of such a strategy should include a written BYOD policy which is agreed by any employees. Ideally, such a policy should:
- detail security measures and backup requirements;
- set out a clear understanding of the ownership of information relating to the company; and
- include a strict requirement for the employees to deliver up their devices upon request either at the end of their useful lives or at the end of their employment. This will allow the employer to take back ups of the necessary information and ensure all sensitive company information is fully deleted.
At any point in time, if litigation is contemplated, employers must preserve disclosable documents. Therefore, regular deletions of documents should not take place during this time and employees should be encouraged to ensure all of their documents are regularly backed up on the main server. Having an IT platform in place which can be easily accessed by a range of devices can help facilitate the swift and regular back up of information. Ideally, the BYOD policy should include an obligation on employees to back up their documents regularly in any event.
Since the introduction of e-disclosure, case law in this area has increased and companies have been subject to costs awards for failures to comply with their legal obligations. This should act as a warning to employers who think that they can ignore this issue, as it can only be a matter of time before the courts specifically focus on employers’ obligations to disclose information stored on their employees’ personal devices. Employers should ensure that these issues are properly considered and addressed when they are implementing BYOD policies.
Nicola McMahon, Solicitor
Charles Russell LLP