BYOD and Disclosure in Legal Proceedings
What are the legal risks and issues if employees use personal devices in the course of employment? What are ways to mitigate some such risks? This article discusses (i) the benefits and implications of a formal Bring Your Own Device (BYOD) policy; (ii) technological measures for data security and device management; (iii) whether employers have a right to data in employees’ devices; and (iv) discovery in legal proceedings regarding such device data.
Introduction
- It has become common for employees to use their personal devices for work. Many employees use their personal devices to access their company email and other communication accounts, access and store company information and documents, and access and store work-related contacts.
- Some employers may also adopt a “Bring Your Own Device” (BYOD) approach, with or without a formal BYOD policy, benefiting from employees’ use of personal devices in the course of their service. However, what are the legal and other risks and issues for employers and employees in this regard?
Securing Data in Personal Devices
- Employers would generally have a strong interest in ensuring the security and confidentiality of such accounts, information and documents on employees’ personal devices.
- Employers should thus have a formal written BYOD policy which, among other things, stipulates obligations on employees to comply with acceptable use directions, and to secure and keep confidential data on their personal devices according to the organisation’s security directions. Mobile device security requirements may include the following:
  - Specific strong password requirements;
  - Device lock requirements after a certain amount of idle time;
  - Prohibition against use of rooted or jailbroken devices to access company network, systems, applications or data;
  - Whitelisting or blacklisting certain devices and models.
- In addition, employers should consider implementing practical technological measures such as Mobile Device Management (MDM), Mobile Application Management (MAM), and Unified Endpoint Management (UEM) solutions.
  - MDM solutions enable employers to manage company accounts and data on employees’ devices, whether personal devices or company-issued devices, and are agnostic as to the device’s operating system (whether it is iOS, Android, Windows, or otherwise). They generally work by containerization, i.e. segregating company accounts and data within the devices from personal accounts and data. MDM solutions would enable employers to remotely configure application and account settings, enforce device encryption, wipe company accounts and data, whitelist or blacklist certain applications, update applications and licences, and obtain device location reports, status and activity reports, and so on.
  - MAM solutions are a form of MDM solutions by way of specific software applications installed on the employees’ devices. Employers’ control is limited to the applications, and not the device generally, although MAM solutions may enable some extent of control over employees’ own non-company data, without actually being able to view or access such data, for the purpose of protecting the company data on the device.
  - UEM solutions are single-point suites of solutions which enable control of both on-site and off-site devices and security, and include MDM and MAM solutions as well as other security solutions such as anti-malware solutions, web control software, firewalls, etc. UEM solutions enable administrators to enforce policies which are compliant with data privacy regulations, and ensure that only authorized applications with the requisite authentication and privileges can access sensitive data.
Employer’s Right to Data in Personal Devices?
- Employers may wish to assert ownership over work-related data stored in employees’ personal devices. In this regard, the common law does not recognise ownership over data per se because “data” is not considered “property” and the common law does not presently recognise “intangible property” other than a thing/chose in action,¹ i.e. a bundle of rights which can only be claimed or enforced by action.²
- Information and data may nonetheless give rise, or be subject, to intellectual property rights such as copyright. The general default position would be that any copyrightable work created by an employee would be owned by the employer.³ However, copyright does not necessitate a right to possession or control of the data.
- Do employers have a right to access, retrieve, or inspect the information stored in employees’ personal devices?
- Should an employee refuse to grant an employer consent or access to their personal devices, an employer probably cannot simply take things into their own hands without risking violating the law. This would include offences under the Computer Misuse Act 1993 as well as torts of conversion, detinue or breach of confidence. It is also possible that the implied duty of mutual trust and confidence in the employment relationship would be engaged.
- As such, employers would do well to include express provisions in a formal written policy duly incorporated into employment contracts which entitle the employer to have reasonable access to company data stored on or accessible through the employees’ personal devices and accounts (such as email, communication, and cloud storage accounts).⁴ The policy should properly define the scope of company data, such as to include work-related documents and contact information. Consideration should be given to the mode of access and the scenarios in which a request for access would be considered reasonable. This may include e.g. access under the employee’s or an independent third party’s supervision, supervised access by an independent third party, or agreed scopes of searches or imaging by an independent forensic professional. The policy should also expressly prohibit employees from deleting or disclosing any company data on their personal devices except with the employer’s approval.
- In a contentious scenario where an employee refuses to provide access or surrender company data pursuant to express contractual provisions, an employer may be able to apply to the Court for an order compelling the employee to deliver up and provide access to the company data even if it is stored in their personal devices. In SpaceSATS Pte Ltd v Chan Chia Sern and others [2023] SGHC 40, the plaintiff successfully sued the defendants (including former employees and seconded personnel providing services to the plaintiff) for, among other things, breach of contract to maintain confidentiality and surrender intellectual property and work products, and got an order that the defendants deliver up their personal devices to their solicitors, who were then to deliver them to IT forensic investigators appointed by the plaintiff.
- Insofar as any data or material “has the necessary quality of confidence about it” and has been “imparted in circumstances importing an obligation of confidence”, such as to engage the equitable law of confidence, the employer may also obtain an order of delivery up of the confidential data or material, apart from an injunction restraining the wrongful disclosure of the data.⁵
- Indeed, it is often the case that employers enforcing their rights in legal action in contentious circumstances where the (former) employee has allegedly breached confidentiality would urgently apply ex parte / without notice for search orders or Anton Piller orders against the (former) employees. This would include searches conducted at the (former) employees’ homes (whether or not the home is owned by the employee) or subsequent workplaces.⁶ Such search orders would involve searches into the (former) employees’ personal devices and the cloning or forensic imaging of the data on the personal devices.
- It should however be borne in mind that the information and materials obtained from a search order would be subject to the Riddick undertaking.⁷ In discussing this principle, the Singapore apex court has cautioned against over-expansive search orders, suggesting that independent computer experts would be helpful in ensuring that appropriate search terms are used in computer searches to meet the legitimate needs of the applicant and to preserve data integrity.⁸
- It is worth mentioning as regards search orders in respect of personal devices that generally, the terms of search orders would not allow a claimant to seize items which were not owned or controlled by the defendants.⁹ In BP Singapore Pte Ltd v Quek Chin Thean and others [2011] 2 SLR 541 (HC),¹⁰ the plaintiff executed search orders at the homes of the defendants and seized the personal devices of the defendants and their family members. The Court commented that if the devices were owned solely by the defendants’ family members, the defendants would have had no right to permit those items to be inspected or seized, and the family members would have been perfectly entitled to refuse to hand over such items. If the plaintiff had intended to also seize items belonging to the defendants’ family members, it should have specified such persons in the search orders, presumably with justification. However, this means that if there is justification for including employees’ family members and new employers in the search orders, such persons may be subject to onerous search orders.
- This serves as a cautionary tale for (former) employees. Employees who play fast and loose with their employer’s data or confidential information may risk getting themselves, and possibly even their family members or new employers, exposed to onerous circumstances such as search orders, injunctions, and delivery up orders.
Employer’s Discovery Obligations and Personal Accounts or Devices
- Another scenario an employer may face is when it is confronted with discovery or disclosure obligations in legal proceedings. Here, both employers and employees may face certain risks.
- If an employer is required to comply with general or specific discovery obligations, and the relevant data which may be required to be disclosed or is in fact required to be disclosed is stored in a current or former employee’s personal devices or accounts, what is the employer and employee to do?
- The Singapore courts have held that a litigant has a duty to take reasonable steps to search for relevant and material documents and to be satisfied that it has complied with its discovery obligations. Where documents may lie with a third party, the duty extends to making reasonable efforts to request for the relevant documents.¹¹ Otherwise, a litigant could simply come up with a “convenient ruse” for not providing discovery, even if those documents could be easily requested from the third party. Indeed, a particularly wily defendant could even deliberately put documents within the possession of a third party in order to then use that as an excuse not to provide discovery.¹²
- Where a litigant has the “practical ability” to access or obtain documents held in the possession of the third party, the producing party may be found to have a sufficient degree of control as to constitute power; the practical ability to obtain those documents is to be seen and assessed in context.¹³
- Insofar as any disclosable document is stored in a current employee’s personal device, and the employer has contractual rights of access to the company data in the employee’s personal device, the employer may possibly be deemed to have the ‘practical ability’ to access or obtain the document and may also be deemed to have the power over the document in question such that the document must be disclosed by the employer.
- On the other hand, it may not be so clear if a party can be said to have the “practical ability” or power to access or obtain documents in a former employee’s possession, control or power. Again, this may turn on the specific terms of the employment contract.
- In Pipia v BGEO Group Ltd [2021] EWHC 86 (Comm), at [67]-[87], the Court considered that although the former employee had ceased employment with the defendant, the express provisions of the employment contract entitled the defendant to seek a surrender of the defendant’s confidential information post-termination; this gave the defendant the right to access the former employee’s smartphone used during his employment. Accordingly, the Court ordered that the relevant documents in the phone be disclosed.
- In contrast, in In re Pork Antitrust Litig., No. 18-cv-2022 WL 972401 (D. Minn. Mar. 31, 2022), the Court declined to order an employer to disclose text messages from the personal devices of its current employees. The BYOD policy terms of the employer did not assert ownership, control or right to access personal text messages of the employees, but merely defined company data as data that is sourced from company systems and synced between the mobile devices and its servers. The mere fact that they were employees of the company did not mean that the employer had the practical ability to demand access to data on its employees’ personal devices. The Court drew a distinction between permissibly asking for documents on one hand, and on the other hand impermissibly demanding them.
- In Phones 4U Ltd v EE Ltd & Ors [2021] EWCA Civ 116, the Court ordered a litigant to request its former employees or agents to voluntarily allow forensic IT consultants to examine their personal devices for relevant documents, as opposed to an order against those former personnel. The order was to enable the IT consultants to search for work-related communications relating to the employer’s business that would be passed to the relevant defendant for a disclosure review to be undertaken. The IT consultants were to undertake to the court to search the devices and emails for responsive material, not to disclose any other material to the defendant or its solicitors, and to return the devices and emails to those third parties, and to delete or destroy any copies. The court noted that although the third parties’ own data were mixed with the disclosable company-related documents, the inseparability of irrelevant materials does not justify refusal to permit inspection, extraction and copying of relevant material.¹⁴
- In Fairstar Heavy Transport NV v Adkins [2013] EWCA Civ 886, the English Court of Appeal ordered that the employer/principal had the right to inspect and copy emails relating to its business which its former agent and CEO (although technically he was not an employee, but had provided services pursuant to a service agreement between the principal and his own company) had possession of in his own email account. The Court considered that the order should be for an inspection of the emails on the former agent’s computer, and permission to copy those emails;¹⁵ as a general rule, a principal is entitled to require production by the agent of documents relating to the affairs of the principal, even if the agency had been terminated;¹⁶ the issue of ownership or proprietary right in the contents of the emails is irrelevant.
- Accordingly, it appears from the foregoing authorities that much turns on (i) the relevant provisions in the employment contract and BYOD policy; and (ii) the legal nature of the relationship between the litigant and the third party who is in possession of the relevant documents or data. The fact that the employee’s device in question may contain personal data or documents which are irrelevant to the scope of disclosure does not preclude an order for inspection of the device.
- Where circumstances justify it, privacy concerns and interests of the former employee may be addressed by the appointment of an independent IT forensic consultant and perhaps additionally a supervising solicitor to supervise the inspection and access such that only such data as is required to pursue the legitimate interests of the applicant is collected.
- It is also worth highlighting that it is likely that the Personal Data Protection Act 2012 (PDPA) does not preclude such access, inspections, or disclosure, where the employer’s disclosure obligations are engaged as a result of legal proceedings. First, if the data in question is in any event not personal data but company data, it would not fall within the scope of the PDPA. Second, in any event, the PDPA provides exemption to consent for collection, use or disclosure of personal data where necessary for any investigation or proceedings.¹⁷ Section 2(1) of the PDPA defines “investigation” as “an investigation relating to — (a) a breach of an agreement; (b) a contravention of any written law, or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or (c) a circumstance or conduct that may result in a remedy or relief being available under any law”. And “proceedings” are defined as “any civil, criminal or administrative proceedings by or before a court, tribunal or regulatory authority that is related to the allegation of — (a) a breach of an agreement; (b) a contravention of any written law or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or (c) wrong or a breach of a duty for which a remedy is claimed under any law”.
Conclusion
- We have considered that the express provisions of a formal written BYOD policy implemented by employers can have a wide-ranging impact on employers’ right of access to employees’ personal devices, maintaining the security and confidentiality of company-related data, and disclosure obligations in connection with legal proceedings. Employers should thus consider these scenarios and risks in developing an appropriate BYOD policy. Technological measures such as MDM, MAM and UEM solutions to manage security, confidentiality and data integrity risks should also be considered.
- In contentious circumstances, employers and employees should note the possible risk scenarios where personal devices of current or former employees may become subject to search orders, inspection, and disclosure orders. It is therefore pertinent for employers and employees alike to take into account such risks before actively or tacitly adopting any particular BYOD policy or approach.
Endnotes
1. Boardman v Phipps (1967) 2 AC 46 at 127, per Lord Upjohn. Your Response Ltd v Datateam Business Media Ltd (2015) 1 QB 41 at (42); Janesh s/o Rajkumar v Unknown Person (“CHEFPIERRE”) (2022) SGHC 264 at (56).
2. See UK Law Commission, “Digital Assets: Final report”, Law Com No 412, paras 3.17-3.19. For a discussion on whether data per se should be subject to private property rights, see Hu Ying, “Private and Common Property Rights in Personal Data” (2021) 33 SAcLJ 173.
3. Section 134, Copyright Act 2021.
4. See Ang Ann Liang, “Employee Investigations – The Limits To Accessing Employees’ Emails And Personal Devices”, (2023) SAL Prac 2.
5. Clearlab SG Pte Ltd v Ting Chong Chai and others (2014) SGHC 221 at (332); c.f. I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others (2020) SGCA 32 at (56), (67)-(70).
6. See e.g. Clearlab SG Pte Ltd v Ting Chong Chai and others (2014) SGHC 221 at (22)-(29).
7. Riddick v Thames Board Mills Ltd (1977) 1 QB 881; Amber Compounding Pharmacy Pte Ltd and another v Lim Suk Ling Priscilla and others (2019) SGHC 269 at (14); Lim Suk Ling Priscilla and another v Amber Compounding Pharmacy Pte Ltd and another and another appeal and another matter (2020) 2 SLR 912 (CA) at (43).
8. Lim Suk Ling Priscilla and another v Amber Compounding Pharmacy Pte Ltd and another and another appeal and another matter (2020) 2 SLR 912 (CA) at (122)-(127).
9. BP Singapore Pte Ltd v Quek Chin Thean and others (2011) 2 SLR 541 (HC) at (64).
10. BP Singapore Pte Ltd v Quek Chin Thean and others (2011) 2 SLR 541 (HC) at (62)-(67).
11. Natixis, Singapore Branch v Lim Oon Kuin and others (2023) SGHC 301 at (32); Saxo Bank A/S v Innopac Holdings Ltd (2022) 3 SLR 964 (HC) at (63); SK Shipping Co Ltd v IOF Pte Ltd (2012) SGHCR 14 at (38); Hai Jiao 1306 Ltd and others v Yaw Chee Siew (2020) 3 SLR 142 (HC) at (47); Phones 4U (in administration) v EE Ltd and others (2021) EWCA Civ 116 at (26) and (28).
12. Natixis, Singapore Branch v Lim Oon Kuin and others (2023) SGHC 301 at (32).
13. Natixis, Singapore Branch v Lim Oon Kuin and others (2023) SGHC 301 at (32); Hai Jiao 1306 Ltd and others v Yaw Chee Siew (2020) 3 SLR 142 (HC) at (46); Dirak Asia Pte Ltd and another v Chew Hua Kok and another (2013) SGHCR 1 at (35)–(37).
14. Phones 4U Ltd v EE Ltd & Ors (2021) EWCA Civ 116 at (29).
15. Fairstar Heavy Transport NV v Adkins (2013) EWCA Civ 886 at (50).
16. Fairstar Heavy Transport NV v Adkins (2013) EWCA Civ 886 at (53); c.f. Phones 4U Ltd v EE Ltd & Ors (2021) EWCA Civ 116 at (10), citing Bowstead & Reynolds on Agency (21st edition, 2017).
17. Paragraph 3, Part 3, First Schedule, PDPA read with section 17 of the PDPA.
The post Employers’ Control of Data in Employees’ Personal Devices appeared first on The Singapore Law Gazette.