BYOD Where does institutional liability end ?

26 June 2013RSC Eastern Technical managers Forum

Hello!

Betty Willder info@jisclegal.ac.uk

0141 548 4939

www.jisclegal.ac.uk

http://twitter.com/JISCLegal

About Jisc Legal

• Role: to avoid legal issues becoming a barrier to the use of technology in tertiary education

• Information service: we cannot take decisions for you when you are faced with a risk

“ … 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But less than 3 in 10 who do so are provided with guidance on how their devices should be used in this capacity, raising worrying concerns that people may not understand how to look after the personal information accessed and stored on these devices…” http://www.ico.gov.uk/news/latest_news/2013/survey-guidance-on-byod-personal-devices-07032013.aspx

The Issues

Copyright (using other people’s stuff)

Data protection (respecting privacy)

e-Safety (protecting users)

e-Security (protecting the organisation)

The Difference

Not linked to place (mobile!)

Personal, invasive and pervasive

Own device

Combines access and communication

What’s the biggest issue about mobile?

1. Copyright2. Data protection3. e-Safety4. e-Security5. Haggis

1. 2. 3. 4. 5.

0% 0% 0%0%0%

Copyright & Mobile Devices

be ‘appy’ with your appsT&Cs‘Personal use’Per device, per user,multi-use

Do you have a mobile device with copyright infringing content with you?

1 2 3 4 5

0% 0% 0%0%0%

1. Can I call my lawyer?2. Maybe.3. I’m looking around to see

what option others are pressing.

4. Yes.5. Definitely not, guv. Honest.

Data Protection & BYOD

Compliance and privacy

Purposes / purpose creep

Surveillance

Marketing - PECRs

“ … 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But less than 3 in 10 who do so are provided with guidance on how their devices should be used in this capacity, raising worrying concerns that people may not understand how to look after the personal information accessed and stored on these devices…” http://www.ico.gov.uk/news/latest_news/2013/survey-guidance-on-byod-personal-devices-07032013.aspx

e-Safety & Mobile Devices

Enables new, pervasive communicationAnonymity and accessDuty of careCriminal offences

e-Security & Mobile Devices

BYODBYOVRDLYODDP, liability,breach of T&Cs

The college/employer legal obligations

• Statutory obligations to comply with

various pieces of law

• Common law obligation of duty of care

Statutory Obligations

• Difficult to meet them if systems are not technically up to date using latest standards etc

• Data protection probably most risky area• Help available on BYOD – ICO guidance

So where does college liability end?1. It extends to all permitted

mobiles2. Only to staff mobiles not

students’3. Not our mobiles – not our

responsibility4. It depends5. In tears

1 2 3 4 5

0% 0% 0%0%0%

The employee legal obligations

• The employee ‘is’ the college• Any personal liability?• College needs to rely on its

employment contracts, behavioural policies and disciplinary policies

• BYOD is about people, not devices

The student’s legal obligations• The student ‘is not’ the college but…• …accesses college licensed materials,

college personal data, e safety, e-security• College needs to rely on its student

contract, behavioural policies and disciplinary policies

• Common law obligation of duty of care

The JISC Legal BYOD Toolkit – what’s in it?

BYOD Toolkit (1 May 2013)

Jisc Legal has published a BYOD toolkit in response to the rise in learners and employees using their personal computing devices (typically smart phones and tablets) in the work and learning environment.

The toolkit includes a variety of resources:

1. Your Staff, Mobile Devices, Law and Liability

To some extent bring your own device (BYOD) is already happening in your institution. Staff are already using their mobile devices to access their work emails, papers and documents from off campus. This paper focuses on the legal issues surrounding staff bringing their own devices.

2. Your Students, Mobile Devices, Law and Liability

Students will increasingly expect that all information and services currently available from a university or college desktop will be available to them via their mobile device. At the same time, institutions will want to ensure that systems and information are secure, and users adhere to policies on access to systems. This paper focuses on the legal issues surrounding student mobile use.

3. Risk, Liability and Mobile Devices

This paper provides a quick reference for managers as to the main legal risks which need to be assessed against your institution’s risk strategy before opening your institution’s ICT system to mobile access by staff and students using their own devices.

4. Bring Your Own Device Policy Template for Further Education

The BYOD Policy template is intended as a guide to help providers write an effective policy that states what their institution's approach is to the use of personally owned devices by staff and learners.

New Guidance

FAQ: Can we seize and forensically analyse a staff or student’s device in the case of suspected misuse?

1 2 3 4

0% 0%0%0%

1. Yes our policy says we can2. No- only the police can do this

under warrant3. Maybe if the circumstances

are serious enough 4. I’m looking around to see

what option others are pressing.

Policies

• BYOD• DP AUP/student behaviour• Staff procedures – dp, copyright,

safeguarding, e-safety… • Disciplinary policies• Publicise and enforce!

Enforcing your policies

• If want to rely on them, need to have them in place!

• Need to be fair – consultation?• Consistently enforced• Very challenging in BYOD• Use technology

Any Questions ?

http://jiscleg.al/BYODToolkit