Whose phone is it anyway?

Navigating employee privacy and employer data in the age of BYOD

An ever-increasing proportion of business is conducted outside of the physical office and contracted hours – most commonly on an employee’s mobile device, whether it is their personal device or employer-provided.

Increasingly, employers find themselves frustrated in their attempts to manage their information and business stored on an employee’s device, including when:

  • Obtaining information critical to investigations (e.g., alleged misconduct, data breaches, restrictive covenant breaches).
  • Protecting confidential and proprietary information, especially from employees who have left the business.
  • For those in regulated environments (e.g. AFSL holders), ensuring compliance with their obligations to maintain accurate and complete records of regulated business activities.

These issues are complex and will turn on the nuances of a particular circumstance. However, there are steps that employers can take to best position themselves ahead of time.

‘It’s a company device’

Corporate ownership of a device can appear a panacea to these concerns. However, employers should also consider:

  • Exclusive use: Does your policy make clear that employees with a corporate device must ensure all remote business is conducted on that device and not on a personal device?
  • Technology policies: Employers do not need an employee’s consent to repossess company-provided equipment, but it is important that internal policies clearly state that all data on such devices is subject to monitoring. In Madzikanda v. Australian Information Commissioner [2023] FCA 1445, the Federal Court considered an Office of the Australian Information Commissioner (OAIC) decision not to investigate a privacy complaint related to employer access to personal information on a work device. In determining that the information stored on the device, including the employee’s personal data, fell within the “employee records” exemption from Australian privacy laws, the OAIC delegate placed significant weight on the employer’s technology policy, which permitted monitoring of all data stored on company-issued devices. While the Federal Court wasn’t required to confirm this conclusion, the OAIC view offers useful guidance on what to consider when drafting internal technology policies.
  • Use requirements: Are there clear requirements that manage how the device is used? For example, are employees prohibited from using means to prevent record-keeping or delete information (e.g. “disappearing messages” on WhatsApp, apps specifically designed to hide correspondence)?
  • Transfer: The use of a corporate device does not guarantee that information will not be transferred across ownership and borders. Employers should consider whether allowing use of particular applications may result in information being stored by other private businesses and/or on foreign servers. In some cases, the information of third parties such as clients may not be permitted to be transferred or stored in such a manner.
  • Passwords: While many employment contracts have terms that require employees to cooperate with employers on certain matters, including after termination, procuring a password or PIN from an employee may require an explicit obligation to do so.
  • Monitoring and recovery: Are employee devices backed up to an employer-accessible storage system? Can a remote back-up of a device be taken before a particular interaction (e.g. investigation meeting, employment termination)?

While requiring employees to use an employer-owned device is a sensible step and, with the right infrastructure, can avoid significant pain, these mitigations can become illusory or ineffective without the necessary, accompanying protections in practice. Accordingly, access to an employee’s personal device may still be required.

‘We need to see your personal device’

For employers who don’t own the device their employee has been using (e.g., those relying on a BYOD policy) or those who suspect relevant information has been stored separately, access to a device and any information on it will typically rely on employee consent or a “lawful and reasonable” direction issued to an employee.

In circumstances where there may only be one opportunity to access or retrieve information, employers should consider the following before issuing such a direction:

  • Internal policies: Internal technology policies may include express provisions permitting the company to make lawful and reasonable directions requiring employees to provide access to company data stored on personal devices. The policy should define “company data” and state explicitly that such data remains the property of the company. By narrowing the scope of access, the direction is more likely to be deemed reasonable and within scope of the employment relationship.
  • Reasonableness: Whether a direction to inspect a personal device is reasonable will depend on both the basis and the scope of the requirement. For example, where an employer has an objective reason to suspect that company information is stored on a device and the required access is limited to the pursuit of that information, the direction is more likely to be considered reasonable. Conversely, random reviews of employee devices or directions based on mere speculation are less likely to be so.
    Employers should be clear about the information that is sought and consider alternatives to broadbrush possession and access to a personal device. For example, targeted searches (under employee supervision), agreed searches by an independent third party, or a forensic image of a device to only be accessed on subsequently agreed terms, are more likely to be considered reasonable directions.
  • Out-of-hours conduct: Directions that seek to regulate “out-of-hours” or “personal” conduct will only be considered reasonable where the direction seeks to protect the legitimate interest of the employer. Applying the same principles to directions that seek to regulate the use of personal property, any such direction must also seek to protect an employer’s legitimate interests.
    Employers should be mindful to clearly state the basis on which the purported direction is made. For example, maintaining safety in the workplace, ensuring compliance with laws, ensuring employee protection from inappropriate conduct, protecting the employer’s reputation, or ensuring the lawful use of company property. A direction that relates to personal property without a clearly articulated connection to an employer’s interest may be unreasonable.
  • Alternative direction: Where refusal is anticipated or a basis to require access to a personal device remains uncertain, employers should ensure that employees are expressly directed not to delete, alter or further disclose any confidential or proprietary information in the meantime.

Employee privacy

Despite the best laid (and reasonable) plans, an employee may maintain a refusal to produce their personal device or grant access to information on a corporate device that sits behind a password or PIN.

In these more challenging cases, the above steps and considerations will ensure that an employer is well placed to take consequent disciplinary action and/or defend its approach to a related third party and/or regulator.

Annamarie Rooding is a partner in the King & Wood Mallesons employee relations & safety team in Melbourne. Chris Shelley is a special counsel in the King & Wood Mallesons employee relations & safety team in Melbourne. Michael Swinson is a partner at King & Wood Mallesons in Melbourne. Sienna Hilson is a solicitor at King & Wood Mallesons in Melbourne.