Litigation trend: Employee personal devices

With the ongoing lockdown in the UK and continued homeworking, and the rise of Bring Your Own Device ("BYOD"), an issue that has been gathering increasing attention is the courts' approach to employees using their personal devices for work purposes and how this may impact disclosure exercises. Specifically, this has been considered with respect to:

1. the use by employees of their own personal devices at work;

2. the right of access that the employers have (or do not have) under employment contracts; and

3. the approach that the courts are taking to disclosure applications related to smartphones.

In this article we explore three recent cases in this area of growing interest and importance. 

The increased use by employees of their own personal device at work

There has been an increasing trend over the past few years of employees using their personal devices for business purposes; BYOD. Whilst this has been helpful for the purposes of keeping up with technology changes and providing employees with flexibility in terms of their preferred method of working, it has also presented a number of challenges in respect of data security issues and disclosure processes.

The court in TBD (Owen Holland) Ltd v Simons and others considered the purpose and use of a search order and the correct approach to imaging orders. The search order in this case included an obligation for the Defendant to "hand over to the Claimant's solicitors any of the listed items"; which in this instance included an employee's mobile phone.

Whilst the main focus of the judgment was the breach (via inspection of imaged documents) of the terms of the search order,  the practical issue that this case raised, in the context of BYOD, was that if an employee who was using their personal devices for work-related purposes had since left the employment of the business, the employer may no longer have relevant data available to satisfy the search order.

Businesses should consider this risk carefully - and what happens on termination of employment - when advising / permitting employees to use their own devices for business purposes.

Rights of access to documents under employment contracts

The judgment in Pipia v BGEO Group Ltd provides useful guidance on the rights of access by employers to documents under employment contracts.

Following an application to vary an extended disclosure order (made under the disclosure pilot scheme), the court determined whether disclosure should be ordered in respect of (a) material held on the smartphones of two key witnesses for the defence; and (b) emails held by the defendant.

A key point coming out of this case is that the phones held by the individuals were private property and the individuals were not parties to the proceedings; however the defendant had a contractual relationship with one of the witnesses which gave the defendant the right of access to information on the phone. That individual was formerly CEO of the defendant and the "control" hurdle was met based on provisions set out in his service agreement granting access to documents held on any "computer". Within the relevant provisions, the smartphone was deemed to fall within the term "computer" (as smartphones can hold programmes and data). The second witness was an employee of a subsidiary of the defendant, and while the subsidiary had a contractual right to see data on the phone, that was insufficient to give control over that data to the parent company.

In summary, the extent to which an individual's personal device will fall within the scope of any disclosure obligations will depend on the contractual relationship with the business in question. Businesses need to have a clear understanding of the implications of contractual rights to review data held on employees' devices, both during and after their employment, and to be aware of the impact of those rights on their disclosure obligations in litigation.

The approach that the courts are taking to disclosure applications related to smartphones

The Court of Appeal has recently upheld Roth J's decision in Phones 4U Ltd v EE Ltd & Ors under CPR 31 to order a party to request that its former employees allow forensic IT consultants to examine their personal phones for documents relevant to the dispute.

Whilst the form of the order was unusual in that it ordered a party to request another to do something, the Court of Appeal viewed this as pragmatic and held that if the ex-employees refused, further applications could be made.

One of the most relevant points from this decision was with regards to GDPR requirements. The court said that any data processing undertaken by the forensic IT consultants (i) would be with the consent of the custodians in their role as data subjects (Article 6.1(a) GDPR); and (ii) would also be necessary in order for the IT consultants to carry out their obligations under Article 6.1(c) GDPR "for compliance with a legal obligation to which the controller is subject".

The GDPR will not necessarily be a prohibitive factor in searches on personal devices for disclosure purposes.

Key takeaways

There are four key points that you should consider in order to safeguard business interests:

1. Contractual terms with employees in respect of devices used for work purposes

Businesses will need to make an informed decision as to whether to include a right of access to personal devices, insofar as they are used for business purposes, within contracts of employment. Having such access will ensure the business has access to all relevant data in the event of an investigation or legal proceedings but will also increase the burden of any disclosure request. Phones 4U provided helpful commentary that the courts may look favourably on contractual rights from a GDPR perspective.

2. Using professionals to collect and search devices

Where personal devices may contain communications relevant to the dispute, the business should use certified forensic examiners to forensically collect and search these devices. Not only will this allow you to maintain defensibility in the way the data is collected, but it will also help you avoid any potential data privacy and GDPR issues that might arise from the inadvertent collection of personal information. In Pipia, the judge noted that ensuring the WhatsApp messages were filtered only by qualified solicitors, rather than by a party witness, was "desirable to the point of necessity". This is a good reminder from the Court that it is best practice to not allow parties to the dispute to self-collect their own data. Self-collection can create issues around individual's choosing to determine what data is provided, along with issues around repeatability and defensibility of the collection itself. There are multiple ways in which data can be retrieved and searched depending on each unique matter. It is important that each business establish a protocol to determine which route is best to ensure the accuracy and defensibility of the collection. 

3. Tracking the use of work devices

Consider keeping track of how many employees are using personal devices for business purposes. Whilst this may be administratively complicated, it is a useful statistic to have, especially given that the use of personal devices could have a direct impact on an increased expenditure for disclosure purposes. At the outset of litigation, when taking steps towards document preservation, renew enquiries with witnesses as to whether they have used personal devices for business purposes - as part of a formal policy or otherwise.

4. Policies and procedures

Policies and employment contracts should make clear in what circumstances personal devices (and particular messaging apps on them) may be used for business communications. Prohibiting such use may help to resist requests in legal proceedings for access to employees' devices. Consider ways in which you can check your employees' compliance with these policies. However, the feasibility and practicality of this will clearly vary on a case by case basis, and the need to search personal devices will depend on the facts of the case. Compliance functions should also develop internal communications and messaging regarding the risks of using personal devices for business communications, to both the individual and the business. Having a data retention policy in place that addresses both company devices and BOYD is also important from a compliance perspective.

If you have any questions on these issues, or would like to discuss this article further, then please do get in touch with any of your Simmons & Simmons contacts, or the contacts listed with this article. For an employment perspective on these issues, we would be happy to direct you to colleagues in our Employment practice who will be able to advise you in more detail.