June 8, 2016

BYOD – Managing Information Security Risks and Personal Devices

Published in Australia and New Zealand Education Law Association Ltd (ANZELA NZ) Update June 2016

Schools and teachers are used to managing large amounts of sensitive and personal information, particularly information about students and student achievement. With increasing pressure on teaching staff to work flexibly, and be available out of class time, the use of personal digital devices is increasing. A recent study found an increase in smartphone ownership coupled with a decrease in employers providing devices, indicating that employees are increasingly bringing their own devices to work (“BYOD”), rather than being provided one by their employer.

This brings potential gains in efficiency, productivity and creativity. However, the use of personal devices also creates risks to privacy and confidentiality, especially where personal information about students needs to be accessible as part of the job. Schools therefore need to ensure that all sensitive and personal information contained on teachers’ personal devices is held safely.

Personal devices are at risk of being hacked, lost, or stolen, resulting in information being accessed by unauthorised individuals or lost altogether. Recent studies found that 28.5% of New Zealanders with a smart phone admitted to having lost it. Information on personal devices therefore needs to be protected, by:

  • storing any personal or sensitive information on the device in an encrypted location so that it can be deleted remotely;
  • having guidelines outlining which devices your school will support for security reasons; and
  • requiring teachers to secure their own devices with passwords and by ensuring that a remote locate-and-wipe facility is operative in case the device is lost or stolen.

Schools can also implement a BYOD policy or make additions to any existing Code of Conduct or staff handbook, covering steps to be taken to protect personal devices from viruses and attacks, and allowing for potential disciplinary action for failing to keep school and student information on a device secure.

As well as school and student information, a personal device will almost invariably contain data created by teachers outside work hours, often for their own personal use. In these circumstances, the question of intellectual property ownership may not be clear-cut and subject to dispute, particularly when a teacher ends their employment.

In order to protect the ownership of their information, as well as its security, schools should be aware that they can include provisions in policy documents or a Code of Conduct to ensure that any and all intellectual property created by a teacher on a personal device both at, and outside of work, is owned by the school. Agreement to policy provisions like this can be recorded by getting staff to sign for any updated policy, or as part of a signed letter of acceptance on starting work.

Prevention is often better than a cure, and having a consistent BYOD policy in place will help all schools harness the benefits of personal devices, while managing the risks.

Claire English, Senior Associate, Chen Palmer Partners