Personally owned devices at work


Page 1: Personally owned devices at work

What's on your E RADAR?

Using personally-owned devices at work

Will Roebuck, Founder and CEO, E RADAR

Page 2: Personally owned devices at work

4 Themes

● Data Access
  ● What data, when, how and by whom?
● Device Risk
  ● Abuse and misuse, malware, bypassing in-house security
● Management Risk
  ● Monitoring threats, responding to alerts
  ● Evaluating new operating systems and devices
● Awareness
  ● Staff policies and procedures

Page 3: Personally owned devices at work

Important Points

● The 'bottom line'
● Corporate and personal liability
● Digital evidence
● Misuse of personal devices
● Monitoring networked communications
● Workers and personal data
● Stored networked communications
● Implementing a policy

Page 4: Personally owned devices at work

The 'Bottom Line'

● Enterprise, innovation and competition
  ● Balancing supply and demand with risk management
  ● Deploying resources carefully
  ● Smarter business management
● Developing and using the right people skills
  ● Improving business processes; supply and demand chains
  ● Opening up new markets
● Investment in enabling technology
  ● Enabling laws and regulations, standards

Page 5: Personally owned devices at work

Corporate and personal liability

● Legal and regulatory requirements
  ● Registering, filing and retaining records and information
    – e.g. Company Annual Returns / VAT Returns
    – e.g. Notifying under Data Protection / WEEE record retention
● Vicarious liability
  ● Duty of 'reasonable' care towards employee
  ● Prevent improper or illegal activities over business systems
● Personal liability
  ● Directors failing to undertake duties implied by law or as additional duties in their contract

Page 6: Personally owned devices at work

Evidence – basic concepts

● Evidence (in legal terms) is the way that a fact is proved or disproved in a court or tribunal.
● Law of evidence regulates what is admissible in a court of law or tribunal.
● An organisation may need evidence for
  ● Dealing with claims of unfair dismissal of an employee
  ● Proving IPR on an invention
  ● Proving existence of an agreement in a disagreement with a customer

Page 7: Personally owned devices at work

Types of evidence

● Oral testimony
● Real evidence in material form (e.g. documents)
  ● Primary = signed original contract
  ● Secondary = unsigned draft of that contract
● Electronic evidence (primary or secondary)
● Hearsay
  ● Evidence given by a person as to what another person said
  ● Less reliable than a first-person account but admissible
  ● Rules much tighter in criminal cases

Page 8: Personally owned devices at work

Burden and standard of proof

● Civil cases
  ● Burden of proof is with the claimant
  ● Defendants may also need to prove something in the case to rebut accusations
  ● Standard of proof is 'balance of probabilities'
● Criminal cases
  ● Burden of proof is with the prosecution
  ● 'Beyond reasonable doubt'

Page 9: Personally owned devices at work

Digital evidence

● Evidence in electronic format is admissible
  ● Electronic Communications Act 2000
  ● Civil Evidence Act / Youth Justice and Criminal Evidence Act
● Documents can be copied onto own personal devices
  ● Technology neutral

Page 10: Personally owned devices at work

Admissibility, weight and credibility

● Digital evidence may be legally acceptable but may not be admissible.
● An admissible document must be sufficiently relevant.
● The court must decide, and may give different weight to primary or secondary evidence.
● In civil cases, evidence is usually presumed admissible without further proof.
● British Standards Code for Legal Admissibility and Evidential Weight of Information Stored Electronically.

Page 11: Personally owned devices at work

Misuse of Personal Devices

● Abuse and misuse (illegal, illicit or wrong)
  ● Defamatory remarks
  ● Breach of confidentiality
  ● Using and abusing copyright without permission
  ● Negligence in sending viruses to other businesses
  ● Sexual or racial harassment
● Criminal offences
  ● e.g. downloading child pornography
  ● Other illegal images

Page 12: Personally owned devices at work

Monitoring Communications

● Right to privacy – even at work
  ● Regulation of Investigatory Powers Act 2000
  ● Lawful Business Practice Regulations 2000
● Inform monitoring for lawful business purposes
  ● Quality, training and security
● How do you 'monitor' remote workers?
  ● Blanket monitoring of employees not acceptable
  ● Must be justified
  ● Other alternatives?

Page 13: Personally owned devices at work

Data protection

● 8 data protection principles
  ● Principle 7 – adequate security measures
  ● Principle 8 – international transfers
● Cloud computing
  ● Where is the personal data?
  ● Information Commissioner's Guidance
● Sensitive personal data
  ● Encryption

Page 14: Personally owned devices at work

Retention, deletion and retrieval

● Organisations must have evidence to rely upon it!
● Information management policy covering
  ● Retention, access and exchange (including security), deletion and retrieval
● Why a policy?
  ● Business (cost, time and risk management)
  ● Legal (e.g. accounting records = 6 years, criminal penalties)
  ● Regulatory (FSA Rules, Food Standards etc.)

Page 15: Personally owned devices at work

Key observations

● 3 important elements
  ● Managing IPR including data, information and proprietary software
  ● Controlling worker behaviour
  ● Security
● Appropriate policies
  ● Linked to the employment contract to enable disciplinary action
  ● Otherwise just a management policy
● Don't panic – get on with your business!

Page 16: Personally owned devices at work

About eradar.eu™

● Championing enterprise and the online economy
  ● Promote an enabling legal and regulatory environment
● Business networking and compliance hub
  ● Membership Services (over 400 briefing papers/articles)
  ● Referencing
  ● E-contracting Legal Group
● Premium tracking and scrutiny
  ● Audits and training