Marzo 21, 2022

Protecting your personal information and privacy on a company phone

Joel Snyder

When you use a new employer-issued smartphone, or you use your own phone to read your work email, you might ask yourself, “Wait, did I just let my employer look at everything on this phone? Did I just give up my privacy?”

Well, maybe some, but probably not anything that should be of concern. There are three things protecting your information: the technology itself, your employer’s device policy and the law (at both federal and state levels).

Here’s a look at all three — and exactly where you are and aren’t protected.

 

Technology

All smartphones have a number of built-in features that can help maintain the boundary between your work life and personal life. Some of these features are for you to use just to keep things organized on your own phone. Samsung’s Dual Messenger capability, for example, lets Android phone users create two different accounts, such as a work account and personal account, in chat apps such as WhatsApp and Facebook Messenger. But these boundaries are more intended for organization than for actual privacy.

To really isolate things so that your employer can’t access personal data, you need Android’s Work Profile feature — a capability that doesn’t exist in iOS. When you establish a Work Profile on your Android phone, there’s true isolation between this profile and the rest of your smartphone.

In terms of privacy, if your employer has control of your Work Profile — which is how things are normally set up — then the information outside of that profile is absolutely off limits to them. They can’t see any of your private data, contacts, calendar events, messages, emails or camera roll. (Which means that you’ll need to back up these items yourself.)

But from a technological point of view, there are some things your employer can control outside of your Work Profile. For example, your employer may be able to keep you from installing certain apps, even on the personal side of your phone. They can also remotely lock your phone or erase it if necessary.

Your employer’s exact capabilities will depend on how your phone is set up. For example, many employers use a Bring Your Own Device (BYOD) approach to let you use your own phone for work but give them a little piece of the phone that they can protect for work purposes. In a BYOD environment, your employer may be even more limited in what they can do. On the other hand, some organizations use a Company Owned, Personally Enabled (COPE) approach. In a COPE environment, your employer still can’t reach into your private data, but they do have more control over the device settings, such as requiring a passcode to unlock your phone or tracking the device’s location.

 

Company policy and its affect on privacy

Your employer’s specific BYOD or COPE policy is also an important part of keeping your personal data private. In the U.S., employers have tremendous flexibility in what they can regulate. While the employer has the advantage in writing the policy that the employee has to agree with, these policies still have to be very specific in what types of information your employer can look at. If the policy doesn’t address a particular issue, then employers don’t have permission to overstep any privacy boundaries.

For employees, this means their employer’s BYOD or COPE policy must define all of the rules for data privacy. And if your employer says the information on your phone is considered private, then they cannot legally violate their own policy.

In the U.S., employees traditionally haven’t expected much privacy in employer-provided IT systems, such as company email — but that’s changing rapidly. When privacy issues have gone to court in the past, employers have usually won, because employer policies used to say, in effect, “You have no reasonable expectation of privacy on anything you do on our network.” In other words, if the policy says that particular information isn’t considered private, then you’ve been given notice that your employer can look at that type of data on your smartphone. This is true whether the device is personally owned (BYOD) or owned by the employer (COPE); U.S. law allows employers to enforce their device policies as long as the policies are clear and agreed to by the employee.

This imbalance in favor of employer access has changed as more people have started to bring their own smartphones and other personal computing devices to work. People have become much more sensitive to privacy issues, and policies have changed accordingly, giving greater respect to employee privacy and reassuring people that their private information will stay private.

The gray area emerges when an employer’s device policy doesn’t say anything about privacy. If there’s a question in court about what the policy says, the judges will likely ask, “Is there a reasonable expectation of privacy for this kind of information?” Employers can’t easily justify peeking into your smartphone for information that would normally be considered private. But a “reasonable expectation of privacy” can be interpreted very differently in different courtrooms.

 

Legal

Laws and regulations are third in this list because in the U.S. there are very few laws that directly protect your privacy, especially at the federal level. The Constitution doesn’t explicitly list privacy as a right, but the Supreme Court has stated that there are “penumbras” (shadows) within the Bill of Rights that give us a general right to privacy. These penumbras are generally cited when a law goes too far and invades our privacy rights — which is very different from protecting an employee’s right to privacy on their smartphone, no matter who paid for it or who manages it.

Since the federal government offers few protections, privacy rights are now determined state by state. Traditionally, California state law advances these protections faster than other states, but other states are also legislating in this area. The general direction across most of the U.S. is for state legislatures to increase privacy rights, but these rights remain very uneven.

 

Following the rules

Most of us think about privacy as personal protection, but it’s important to remember that we can forfeit our privacy if we don’t follow the established rules. Most BYOD/COPE policies, for example, say that certain device uses and apps are work-specific, and that’s where the employer is allowed to look; everything else on the device should not be used for work and is off limits to the employer.

To stay within the policy limits, you have to only do work within the apps that are controlled by your employer. For example, if policy states that all of your work chats must be in Microsoft Teams, choosing to have those conversations in WhatsApp or Facebook Messenger could cause you to lose some privacy rights to other software or data on your phone.

At the end of the day, your best phone privacy protections come from technology that partitions your work data and employer access from everything else on the device. At the same time, a clear and fair BYOD/COPE policy also helps protect employees’ privacy and sets the limits of what is and isn’t allowed.

 

An aside for HR and IT

To avoid problems with your company’s BYOD/COPE policy, make sure the policy is clear and understandable to your employees, and that employees are trained on the policy. Policies should be certified, even annually, to ensure that employees understand it; and that the policy is consistently enforced across the organization.

 

For more mobile security solutions, discover the array of tools in Knox Suite, Samsung’s end-to-end set of device management tools.