The Australian government recently implemented a ban on social media platform TikTok on all public sector devices. How can HR craft a mobile phone policy fit for the new world of work?
Concerns about popular social media platform TikTok are in the spotlight, as new control measures have risen to a federal level.
On 4 April this year, the Australian government joined New Zealand, the UK, the US, Canada and the European Commission in barring the app from all public sector devices.
The push for a ban in the public sector was a natural response to mounting data security concerns about the video-sharing app, says Michael Byrnes, Employment Partner at law firm Swaab.
“If we assume that what has been asserted about TikTok is correct – which is that there’s a real risk of data breaches, either through TikTok itself managing to take confidential data from a phone, or alternatively through leaving those devices open to attack – then those risks will be most acute with government agencies and government departments,” he says.
HR has placed increasing focus on cybersecurity in recent years. Along with the buzz around contentious apps such as TikTok, surges in cyber crime and a mass cyber skills shortage are only adding to existing concerns about potential data breaches.
According to ELMO’s most recent HR Industry Benchmark Report, HR professionals ranked data security as the second-biggest challenge they expected to face in 2023.
With the issue of software bans on work-issued devices in the spotlight, now is an opportune time for HR to assess the strength of its mobile phone policy, says Byrnes.
“Employers are often very strict about [cybersecurity] when it comes to laptops and desktops – there are usually pretty firm rules about not installing non-system software or applications on those devices. However, those rules can tend to break down a bit when it comes to mobile phones and tablets,” he says.
How much say do employers have in mobile phone usage?
According to Byrnes, public sector employees who oppose the TikTok ban would struggle to defend its use on work-issued phones.
“If the device is issued by the employer, they have great control over what the employee puts on that device. If they wanted to, they could ban all social media, or any non-approved apps at all,” he says.
“The only exception would be if the direction not to have a particular app or programme on a device would mean that the employee can’t effectively perform their work.
“Where it gets tricky, though, is where an employer has a bring-your-own-device [BYOD] policy.”
With a BYOD policy, requesting a ban on any particular app is likely to be seen as an unreasonable incursion into an employee’s private life, he says.
While there may be circumstances in which an employee’s use of social media might put themselves or their colleagues at risk – such as in the case of defence personnel – in the vast majority of cases, employers will not be able to direct employees not to have an app like TikTok on their phones.
“This reflects the inherent problem with bring-your-own-device policies,” says Byrnes. “How can a company really say it’s protected its confidential information in circumstances where it allows that information to sit on a device that it doesn’t own or control?”
Even if employers partially subsidise their employees’ phone expenses to cover the use of their devices for work, they will likely not have the right to bar apps from these devices, he says.
Crafting a smartphone policy fit for 2023
A common issue employers face with mobile phone policies is that they are difficult to monitor and enforce. Often, organisations do not become aware of a cybersecurity issue on an employee’s phone until a breach occurs. To avoid this, employers need to proactively remind their people of what’s expected of them when it comes to data protection, says Byrnes.
“There could potentially be some active monitoring that is done either on a random basis or selected basis, but ultimately, it comes down to employees being made aware on a regular basis of the policies and procedures that are in place, and to confirm positively that they are complying with all of the requirements,” he says.
Since the onus is largely on employees to keep their devices secure, it’s also crucial that mobile phone policies are simple to understand and adhere to.
“You don’t want devices and systems so caught up with security measures that they become a nightmare to effectively use,” says Byrnes. “You don’t want people needing to change their password so often that they can’t remember what it is, because that in itself can become a risk.
“You need to have a policy that can be practically implemented, and you need really good, well-informed advice upon which decisions can be made and against which policy can be benchmarked or measured.”
Particularly in cases where employers are considering control measures for TikTok or similar platforms, HR should ensure that they are approaching these policies purely through a cybersecurity lens.
“People hear TikTok, and they think social media, so they think it’s something to address in a social media policy,” says Byrnes.
“It’s actually best to address the issue of downloading particular apps and keeping them on your phone or device in the IT policy, as opposed to the social media policy, which is really directed at a different type of issue.
“The [social media policy] is about whether there is posting or uploading on social media that might be inconsistent or incompatible with the employee’s obligations to their employer. The IT policy is directed at maintaining data integrity, confidential information and the privacy of clients and customers.”