
Data retention and gathering....right questions to ask

  • 21-10-2014 8:47pm
    #1
    Closed Accounts Posts: 205 ✭✭


    Hi,
    Hope this is the right place to ask...

    I need to get some info on what data is to be gathered and processed by a work smartphone (to be rolled out to fellow employees in 2015)
    Now I know the company is supposed to disclose what the device will exactly do and what data is retained...we are forming a technical group to deal with the company ( company is OK with this)

    Can I have some examples of sample questions that we may put to the company, thanks.


Comments

  • Closed Accounts Posts: 205 ✭✭Autonomous


    Found a lot of info on office of data protection commissioner, mainly under guidance for employers. ....
    surprised by lack of responses here,
    Lots of companies pushing the boundaries in recent years, people need to educate themselves to their rights.


  • Moderators, Society & Culture Moderators Posts: 9,768 Mod ✭✭✭✭Manach


    My understanding is that the key term is that the data is personal: i.e. can be used to identify an individual and aspects of their personal life. This has been outlined both in the initial EU Directive and court judgements since. So practically this should mean that the smart phone can gather data about one's usage during working hours: i.e. who is being called, what is being accessed, GPS info, etc. But outside working hours this type of data should not be looked at as it falls under the realm of sensitive information and this has a higher level of protection than normal personal data.


  • Closed Accounts Posts: 205 ✭✭Autonomous


    This says it all,
    "the data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected"


  • Moderators, Society & Culture Moderators Posts: 9,768 Mod ✭✭✭✭Manach


    That is the proportionality element. But that has been at times difficult to quantify. There were fairly recent examples in the UK where local authorities were seeking data on birth dates when collecting taxes. To determine if that was within the relevant and excessive parameters of the data law took several court actions to resolve.


  • Registered Users, Registered Users 2 Posts: 10,501 ✭✭✭✭Slydice


    The EU directive was struck out. http://humanrights.ie/civil-liberties/cjeu-strikes-down-data-retention-directive/

    You don't have to retain any info.

    You can decide to retain info. If you do, you should probably inform the person involved and both countersign some agreement about what will and will not be retained.

    As you are a business, probably retain the billing costs as it affects your bottom line and you'll want to know who tends to spend too much on their mobile. Have a simple agreement that the employee agrees not to do anything illegal or anything that can bring your company into disrepute.


  • Closed Accounts Posts: 205 ✭✭Autonomous


    I'm more interested in a person's rights against data gathering, not a company's right to collect all and anything... a previous company I worked for used to try and use a GPS tracker on a van as a means of remotely monitoring staff, despite an understanding that they were installed for van safety only and a company document to that effect was given to staff.

    They were caught numerous times breaching this and slapped back in line by the Unions.


  • Registered Users, Registered Users 2 Posts: 10,501 ✭✭✭✭Slydice


    Ah right. Well sure, here's the website for the rules: https://www.dataprotection.ie

    Generally, they shouldn't collect data for you unless it's part of a business reason. It's also a good idea to have an agreement in writing signed by both sides. It should have the business reason stated.


  • Registered Users, Registered Users 2 Posts: 6,344 ✭✭✭Thoie


    Things I think would be perfectly reasonable for a work smart phone:

    Gathering, keeping, and reviewing what phone numbers are called, how often and why. Make it clear that work phones are not for making personal calls.

    I think it would be reasonable for a company to collect info on what websites are visited (but not usernames/passwords of those websites).

    It would be reasonable for the company to know what applications are installed (but not the username/passwords for those applications).

    It would probably be wise to suggest that employees set up a separate google account (if Android) for use on the work phone.

    Agreements would need to be in place for when/how/where phone and data roaming is allowed. E.g. maybe no data roaming at all, or only when travelling on business.

    Unless being out and about is part of your job, I can't see how location information is any business of your company.


  • Registered Users, Registered Users 2 Posts: 6,374 ✭✭✭Gone West


    Thoie wrote: »
    Things I think would be perfectly reasonable for a work smart phone:

    Gathering, keeping, and reviewing what phone numbers are called, how often and why. Make it clear that work phones are not for making personal calls.

    I think it would be reasonable for a company to collect info on what websites are visited (but not usernames/passwords of those websites).

    It would be reasonable for the company to know what applications are installed (but not the username/passwords for those applications).

    It would probably be wise to suggest that employees set up a separate google account (if Android) for use on the work phone.

    Agreements would need to be in place for when/how/where phone and data roaming is allowed. E.g. maybe no data roaming at all, or only when travelling on business.

    Unless being out and about is part of your job, I can't see how location information is any business of your company.

    Anyone who knows their MDM product inside out will be able to tell you that there's a huge difference between
    a) What the software is collecting
    b) What the software can collect if the administrator wants to
    c) What data is legal to collect and store.

    Some interesting discussions on this:
    Line between work and personal data (largely depends on MDM strategy/products used)
    Legality across borders. Seems to me that each EU country has deliberately misinterpreted the EU directive on this. And each country has interpreted it in different, often contradictory ways. This makes it difficult to roll out a large global corporate smart phone project. Germany will forbid you from collecting any data whatsoever, while the USA (SEC) might mandate you record all phone calls and store for 7 years.


  • Registered Users, Registered Users 2 Posts: 26,288 ✭✭✭✭Mrs OBumble


    Another approach is just to ban all personal use of the work phone. Then the only thing to worry about is GPS data collected while you are on-call but not actually working.


  • Closed Accounts Posts: 205 ✭✭Autonomous


    In our job there is no valid argument the company can make to monitor by gps.
    I never use work phone for personal use.


  • Closed Accounts Posts: 205 ✭✭Autonomous


    Found this in the relevant Act
    "Right of data subject to object to processing likely to cause damage or distress"
    Any other data than the phone bill would be distressing to me, so feck them

