Mobile Technologies and the Law Overview (19 November 2012)

The shortened URL for this document is: http://jiscleg.al/MobileTechOverview

Table of Contents

1. Who is This Paper For?
1.1 Background
1.2 The Difference Mobile Makes
2. The Legal Issues
2.1 Copyright
2.2 Equality, Accessibility and Inclusion Duties
2.3 e-Safety Duties
2.4 Data Protection
2.5 Use Your Own Device
3. Summary

Key Points

  • Mobile use can enhance the student learning experience
  • Staff mobile use can increase flexibility and productivity
  • Mobile use usually involves loss of institutional control
  • An institution’s policies and procedures in relation to mobile use need to be established and regularly reviewed

1. Who is This Paper For?

This paper considers the legal issues likely to arise from the use of mobile devices by colleges and universities. It will be relevant to staff with responsibility for planning and managing the introduction and use of mobile technologies in their institution and for lecturers, researchers and support staff using or supporting the use of mobile technologies. The paper will focus on copyright, e-safety, compliance with equality duties, and data protection, although it is recognised that other law such as freedom of information, health and safety, and employment law will also play a part.

1.1 Background

There is no specific “mobile technology law”. However, it is necessary to consider how pre-existing laws apply in a new and growing context, that of mobile technologies. The increasingly widespread use of mobile devices has put pressure on institutions to open up their systems, and policy decisions may vary depending on whether the use is by staff or by students.

Mobile phones, and other mobile devices such as tablets and laptops, are, to some extent, mini computers with the capability of holding and accessing data on the same basis as an institutional desktop. This is the starting point for colleges and universities when assessing the risks and the compliance issues.

1.2 The Difference Mobile Makes

There are three main differences for colleges and universities when assessing legal compliance issues in mobile technologies compared to the institutional desktop:

  • The uncertain location of where someone is accessing or using the institution’s services. The ideal is for the location of staff, students and other users to be irrelevant, but location can be legally relevant. For example, copyright licences may have geographical limits, and compliance with data protection law may require you to know if data is being transferred outside Europe.
  • The diversity of mobile devices. There is a huge range of devices upon which learners and staff might be using an institution’s materials, tools and resources. It is usually easy to pull the plug on an institution’s own computers. It is also easy to update, apply restrictions or filters to these, i.e. the institution controls its own devices. The same level of control is difficult or impossible to achieve over users’ own mobile devices.
  • Mobile devices are portable and personal – and easily lost. Mobile phones, Kindles, and other mobile devices are regularly left on trains, in cars, and stolen from employees’ homes, as is evidenced by the cases of data loss handled by the Information Commissioner’s Office (the ICO is responsible for policing data protection law). Institutions may also provide their staff with smartphones or permit use of their personal phones for work purposes. The extent of personal use may need to be revisited, and the right to remotely delete the data from a smartphone should it be stolen, lost or compromised, compulsory password protection, and the institution’s right to monitor are all issues that need to be considered in the context of mobile device use.

2. The Legal Issues

2.1 Copyright

What’s the issue? Institutional liability for breach of copyright or breach of contract terms agreed with publishers or software suppliers.

A common question is whether staff and students can use all of an institution’s resources legally via a mobile device. There is a common theme to the answers about copyright: it depends on the licence. The use of various materials in colleges and universities is permitted by licences, whether blanket licences or particular licences for specific resources. Some of those licences contain restrictions to do with digital rights management, and there may be restrictions on use: type of use, format of use, and even geography, as some materials may only be used in a certain place. An institution needs to look at its licences, and decide whether they are fit for its purposes after considering the relevant limits on use. There are also questions of adaptation. A tutor might not always want to deliver the same thing to a mobile device as is delivered to a desktop, and the constraints that licences may place on that need to be checked. For example, adaptation of materials in copyright is a restricted act. This means that the copyright owner has the right to control whether or not adaptations may be made, and to grant or deny permission to make such adaptations. Common questions come up about apps, mobile apps, content purchased through various providers such as iTunes or Kindle, and to what extent such content can be used. There may also be issues regarding software licences used by the institution and whether additional licences are required for mobile use. Again, it comes back to looking at the licence terms and conditions.

Key points on copyright and mobile devices:

  • Copyright law extends to mobile use
  • There is a difference between merely accessing and actual copying of a work and keeping it on a mobile device
  • Check that your institution’s licences, including software, cover remote access
  • Check your licences permit adaptation of your resources for mobile use
  • Check that the device and resource terms of use permit the level of access you need

Further reading: JISC Legal’s Copyright Law resources (www.jisclegal.ac.uk/copyrightIPR)

2.2 Equality, Accessibility and Inclusion Duties

What’s the issue? Institutional liability for discrimination under the Equality Act 2010.

The Equality Act 2010 places duties on institutions to be proactive when looking at inclusion, to provide for those with disabilities and to make reasonable adjustments to fulfil those duties. The good news is that mobile technologies are often useful for users with disabilities, and by making adaptations, and by thinking about inclusivity, everyone benefits, not only those with disabilities. Institutions have to explore the duty to be proactive, to make reasonable adjustments, and ensure inclusivity.

Key points on accessibility and inclusion duties:

  • Include mobile options when assessing students’ needs
  • Not every use of mobile technologies will suit all students
  • Mobile devices and student use of their own device may present many advantages for students and aid inclusion
  • Websites and materials may need updating to ensure inclusivity


Further reading: JISC Legal’s Equality, Disability and the Law resources (www.jisclegal.ac.uk/EqualityDisabilityandtheLaw)

2.3 e-Safety Duties

What’s the issue? Institutional liability for failing in its duty of care to prevent foreseeable harm to its learners.

Mobile devices extend the reach of the campus. Once upon a time, a student was ‘at college’ when they were sitting in a room in the college, and up until they got out of the gates. That’s not the case anymore: technology, including mobile, has extended the campus, and with it, the learning context. In addition, there is a blurring of private and public life for both staff and students through the use of mobile devices.

Institutions need to find the boundaries and the limits, and set behaviours that are appropriate to ensure quality and safety, ensuring learners learn in a safe and secure environment. To that extent, the law imposes a ‘duty of care’ on all institutions and quality assurance and/or funding bodies will consider how well learners are safeguarded in their use of ICT (including mobile devices).

This duty of care means that institutions must think about potential harm or injury that might come to students and staff, and anyone else who is connected with the institution’s activities, which the university or college could reasonably foresee and prevent.

In the digital context an institution needs to be able to tackle behaviour adverse to e-safety and security. That includes defamation, harassment, bullying and other threatening behaviour. There is also the need to deal with suspicions of crime that come to the notice of staff, such as computer misuse, fraud, harassment, bullying, or malicious communications. Again, institutions should have planned, consistent, fair and legal procedures that deal with these situations when they arise.

Key points on e-safety and the law:

  • Mobile use can lead to inappropriate informality and use involving staff and students
  • Ensure your user etiquette and acceptable use policies cover mobile devices
  • Consider e-safety for younger or vulnerable learners
  • Assess risks at outset of a new project
  • Plan for incident handling


Further reading: JISC Legal’s e-Safety resources (www.jisclegal.ac.uk/esafety)

2.4 Data Protection

What’s the issue? Breach of confidentiality, contract, or data protection law due to the inadvertent release or loss of information.

Many mobile devices now have the capability of copying and storing information accessed via a secure password protected network. They offer flexibility of access to information and learning at convenient times and offer control of pace. On the downside, this flexibility may place added pressure on employees, which may in turn lead to unauthorised and unintentional disclosure of personal or confidential data. Student data, staff data and research data may all contain information about identifiable, living individuals. The use of such data is controlled by the Data Protection Act 1998 (DPA), and the use of mobile technology may create particular risks. It may also give rise to new personal information such as location tracking data. The DPA ‘principles’ apply to mobile technologies, in particular the requirement that processing of personal data must be done fairly and lawfully, and appropriate security precautions must be taken.

Consent to processing of the personal data of your staff, learners and other users such as alumni should already have been obtained for college or university purposes. Such consent should be checked to make sure it includes the proposed new mobile activity and that consent is obtained with regard to any third party information: for example, interviewees as part of a learner’s coursework. Security measures such as user authentication should also not be overlooked in your planning. Encryption may be necessary where processing of personal data takes place using mobile devices. The DPA does not distinguish between data held on-site and data taken off-campus, and the obligations on the data controller (i.e. the college or university) to ensure appropriate security remain the same, but the challenges in easily controlling and securing the data increase.

Key points on data protection:

  • The DPA principles apply to mobile use
  • Mobile use may also result in new personal data e.g. location data
  • Rules on password/PIN and encryption requirements and appropriate security need to be clear to fulfil the institution's DPA compliance obligations
  • Data protection and acceptable use policies for staff and students should reflect mobile device use both on and off campus


Further reading: JISC Legal Paper on Security, Mobile Devices and Data Protection (www.jisclegal.ac.uk/SecurityMobileDevicesandDP)

2.5 Use Your Own Device

Colleges and universities, in some contexts, may provide mobile devices including smartphones to relevant staff. They may also be considering extending their current remote access provision (e.g. via VPN), where staff and students use their own devices off campus, to a “bring your own device” (BYOD) policy allowing students, as well as staff, to connect to the campus network with their own personal devices. The use of employee-owned mobile devices to access systems is a current and widespread practice. There may be an increasing expectation that staff can use their own devices ‘on the premises’ too, but at present, this is secondary to remote access by employees on their own devices. However, it is the students’ desire to use their own devices both on and off campus, and the security issues arising from this, which are driving the need for institutions to consider their stance with regard to BYOD.

2.5.1 Employees, remote access, and institution provided devices

Permitting employees to use their own devices to connect to the university network has cost, productivity and usability advantages. However, there are risks attached which need to be assessed, and consideration should be given to the types of information being stored on such devices. Smartphones are now essentially mini-computers with download and storage capacity, and institutions need to consider security and use from this viewpoint. Smartphones may be set up to provide access to work emails, calendars, task lists, documents, meeting notes, etc., all of which may contain personal data, or commercially sensitive or confidential information. When assessing the risks for own device use, institutions should consider the employee’s role in the institution and the information which can be accessed, and should consider the level of security which is appropriate.

The huge increase in the number of mobile devices accessing an institution’s IT network also opens up the increased security threat of malware. Institutions need to assess the risks for their own circumstances, and have in place appropriate policies and practices to ensure that staff are clear as to what is and what is not permitted. For example, on an institution-owned device, is personal use and the use of apps permitted and is the employee aware of whether the institution will remote wipe the device in the event of loss? On the other hand, how is remote wiping or the use of passwords or other authentication handled in the case of personal devices used for work purposes?

Even where the institution permits use of employee-owned devices, an institution’s control over the device will be less than over an institution-provided device. An institution may allow access to its email and calendar system via a smartphone and issue technical guidelines to staff on synchronising a mobile device to receive emails, but guidelines should also be issued as to the security expectations and the applicability of the institutional policies on work-related email and internet use. Many mobile users do not set a password/PIN to protect their own mobile devices as this is seen as an inconvenience, and this attitude needs to be borne in mind if institutions are encouraging mobile-based access to systems. Clear, appropriate and realistic policies are needed to ensure institutional compliance. For the moment, the technology to ‘remote wipe’ an employee’s own smartphone in the event of loss is rarely available. However, it is clear that as technology develops, technical solutions such as partitioning a phone may be an option.

In adopting a full BYOD strategy for staff, security of the campus network and information, loss of control of devices, and the need to address the expectations of staff regarding IT support across many platforms will all be risks for institutions to manage.

2.5.2 Students and BYOD

Students are increasingly expecting to use their own mobile devices both on and off campus, and the institution will again need to consider the security implications of this as well as the need to have a robust infrastructure that can support varying devices. Clarity needs to be provided to students as to what is and is not provided: for example, will an institution be able to provide access for all devices (iPhone, Android, etc.) or will it have constraints, and what level of IT support will be provided?

Another issue to address is where the student is using his own device in sensitive areas regarding collection of data for his own studies, e.g. university research students using mobile devices to record sensitive personal data from experiments conducted on campus, or college nursing students recording home visit notes with sensitive health-related personal data. The institution should ensure that acceptable use, data protection and student behaviour policies and contracts all reflect the use of students’ own devices.

Key points on data protection and use of personal mobile devices:

  • Establish what devices may connect to your network - would any need for restrictions resulting in loss of functionality make it less attractive for students and staff?
  • Establish extent of permitted personal use on institution-supplied devices to staff
  • Where mobile access using employee-owned devices is permitted, the institution may need to offer IT security support, and limits of responsibility for management and maintenance need to be clear
  • An institution may need to consider the necessity of agreement to remote locking/wiping of data in appropriate cases
  • Rules on password/PIN and encryption requirements and appropriate security need to be clear to fulfil the institution's data protection compliance obligations
  • Data Protection and acceptable use policies for staff and students should reflect mobile device use both on and off campus
  • Use of employee-owned devices may have equality duty benefits - it is inappropriate to default to 'lock it all down', rather than to make a reasoned risk assessment

Further Information: JISC Legal’s Mobile Technologies and the Law Webcast (www.jisclegal.ac.uk/mobilewebcast)

3. Summary

Mobile devices can provide important benefits and opportunities for colleges and universities in teaching and learning, research, outreach and administration. Institutions need to establish their approach to the use of mobile devices and ensure that their policies and procedures are up to date so that staff and students are clear as to how devices are to be used in the institutional context.

Posted on 19/11/2012