Finance firm ‘accessed personal data of staff using its security app’
A FINANCE company accessed an ‘excessive amount’ of employees’ personal data using a mobile phone app, a watchdog has ruled.
Alliance Trust Savings (ATS) in Dundee failed to comply with its data protection obligations, the Information Commissioner has determined.
The security app, MobileIron, was used by employees to access work systems from their personal phones. ATS refused to say what data was collected from workers’ devices after the watchdog’s criticism.
MobileIron is designed to protect confidential business information and gives users secure access to services.
It can determine a phone’s location and see what apps are installed, read text messages, corporate emails and web activity going through the corporate network. But concerns have been raised over such monitoring systems when staff are using their own mobile device for work purposes.
A whistleblower who raised the alarm over the volume of data collected by MobileIron said he felt ‘betrayed’ by ATS’s handling of his concerns. Alex Forootan, 36, began investigating after receiving an unexpected text message from Microsoft saying someone had attempted to access his email account. He worked as a database administrator at ATS’s Dundee HQ between October 2017 and October last year and is set to take the company to an employment tribunal next month.
He recently rejected a £10,000 payout over the matter, citing concerns about his ability to publicise the issue should he accept. ATS told investigators not all of MobileIron’s features were turned on when it was rolled out to employees.
But a watchdog’s review of the firm’s use of the app found it was processing an ‘excessive amount’ of personal data. The commissioner ruled that while ATS had configured the app to reduce the information collected, ‘it appears that the app must collect details of the other apps an individual may have installed on the device’.
ATS said it does not monitor sensitive personal data – such as dating or health apps.
The watchdog ruled ATS had used a system which is ‘inappropriate for its purposes’. It said the firm had ‘not been able to rely upon a lawful basis for processing this information’ as it could not show consent had been given by employees’.
An ATS spokesman said it was unable to discuss an ongoing tribunal ‘involving one of our former employees’, but added: ‘ATS uses an industryrecognised software application to secure corporate information held on personal devices used for work purposes and does not access or use the data for any other reason.’
‘Inappropriate for its purposes’