A Dundee-based financial firm has been censured by the Information Commissioner over the use of a mobile app which allowed it to access an “excessive amount” of employees’ sensitive personal data.
The watchdog ruled Alliance Trust Savings (ATS) failed to comply with its data protection obligations over the use of a security app called MobileIron, which had been used by employees to access work systems from their personal phones.
ATS, a major investment platform service provider based at Dundee’s West Marketgait, refused to say what data is currently being collected from workers’ personal devices following the dressing down from the watchdog.
MobileIron’s website states the app allows employers to see information such as carrier, country, device make and model, operating system, phone number, location, a list of installed apps and email.
SMS messages can also be relayed through the corporate email system, where a company’s data security team would have access to them.
The application is popular as it allows firms to secure and manage business content on mobile phones and tablets but concerns have been raised over the use of such monitoring systems when employees are using their own device for work purposes.
ATS told investigators not all of MobileIron’s features were turned on when it was rolled out to employees but a review of the company’s use of the app found it was processing an “excessive amount” of personal data.
The Commissioner ruled that while ATS had configured it to reduce the information collected, “it appears that the app must collect details of the other apps an individual may have installed on the device”.
ATS said it does not monitor sensitive personal data – such as dating or health apps – but as the app requires information to be collected, the watchdog ruled ATS had used a system which is “inappropriate for its purposes”.
It said the company had “not been able to rely upon a lawful basis for processing this information” because it could not show consent had been given by employees.
“As such ATS should consider whether there is an imbalance between itself and the individual, for example where the use of the app is required in order for the individual to fulfil their role at ATS,” the Commissioner said.
“In such cases it would be unlikely that consent was freely given as to the processing of this information.”
The watchdog said it was “concerned” the firm “did not fully consider the data protection implications of using the app in question prior to deployment” and ATS should ensure it “conducts a thorough review of the use of the app, addressing the concerns we have set out above”.
It said the company should have an “accurate record of the data it has collected” through the app.
ATS was asked by The Courier whether it was aware of any employees still using the app on their personal mobile phones for work purposes, and for the results of the “thorough review” ordered by the Information Commissioner.
It was also asked whether it will now release all information collected on employees through the app to those individuals.
ATS failed to answer any of the questions and ignored a follow-up email.
The company began as a savings scheme for shareholders of its parent company Alliance Trust PLC but was sold to Interactive Investor last year and became a wholly-owned subsidiary of the group.
A deal to sell ATS to the Embark Group was later agreed in a move which saw £6 billion of assets and about 30,000 clients transfer over to the Embark platform.
Whistleblower felt ‘betrayed’ by response to spying concerns
A whistleblower who first raised the alarm over the volume of data being collected by the MobileIron app said he felt “betrayed” by ATS’ handling of his concerns.
Alex Forootan, 36, began investigating after receiving an unexpected text message from Microsoft saying someone had attempted to access his email account.
Mr Forootan worked as a database administrator at ATS’s Dundee headquarters between October 2017 and October last year and is set to take the company to an employment tribunal next month.
He recently rejected a £10,000 payout from ATS over the issue, citing concerns about his ability to raise it to public attention should he accept.
ATS provided logs to Mr Forootan which appear to show his location and application data were not accessed within a set time frame but he remains concerned over the veracity of the information.
He said requests for details of exactly what data was collected and how many of his former workmates were still using the app were rejected by the company.
Mr Forootan said: “The police came to my house a couple of weeks ago but they said even if they inspect my phone, they won’t be able to get to the bottom of it because the app is essentially an anti-theft system, it is designed to assume the user is a thief and maybe the phone has been stolen.
“It’s not supposed to let the thief know they are enabling surveillance or tracking it down. It’s supposed to conceal itself from the end user, so it’s really hard.
“After you install it on your phone, you lose control and you have no way to find out. It’s disturbing really because it feels like they’ve found a legitimate way to spy on you and get to your phone without taking any liability.”
The whistleblower said he was not given the option of using a work-only device and it was made to feel like “standard procedure” that people should download the app on their personal phone.
He added: “I knew it wasn’t right. They shouldn’t keep me in the dark about what is going on with my own personal phone.
“Even if they haven’t got it enabled, I need to know who has access to my information. They wouldn’t even tell me who has access to the software.”
A spokeswoman for Alliance Trust Savings refused to be drawn on Mr Forootan’s case and said it was “unable to discuss the details of an ongoing tribunal case involving one of our former employees”.