The Information Commissioner ruled that the financial firm failed to comply with its data protection obligations over the use of a security app called MobileIron, which had been used by employees to access work systems from their personal phones.

MobileIron’s website highlights that the app allows employers to see information such as carrier, country, device make and model, operating system, phone number, location, a list of installed apps and email.

SMS messages can also be relayed through the corporate email system, where a company’s data security team would have access to them.

ATS refused to reveal what data is currently being collected from workers’ personal devices after the action was taken by the watchdog. 

The app is popular, as it allows companies to secure and manage business content on phones and tablets, however, concerns have been raised over the use of such monitoring systems when employees are using their own device for work purposes.

The firm told its investigators that not all of MobileIron’s features were turned on when it was distributed to its employees but a review of the use of the app found that it was processing a large amount of personal data.

The Commisioner ruled that while ATS had configured it to reduce the information collected, “it appears that the app must collect details of the other apps an individual may have installed on the device”.

ATS said it does not monitor sensitive personal data – such as dating or health apps – but as the app requires information to be collected, the watchdog ruled ATS had used a system which is “inappropriate for its purposes”.

The Information Commisioner said it “not been able to rely upon a lawful basis for processing this information” because it could not show consent had been given by employees.

It added: “As such ATS should consider whether there is an imbalance between itself and the individual, for example where the use of the app is required in order for the individual to fulfil their role at ATS. In such cases it would be unlikely that consent was freely given as to the processing of this information.”

The watchdog said it was concerned that ATS “did not fully consider the data protection implications of using the app in question prior to deployment” and ATS should ensure it “conducts a thorough review of the use of the app, addressing the concerns we have set out above”.

The Information Commisioner said ATS should have an “accurate record of the data it has collected” through the app.

The Courier asked ATS whether it was aware of any employees still using the app on their personal mobile phones for work purposes, and for the results of the “thorough review” ordered by the Information Commissioner. It was also asked whether it will now release all information collected on employees through the app to those individuals.

ATS failed to answer any of the questions and ignored a follow-up email.