
EXCLUSIVE: Dundee firm Alliance Trust Savings censured after whistleblower’s ‘spying’ concerns

Alex Forootan. Image: DC Thomson.

A Dundee-based financial firm has been censured by the Information Commissioner over the use of a mobile app which allowed it to access an “excessive amount” of employees’ sensitive personal data.

The watchdog ruled Alliance Trust Savings (ATS) failed to comply with its data protection obligations over the use of a security app called MobileIron, which had been used by employees to access work systems from their personal phones.

ATS, a major investment platform service provider based at Dundee’s West Marketgait, refused to say what data is currently being collected from workers’ personal devices following the dressing down from the watchdog.

MobileIron’s website states the app allows employers to see information such as carrier, country, device make and model, operating system, phone number, location, a list of installed apps and email.

SMS messages can also be relayed through the corporate email system, where a company’s data security team would have access to them.

Alliance Trust Savings’ West Marketgait headquarters

The application is popular as it allows firms to secure and manage business content on mobile phones and tablets but concerns have been raised over the use of such monitoring systems when employees are using their own device for work purposes.

ATS told investigators not all of MobileIron’s features were turned on when it was rolled out to employees but a review of the company’s use of the app found it was processing an “excessive amount” of personal data.

The Commissioner ruled that while ATS had configured it to reduce the information collected, “it appears that the app must collect details of the other apps an individual may have installed on the device”.

ATS said it does not monitor sensitive personal data – such as dating or health apps – but as the app requires information to be collected, the watchdog ruled ATS had used a system which is “inappropriate for its purposes”.

It said the company had “not been able to rely upon a lawful basis for processing this information” because it could not show consent had been given by employees.


“As such ATS should consider whether there is an imbalance between itself and the individual, for example where the use of the app is required in order for the individual to fulfil their role at ATS,” the Commissioner said.

“In such cases it would be unlikely that consent was freely given as to the processing of this information.”

The watchdog said it was “concerned” the firm “did not fully consider the data protection implications of using the app in question prior to deployment” and ATS should ensure it “conducts a thorough review of the use of the app, addressing the concerns we have set out above”.

It said the company should have an “accurate record of the data it has collected” through the app.

ATS was asked by The Courier whether it was aware of any employees still using the app on their personal mobile phones for work purposes, and for the results of the “thorough review” ordered by the Information Commissioner.

It was also asked whether it will now release all information collected on employees through the app to those individuals.

ATS failed to answer any of the questions and ignored a follow-up email.

The company began as a savings scheme for shareholders of its parent company Alliance Trust PLC but was sold to Interactive Investor last year and became a wholly-owned subsidiary of the group.

A deal to sell ATS to the Embark Group was later agreed in a move which saw £6 billion of assets and about 30,000 clients transfer over to the Embark platform.

 

Whistleblower felt ‘betrayed’ by response to spying concerns

A whistleblower who first raised the alarm over the volume of data being collected by the MobileIron app said he felt “betrayed” by ATS’s handling of his concerns.

Alex Forootan, 36, began investigating after receiving an unexpected text message from Microsoft saying someone had attempted to access his email account.

Mr Forootan worked as a database administrator at ATS’s Dundee headquarters between October 2017 and October last year and is set to take the company to an employment tribunal next month.


He recently rejected a £10,000 payout from ATS over the issue, citing concerns about his ability to raise it to public attention should he accept.

ATS provided logs to Mr Forootan which appear to show his location and application data were not accessed within a set time frame but he remains concerned over the veracity of the information.

He said requests for details of exactly what data was collected and how many of his former workmates were still using the app were rejected by the company.

Mr Forootan said: “The police came to my house a couple of weeks ago but they said even if they inspect my phone, they won’t be able to get to the bottom of it because the app is essentially an anti-theft system, it is designed to assume the user is a thief and maybe the phone has been stolen.

“It’s not supposed to let the thief know they are enabling surveillance or tracking it down. It’s supposed to conceal itself from the end user, so it’s really hard.

“After you install it on your phone, you lose control and you have no way to find out. It’s disturbing really because it feels like they’ve found a legitimate way to spy on you and get to your phone without taking any liability.”

The whistleblower said he was not given the option of using a work-only device and it was made to feel like “standard procedure” that people should download the app on their personal phone.

He added: “I knew it wasn’t right. They shouldn’t keep me in the dark about what is going on with my own personal phone.

“Even if they haven’t got it enabled, I need to know who has access to my information. They wouldn’t even tell me who has access to the software.”

A spokeswoman for Alliance Trust Savings refused to be drawn on Mr Forootan’s case and said it was “unable to discuss the details of an ongoing tribunal case involving one of our former employees”.