How do I preserve and collect ESI from an employee's personal phone under a BYOD policy?
Preserving and collecting electronically stored information (ESI) from an employee’s personal device under a Bring Your Own Device (BYOD) policy sits at the intersection of litigation duties, employee privacy, and practical access. The work is defensible only when each step is deliberate, documented, and proportionate to the matter.
Establish the Duty and Possession, Custody, or Control
A preservation obligation generally arises once litigation is reasonably anticipated. The threshold legal question is whether the organization has the right to access the relevant data on a personal device — often framed as “possession, custody, or control.” This depends heavily on your BYOD policy language, employment agreements, and the governing jurisdiction. Rules and standards differ across U.S. federal courts, state courts, and other countries, so confirm the applicable law before acting.
Issue and Track a Legal Hold
When the duty attaches, issue a written legal hold to the custodian (the employee) and any administrators of associated accounts or mobile-device-management systems. The hold should:
- Identify the relevant data types (texts, app messages, photos, call logs, email, cloud backups).
- Instruct the custodian to suspend deletion, auto-purge, and device-reset settings.
- Be reissued and acknowledged periodically, with tracking retained.
Collect Defensibly and Proportionately
Collection from personal phones raises real privacy concerns, so scope it narrowly to relevant data and time periods. Good practice includes:
- Documenting chain of custody and the collection method.
- Preserving metadata and original content integrity.
- Using forensically sound, repeatable processes rather than manual screenshots where feasible.
- Considering targeted collection of only responsive material to limit exposure of personal information.
Coordinate among legal, records/information governance, IT, and the employee. Privacy frameworks and information-governance standards can help structure the privacy analysis and consent approach.
Document Everything
Courts evaluate the reasonableness of your efforts, not perfection. Contemporaneous documentation of decisions, scope, custodian communications, and methods is your best defense against spoliation claims. Where access or technical limits exist, record them and the steps taken to address them.
For broader context on the discovery lifecycle, see /topics/ediscovery/.
Because mobile and BYOD issues evolve quickly, treat your BYOD policy, hold templates, and collection workflows as living documents reviewed with counsel.
Sources & further reading
Authoritative government and non-profit references.
- Federal Rules of Civil Procedure — U.S. Courts
- The Sedona Conference publications — The Sedona Conference
How to cite this page
APA
RM University Editorial. (2026). How do I preserve and collect ESI from an employee's personal phone under a BYOD policy?. Records Management University. https://www.recordsmgmt.org/questions/preserve-collect-esi-from-byod-personal-phone/
MLA
RM University Editorial. "How do I preserve and collect ESI from an employee's personal phone under a BYOD policy?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/preserve-collect-esi-from-byod-personal-phone/.
Related questions
- A key custodian left the company—how do we preserve and collect their email and files after they're gone?
- An employee admitted to deleting emails relevant to a lawsuit—what do we do now?
- Are curative measures or monetary fines available when lost data can be replaced through other sources?
- Can a company be sanctioned for spoliation when an employee auto-deleted text messages or ephemeral chats?
- Can a court order cost-shifting or limit search terms when keyword searches return an unmanageable hit count?