In Canada, there has been an increasing trend of employers permitting or requiring employees to use their own mobile devices for business purposes, commonly known as Bring Your Own Device (BYOD) programs. The practice raises privacy concerns for employees, as well as concerns for employers about the ownership of company data on a device they do not control and the ability to retrieve or remove that data when an employee departs.
In August 2015, the Privacy Commissioner offices of Canada, British Columbia and Alberta jointly issued a paper considering the privacy implications of BYOD programs. The paper also provides useful recommendations for employers.
Recommendations include the need to conduct both a privacy impact assessment and a threat risk assessment. These should be done before personal information is allowed to be collected, used, disclosed, stored and/or retained on personal devices. The privacy impact assessment is directed at compliance with legal privacy requirements. The threat risk assessment is meant to ensure that the organization has considered the security of its data on devices it does not own or fully control. For example, if a device will also hold company data, the organization should consider which applications it will permit, and which it will restrict, on the employee's device.
Another important recommendation is to have specific BYOD policies that inform users of their reasonable expectation of privacy and whether the organization intends to monitor the device. Some organizations require geo-location tracking to be enabled on smartphones enrolled in a BYOD program. In those circumstances, the organization should give specific notice of how it intends to use the geo-location data, and ensure that the use is reasonable.
Options discussed by the Commissioners include "sand-boxing" or "containerization", which partitions the employee's personal data from the company's data on the same device. Effective containerization software can reduce some of the privacy and security risks, but it does not eliminate them. Containerization is nonetheless strongly recommended, given the requirement that organizations take reasonable steps to safeguard personal information in their custody or control from unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.
Finally, the amendments to the federal Personal Information Protection and Electronic Documents Act made by the Digital Privacy Act, which received Royal Assent on June 8, 2015, introduce new data breach notification obligations. Organizations with a BYOD program should therefore have a documented incident management process for security incidents and privacy breaches, including those involving a lost, stolen or compromised personal device. This will help to ensure that the organization can meet its obligations to notify affected parties as required in the event of a privacy breach.