What employment issues must companies consider in deciding whether to switch to the bring your own device (BYOD) model?
An employer should first consider whether the BYOD model under consideration would violate the applicable employment standards legislation, particularly if the employer requires its employees to pay for the cost of operating the devices (eg, airtime and data fees). The employment standards legislation of some Canadian jurisdictions prohibits employers from passing on their business costs - which arguably include the cost of operating mobile devices for business use - to employees. For instance, the position of the British Columbia Ministry of Jobs, Tourism and Skills Training is that the employer must pay for the cost incurred by the use of a mobile phone for business purposes.
Furthermore, the common law may recognise an implied duty of an employer to pay for these devices and their operating costs because they constitute expenses incurred in the course of employment for the employer's gain. To avoid such terms being implied by a court, the employment contract should clearly spell out the terms and conditions regarding who is responsible for the cost of electronic devices and their associated operating fees (subject to any limitations imposed by the applicable employment standards legislation).
With respect to the ongoing administration of the BYOD model, there are two main intersections between BYOD and employment law: overtime pay exposure and employee misconduct.
When an employee is working from his or her own device, it is easier for the employee to perform work during non-working hours. If this employee is entitled to overtime, the time spent working on the device will count as time worked for the purposes of calculating the employee's overtime entitlement. Employers should be mindful of this possibility and develop a consistent approach to tracking employee hours so that time spent working on a personal device is captured.
If an employer is concerned about the risk of additional overtime, the employer should implement a clear policy about emailing and other activities outside of working hours. For example, an employer may wish to request that employees not send work-related emails after a certain time in the evening.
Second, employees may be disciplined for using their personal devices for purposes that are contrary to the interests of the company. For example, in Hendrickson Spring, OLAA No 440 an employee connected his mobile phone to his work laptop in order to access the Internet and watch non-work-related videos on his phone. In doing so, the employee skirted the company's firewall and exposed his work computer to a potential security breach. The employee was fired for his conduct and a grievance arbitrator upheld the employer's decision.
In order to justify discipline for employees who misuse their own devices, an employer must have a clear BYOD policy that sets out acceptable usage. An employer should also clearly communicate and consistently enforce this policy so that employees know what to expect when using their own devices for work purposes.
Employers may also wish to consider whether to continue to permit access to work email and other programs while an employee is on an extended leave.
Are there any specific issues that organisations with a global presence, or those in highly regulated sectors, should bear in mind?
Organisations with a global presence may have greater exposure to security risks if employees are connecting to WiFi networks abroad. Employers should ensure that employees' devices will not transmit work-related information over unsecured WiFi signals, and that employees who travel abroad for work purposes are provided with a data plan to cover their business needs.
Employers in highly regulated sectors may also be exposed to additional regulatory liability if employees mishandle company information. Employers in these sectors may wish to consider more rigorous safeguards to protect information, such as encrypting employees' devices or particular files or requiring a password to open certain documents.
How do privacy laws, employment laws and protecting a company's confidential information overlap or intersect on this issue – and how can they be reconciled, given their disparate aims?
Privacy law and employment law typically intersect when an employer wishes to inspect or monitor an employee's device. In a recent decision the Supreme Court of Canada determined that the police had improperly searched an employee's work computer. The court held that an employee had a "reasonable expectation of privacy" in his work computer, given that an employee's computer contains "information that is meaningful, intimate, and touching on the user's biographical core" (R v Cole, 2012 SCC 53, at para 2). While this case focused on a person's right to freedom from unreasonable search and seizure by police, it will likely have an impact on future decisions involving broader privacy considerations in the workplace, such as the extent to which employers can monitor employee activity on electronic devices.
From an employer's perspective, there is no simple solution to creating a BYOD system that protects the confidentiality of both employer and employee. The success of a BYOD policy requires the employer to strike a careful balance between employees' privacy interests and an employer's legitimate business interests.
In a unionised environment, the union may bring a grievance if it feels that the employer has overreached and has violated employees' privacy interests. If possible, the union should be consulted when developing a BYOD policy such that the union is aware of the terms of the policy and has a better understanding of the employer's business needs.
An employer's confidentiality interests may also intersect with employment law if the employee breaches his or her contractual or common law duty of confidentiality. If an employee discloses confidential information, this may be grounds for discipline or termination based on the nature and scope of the employee's duty of confidentiality to the employer.
For those that make the switch to BYOD, how can the confidentiality of both employer and employee be preserved?
Employers should have a detailed BYOD policy to ensure that the confidentiality of both the employer and the employee is preserved.
When developing a policy, employers should first work to understand when, where and how employees will be using their devices for business purposes. Employers can then tailor their BYOD policies to the needs of their business and their employees, and can strike the right balance between employer and employee interests.
A BYOD policy should include the following information:
- List of permitted devices - it may be easier to streamline technology, storage and security measures if employees are using the same family of devices.
- Definition of 'confidential information' - the employer may also wish to specify types of information that are confidential and remind employees that the employer retains ownership of this information.
- Security protocol - the employer should consider what level of protection employees should maintain on their devices. For example, an employer may require a device or certain documents to be password protected or encrypted.
- Monitoring protocol - all BYOD policies should clearly state what the employer is monitoring and what right the employer retains to audit the employee's device. For example, an employer may wish to monitor and control certain settings on the phone.
- Privacy proviso - to ensure that employees understand that the employer respects their privacy, a BYOD policy should specify that the employer will limit the collection and disclosure of personal information to what is required for legitimate business purposes.
- Definition of 'acceptable use' - a BYOD policy should clearly state that the employee may use only approved applications for work purposes. For example, employers may wish to prohibit the use of text messaging for business purposes and restrict the use of the camera to certain purposes.
- Storage protocol - an employer should consider whether employees will store their data on their phone or on a cloud-based system. An employer may also wish to synchronise business data so that a copy is retained on a company server.
- Limits on apps and settings - an employer may wish to restrict the apps that an employee can use on his or her phone and require the employee to maintain certain settings for security purposes. Employers may also require employees to update their apps and operating system to protect from security breaches.
- Prohibition against 'jail-breaking' - a BYOD policy should clearly state that employees are not permitted to use a jail-broken phone for work purposes, as this could lead to serious security concerns.
- Mandatory control of the device - an employee should retain control of the device and should not lend it out. A BYOD policy should clearly specify the proper procedure if an employee loses a phone. An employer may wish to obtain employees' consent in advance to remotely wipe a lost device.
To effectively implement a BYOD policy, an employer should offer support and training to employees on the proper use of their devices for work-related purposes. An employer should also maintain an up-to-date record of participating devices and consider auditing these devices to ensure that employees are properly updating and securing their devices.
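The policy items above (permitted devices, security protocol, limits on apps and settings, the jail-breaking prohibition) and the audit of participating devices suggested in the last paragraph can be expressed as a posture check run over the device record that a management agent reports. The following is an added example, not code from the original update or from the authors' firm: the policy thresholds, the app identifiers and every device record are constructed for illustration, and the field names on the Device record are assumptions about what such an agent would report.

```python
"""Device-posture audit for a BYOD fleet (added example; not code from the
original article). Policy values and device records are constructed for
illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed policy parameters; the article gives no concrete values.
PERMITTED_FAMILIES = {"iOS", "Android"}
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {"iOS": (16, 0), "Android": (13, 0)}
APPROVED_WORK_APPS = {"com.example.mail", "com.example.docs"}  # hypothetical app IDs
MAX_DAYS_SINCE_CHECKIN = 30


@dataclass
class Device:
    """Posture as reported by the management agent on the device (assumed fields)."""
    owner: str
    family: str
    os_version: str
    encrypted: bool
    passcode_set: bool
    jailbroken: bool
    days_since_checkin: int
    work_apps: List[str] = field(default_factory=list)


def parse_version(version: str) -> Tuple[int, ...]:
    """'17.2' -> (17, 2); tuples compare component-wise, so '17.10' > '17.9'."""
    return tuple(int(part) for part in version.split("."))


def audit_device(device: Device) -> List[str]:
    """Return policy violations for one device (empty list means compliant)."""
    # A jail-broken device can misreport every other attribute, so the
    # audit stops here rather than emit findings it cannot rely on.
    if device.jailbroken:
        return ["jailbroken"]
    findings: List[str] = []
    if device.family not in PERMITTED_FAMILIES:
        findings.append("unpermitted_family")
    elif parse_version(device.os_version) < MIN_OS_VERSION[device.family]:
        findings.append("os_outdated")
    if not device.encrypted:
        findings.append("not_encrypted")
    if not device.passcode_set:
        findings.append("no_passcode")
    if device.days_since_checkin > MAX_DAYS_SINCE_CHECKIN:
        findings.append("stale_checkin")
    # Any work app outside the approved list is reported individually.
    for app in sorted(set(device.work_apps) - APPROVED_WORK_APPS):
        findings.append(f"unapproved_app:{app}")
    return findings


def audit_fleet(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each owner to that device's findings."""
    return {d.owner: audit_device(d) for d in devices}


def noncompliant_owners(devices: List[Device]) -> List[str]:
    """Owners whose device has at least one finding, sorted for stable output."""
    return sorted(owner for owner, f in audit_fleet(devices).items() if f)


# Constructed sample inventory (names, versions and apps are invented).
SAMPLE_FLEET = [
    Device("alice", "iOS", "17.2", True, True, False, 3, ["com.example.mail"]),
    Device("bob", "Android", "12.1", False, True, False, 45,
           ["com.example.mail", "com.chat.unapproved"]),
    Device("carol", "iOS", "17.0", True, True, True, 1, ["com.example.mail"]),
    Device("dave", "Windows", "11.0", True, True, False, 2, []),
]

if __name__ == "__main__":
    for owner, findings in audit_fleet(SAMPLE_FLEET).items():
        print(f"{owner}: {'compliant' if not findings else ', '.join(findings)}")
```

The jail-break check deliberately short-circuits the rest: posture attributes are self-reported by software on the device, and once the operating system's integrity is gone those reports cannot be relied on, so the only honest finding is that the device is out of policy until it is restored. The remaining findings are returned as stable codes rather than free text so that they can be counted, trended and tied back to the specific policy item an employee was told about.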
How can companies separate out what information sent or received on the device is official and business related? Who owns this information – the employer or the employee? And how can employer access to information be assured?
Ultimately, it is impossible for an employer to ensure that all information remains fully protected on an employee's device. That said, employers can implement various safeguards to ensure that their information is protected, such as encryption, password protection and the ability to remotely wipe a lost phone. Employers may also monitor the settings on an employee's phone to ensure that the proper updates are installed and security measures are in place.
An employer can retain control and ownership over the content and use of its work email system, but cannot monitor employees' personal email. The best method of ensuring that an employee maintains a separation between email accounts is to include this requirement in a policy and periodically audit an employee's device. If the employer conducts an audit, the employer cannot search or review the employee's personal email account.
If an employee will be creating work-related documents on his or her device, the employer may wish to clarify ownership of these documents in its BYOD policy.
What happens in the event of a security breach? Is the employee protected from liability?
Employers should have a clear policy for how an employee should respond to a security breach, if this breach comes to the employee's attention. For example, employers should have a 'lost devices' policy that requires the employee to report a lost device and permits the employer to remotely wipe all information from the employee's phone. Given that this is a fairly significant intrusion on the employee's personal information stored on the phone, employers should require employees to sign an agreement for remote wiping to ensure that employees are aware of this possibility.
Employers that permit BYOD should also consider reviewing the terms of their insurance policy to ensure that their coverage extends to breaches that occur through employee devices.
Generally, employees will not be liable for accidentally disclosing company information. However, if this disclosure occurred because of the employee's intentional conduct or serious negligence, the employee may be civilly or criminally liable for this breach.
The employee's conduct may amount to a breach of confidentiality or of the employer's BYOD policy, in which case the employer may take disciplinary action against the employee. The employer's BYOD policy should explicitly state that a breach of the policy could lead to discipline.
What steps can a company take to prevent an employee leaving the company from taking company confidential information via his personal device? And how can the employee's own personal information be safeguarded in the process?
The employer's BYOD policy should clearly state what an employee should expect when departing from the company. When removing information from the employee's device, the employer should ensure that it has the capability to remove only the information and applications that the employer owns or provided.
Ultimately, there is no way for an employer to be certain that a departing employee has not retained some company documents. After leaving the company, the employee owes an ongoing duty of confidentiality to the company. If the employee subsequently discloses or uses company information in a way that breaches this duty of confidentiality, the employer may pursue legal action against this employee for any harm that resulted from this disclosure.
For further information on this topic please contact Emily Shepard or Daniel Mayer at Fasken Martineau DuMoulin LLP by telephone (+1 416 366 8381), fax (+1 416 364 7813) or email (firstname.lastname@example.org or email@example.com). The Fasken Martineau DuMoulin LLP website can be accessed at www.fasken.com.
Summer law student Claire Feltrin also assisted in the preparation of this update.