Employees are increasingly urging employers to allow the use of personally owned mobile devices for business purposes. This comes in direct contrast to participation of employees in employer issued mobile device programs.
This trend may stem from a number of factors, including the inconvenience of carrying multiple phones, comfort with using a particular operating system, corporate acceptance of smartphones other than BlackBerrys, and Marshall McLuhan’s age-old idea that technology is an extension of the human form. As a result, it is no longer atypical for companies to allow employees to use personal mobile devices at work. However, this shift in industry norms presents a number of privacy and security concerns.
Companies should be aware of legal obligations (found in federal and provincial privacy legislation) relating to the protection of employee and client privacy. Moreover, Ontario’s Information and Privacy Commissioner (in collaboration with TELUS) recently released a guidance document that provides practical tips on addressing privacy and security concerns when developing a “Bring Your Own Device” (BYOD) program.
Unfortunately, companies of varying sizes are simply not keeping pace with this new phenomenon and have yet to develop appropriate policies to regulate BYOD programs.
Employees have a reasonable expectation of privacy from their employers. However, since a mobile device contains both personal and company content, employers may have access to employees’ private information, messages, photographs, music or other similar items. Periodic monitoring and backing-up of mobile devices by a company (for business purposes) may contravene privacy laws, especially if technological measures are not in place to distinguish between personal and company content. In addition, company use of data stored on a mobile device is generally only acceptable for particular court proceedings. As such, employers may face a dilemma if they discover personal information or messages that serve as grounds for discipline or termination.
Privacy obligations owed by a company to its employees may conflict with its obligations to keep company data secure. Company data may include trade secrets, sensitive information or client-related information that requires a certain level of privacy protection and security breach reporting in the event of unauthorized access. Employers may install technological safeguards on mobile devices (for the purpose of protecting data or networks) including implementations of profiles, certificates, remote wiping capabilities, automatic locking or password control mechanisms and data encryption. In the event that a mobile device is lost or stolen, or an employee is terminated, companies will want to wipe mobile devices, which may include employee-specific private information. However, companies often forget to obtain prior informed consent from employees necessary for deletion, as they are primarily focused on protecting company data.
There are companies that obtain informed consent and address this concern by regularly reminding employees to safeguard any personal data in the event that their device is wiped. However, this can also cause privacy concerns. The advent of new technologies makes it easier for employees to back up their devices by using automatic syncing programs (such as iCloud) which do not discern between personal and company information. Consequently, many employees may be inadvertently storing client information in insecure forms.
It is advisable that companies balance these conflicting concerns through a well-drafted and well-implemented BYOD policy, which incorporates the company’s existing or established policies. Employers should explicitly disclose company practices and obtain informed consent in order to stay on the right side of the law. Each company must consider its own unique situation and assess the privacy and security concerns applicable to its specific industry, practice, IT structure and culture.