This is the sixth instalment in our Top 10 Issues for Employers series.
The workplace practice of bring your own device (BYOD) has hit the mainstream as more and more employees use their own mobile electronic devices to connect to corporate networks. Employees have a reasonable expectation of privacy with regard to the mobile devices used as part of a BYOD program. However, this expectation should not be unlimited. There is a fine balance between an employee’s expectation of privacy and the employer’s legitimate business need to manage and control its business information.
When implementing a BYOD program, an employer will generally want to ensure that it includes a BYOD policy that sets out the employer’s practices and expectations when it comes to the use of personal mobile devices for work purposes. As with any new policy or program, the employer will need to consider other corporate policies so that the BYOD policy can be properly integrated. This may include policies dealing with remote access via home computers, “corporate-owned” smartphones, document retention, acceptable use of the employer’s network, compliance and ethics, litigation holds, social media, harassment and discrimination, and employee privacy policies.
SCOPE OF BYOD PROGRAM
Employers will want to consider which devices will be included in the BYOD program and who will be entitled to participate in it. Consideration should also be given as to how many devices each participant may have in the program, what the approval process for those wishing to participate in the BYOD program will be, what support the employer will provide in respect of devices and to users of those devices, and of course, the financial aspects of the employer’s BYOD program. Employers may also consider whether to offer an alternative company-owned device for those employees who do not wish to participate in the BYOD program. Employers will want to keep an up-to-date inventory of participating devices. This allows the employer to keep track of where its data and business information resides.
In Canada, privacy rights are recognized through the patchwork of privacy legislation and common law and arbitral jurisprudence that impose obligations on employers with some variations depending on the nature of the employer and the jurisdiction of employment. Generally, there will be some restrictions placed on the collection, use and disclosure of employee personal information and employers will want to consider the following guidelines:
- Limiting Collection. Implement technological or other methods of limiting the collection of non-business-related employee personal information from the personal mobile device. Consider options to segregate the business data from the personal data on the device.
- Limiting Disclosure. Only authorized personnel should have access to the personal information collected from mobile devices. Safeguards should be put in place to limit unintentional or unauthorized disclosures of personal information. Policies should also notify the employees as to whom the information will be disclosed, including potentially to law enforcement agencies when a breach of law is suspected.
- Consent and Notification. In any BYOD program, employers will usually install software onto the personal device that provides the employer with access to the business and sometimes other data on the device. An employer’s right to access or monitor a mobile device may be constrained by the fact that the device is not owned by the organization. Obtain express consent and provide written notification to employees about the purposes for collecting, using and disclosing data on the device. In addition, consent and notification is required for remote or other wiping of the device, particularly since such functions might also delete the employee’s personal information or property.
- Expectation of Privacy. Employees should understand what expectation of privacy they should have when using a personal mobile device that is subject to the BYOD policy, and should understand what monitoring the employer will conduct and for what purposes. In order to effectively manage an employee’s expectation of privacy and any consent requirement, an employer will need to be very clear—through not only its policies, but also its practices—about the circumstances under which and the purposes for which the employer may monitor employee device usage and what uses the employer may make of information that it accesses, views or collects.
An employer’s BYOD program must consider any security-related requirements or practices relevant to participating devices and users. The primary focus here is preservation of the confidentiality of the employer’s business information while recognizing the privacy of any personal information within the possession or control of the organization.
- Security Controls. Decisions will need to be made regarding which user authentication protocols should apply to participating devices and users, which data encryption protocols should be mandated, and which antivirus protection measures should be implemented.
- Restrictions on Apps. Employers must consider which controls or restrictions are appropriate in relation to apps used by participating users for business purposes.
- Restrictions on Clouds. Employers need to know which “clouds” their business information resides in and whether the information in those clouds is subject to reasonable and appropriate security safeguards, taking into consideration the nature of the information being stored and the employer’s legal obligations—whether under statute or pursuant to its contractual obligations.
- Back-ups. Since employees will have personal information and property (photographs, music, etc.) on the device, consideration should be given as to the issue of back-ups and whether all of the device’s data can be backed up onto a computer that is not part of the organization.
When introducing the BYOD program or at the time of hire, employers will want to provide training on the policy and have the employees sign the consent or acknowledgment form. A BYOD policy will have little impact or enforceability if the employees are not made aware of the policy and provided with some training or orientation on its terms and conditions. In addition to the foregoing, as with other policies, employers will want to specify in the policy disciplinary and other actions that may be taken when an employee does not comply with the expectations set out in the policy, and be consistent in the application of the policy to all employees who participate in the BYOD program.