Bring Your Own Device, or BYOD, programs are increasingly popular in Canada, as they are in the United States. Under a BYOD program, employers require or expect employees to use their own mobile devices for business purposes. The practice raises privacy concerns as well as concerns about ownership of company data and the ability to retain company data when an employee departs.
In August 2015, the Office of the Privacy Commissioner of Canada, together with the privacy commissioners of British Columbia and Alberta, jointly issued a paper considering the privacy implications of BYOD programs. The paper also provides useful recommendations for employers.
Recommendations include the need to conduct both privacy impact assessments and threat risk assessments. These should be done prior to allowing collection, use, disclosure, storage, and/or retention of personal information on personal devices. The privacy impact assessment is specific to ensuring compliance with legal privacy requirements.
The threat risk assessment is meant to ensure that the organization has considered the security of its data on personal devices. For example, if an employee’s device will also hold company data, the organization should consider which applications may be used on that device and which should be restricted.
Another important recommendation was the requirement to have specific BYOD policies that inform users about their reasonable expectation of privacy and whether the organization intends to monitor the BYOD device. Some organizations require geolocation tracking on smartphones that are part of a BYOD program. In those circumstances, organizations should give specific notice of how they intend to use the geolocation tracking data and ensure that the use is reasonable.
Options discussed by the commissioners include “sand-boxing” or “containerization.” This would partition personal data of the employee from the company’s data. Effective containerization software can reduce some of the privacy and security risks but not eliminate them.
However, containerization is strongly recommended, considering the requirements for organizations to take reasonable steps to safeguard personal information in their custody or control from unauthorized access, collection, use, disclosure, copying, modification, disposal, or destruction.
Finally, given the amendments to the federal government’s Personal Information Protection and Electronic Documents Act as a result of the Digital Privacy Act receiving royal assent on June 8, 2015, new data breach notification obligations apply. Organizations with a BYOD program should have a documented incident management process for security incidents and privacy breaches. This will help to ensure that the organization can meet its obligations to notify affected parties as required in the event of a privacy breach.