Labor and Employment Law

Privacy Commissioner of Canada's BYOD Guidelines

 I’ve written several posts about BYOD in the past, and continue to believe that for many workplaces, BYOD will be difficult if not impossible to resist. However, it won’t be news to anyone that BYOD raises a full array of privacy and security issues related to the potential blurring and blending of employee personal information and business/customer information on devices.

Recently, the Office of the Privacy Commissioner of Canada, along with the Alberta and British Columbia Information and Privacy Commissioners, have published guidelines to assist organizations considering or implementing BYOD policies.

While the publication does not introduce anything overly novel, it does provide a good roadmap in one document, a roadmap with quite a bit of weight if you are trying to prove your organization did its due diligence around implementing a prudent BYOD program.

The 16 page guide “Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization?” discusses the privacy and security risks of such a program through 14 tips or considerations.

Highlights of the Guide include:

  • Recommendation that organizations conduct a privacy and threat assessment prior to implementing a program to identify and address risks;
  • Recommendation to implement workplace rules and policies to govern the use of devices, for monitoring employees and with respect to sharing devices, app management, connection to corporate servers and responsibility for security features. Policies should also cover concepts such as implementing software updates and voice or data plans;
  • Because a full BYOD program can get fairly complicated, employers implementing BYOD should also invest in training to ensure that everyone understands expectations and so that IT folks can successful manage multiple platforms;
  • Risk mitigation measures should be considered, such as using encryption, authentication and partitioning devices to try to keep personal apps and data separate from corporate; and
  •  “Incident management” provisions (because who hasn’t left their phone in a bar bathroom stall or subway?).

The 14 tips covered by the guide are:

  1. Get executive buy-in for BYOD privacy protection
  2. Assess privacy risks
  3. Establish a BYOD policy
  4. Pilot your program
  5. Train staff
  6. Demonstrate accountability
  7. Mitigate risks through containerization
  8. Put in place storage and retention policies
  9. Encrypt devices and communications
  10. Protect against software vulnerabilities
  11. Manage apps effectively
  12. Enable effective authentication and authorization practices
  13. Address malware protection
  14. Have a plan for when things go wrong.

My past posts on BYOD include: 

 For additional updates, please visit Lisa Stam's blog, Employment and Human Rights Law in Canada.

For more information about LexisNexis products and solutions, please connect with us through our corporate site.