The British Columbia, Alberta and Federal Privacy Commissioners are reminding employers that Bring Your Own Device programs, or “BYOD”, invite significant risks to privacy and security, and have issued guidelines to help businesses that are considering implementing such programs.
Under a typical BYOD program, an organization authorizes its employees to use their own personal mobile devices (such as smartphones and tablets) for both personal and business purposes. While these programs can reduce costs for the employer, they also present new and serious challenges relating to privacy and security, which, if not handled properly, can be quite costly. For example, mobile devices can be more susceptible to security breaches, and such breaches can expose an employer’s confidential business information as well as employee personal information.
Guidelines for BYOD Programs
The Office of the Privacy Commission of Canada, together with the Alberta and British Columbia Privacy Commissions, has recently issued guidelines to help employers who are using or considering using a BYOD program. The complete guidelines can be found HERE.
The Guidelines include a comprehensive list of tips and advice. Some of the more important recommendations are summarized below:
- Before implementing a BYOD program, make sure it is right for your organization: the guidelines state that organizations should conduct a Privacy Impact Assessment (PIA) and a Threat Risk Assessment (TRA) before implementing a BYOD program. These assessments help employers tailor a BYOD program to their specific needs, since every organization has different privacy and security risks that should be considered when contemplating such a program.
- Develop, Communicate, Implement and Enforce your BYOD policy: any policy should clearly set out the employer’s expectations and the employees’ obligations. The employer should ensure that the policy is written clearly so that all employees understand their obligations. The guidelines include a list of issues and restrictions that employers should consider including in their BYOD policy.
- Develop Training on the BYOD policy: training is important for any policy implemented by employers, but it is especially important that IT professionals are adequately trained in the implementation and use of the necessary security software for the BYOD policy to be effective.
- Consider the Issue of Administrative Rights: mobile device owners have administrative rights on their devices and can configure or modify settings at any time. This poses additional challenges for employers, and device administration can be very complex under BYOD policies. The guidelines suggest that an agreement be signed between the device owner and the employer which clearly articulates the specific device administration activities that the employer may perform on the employee’s device.
- Use a Process Known as “Containerization”: this process involves partitioning each device into two compartments – one used for business purposes while the other is for an employee’s personal use. The goal is to separate corporate information from the employee’s personal information. There is software that an organization can use to assist with this important process.
- Identify Storage and Retention Policies: employers must always have policies for the storage and retention of employee personal information, but sound policies become even more important under a BYOD program. Employee personal information that resides on a mobile device could be within the organization’s control, and therefore policies on the storage and retention of such information are important.
- Formalize a BYOD Incident Management Process: even with the best policies, training and procedures, things can still go wrong. It is important to have processes in place to deal with any privacy or security breach, including a way to investigate and correct the problem.