Employees are increasingly urging employers to allow the use of
personally owned mobile devices for business purposes. This stands
in direct contrast to employee participation in employer-issued
mobile device programs.

This trend may stem from a number of factors, including the
inconvenience of carrying multiple phones, the comfort of using a
particular operating system, corporate acceptance of smartphones
other than Blackberries, and Marshall McLuhan's age-old idea
that technology is an extension of the human form. As a result, it
is no longer atypical for companies to allow employees to use
personal mobile devices at work. However, this shift in industry
norms presents a number of privacy and security concerns.

Companies should be aware of legal obligations (found in federal
and provincial privacy legislation) relating to the protection of
employee and client privacy. Moreover, Ontario's Information
and Privacy Commissioner (in collaboration with TELUS) recently
released a guidance document that provides practical
tips on addressing privacy and security concerns when developing a
"Bring Your Own Device" (BYOD) program.

Unfortunately, companies of varying sizes are simply not keeping
pace with this new phenomenon and have yet to develop appropriate
policies to regulate BYOD programs.

Employees have a reasonable expectation of privacy from their
employers. However, since a mobile device contains both personal
and company content, employers may have access to employees'
private information, messages, photographs, music or other similar
items. Periodic monitoring and backing up of mobile devices by a
company (for business purposes) may contravene privacy laws,
especially if technological measures are not in place to
distinguish between personal and company content. In addition,
company use of data stored on a mobile device is generally only
acceptable for particular court proceedings. As such, employers may
face a dilemma if they discover personal information or messages
that serve as grounds for discipline or termination.

Privacy obligations owed by a company to its employees may
conflict with its obligations to keep company data secure. Company
data may include trade secrets, sensitive information or
client-related information that requires a certain level of privacy
protection and security breach reporting in the event of
unauthorized access. Employers may install technological safeguards
on mobile devices (for the purpose of protecting data or networks)
including implementations of profiles, certificates, remote wiping
capabilities, automatic locking or password control mechanisms and
data encryption. In the event that a mobile device is lost or
stolen, or an employee is terminated, companies will want to wipe
mobile devices, which may include employee-specific private
information. However, companies often forget to obtain prior
informed consent from employees necessary for deletion, as they are
primarily focused on protecting company data.

There are companies that obtain informed consent and address
this concern by regularly reminding employees to safeguard any
personal data in the event that their device is wiped. However,
this can also cause privacy concerns. The advent of new
technologies makes it easier for employees to back up their devices
by using automatic syncing programs (such as iCloud) which do not
discern between personal and company information. Consequently,
many employees may be inadvertently storing client information in

It is advisable that companies balance these conflicting
concerns through a well-drafted and implemented BYOD policy, which
incorporates the companies' existing or established policies.
Employers should explicitly disclose company practices and obtain
informed consent in order to stay on the right side of the law.

Each company must consider its own unique situation and assess the
privacy and security concerns applicable to its specific
industry, practice, IT structure and culture.