In August, the offices of the federal, Alberta and British Columbia privacy commissioners released joint guidelines for organizations considering a BYOD program. "BYOD" or "Bring Your Own Device" programs, which allow employees to use their own mobile devices for both personal and business purposes, are becoming increasingly popular with organizations as a method of cost reduction. However, because of the associated privacy and security risks, it is important that organizations have robust policies, procedures and technical safeguards in place. Even where mobile devices are owned by individual employees, organizations remain responsible for any personal information (both customer/client and employee personal information) stored on the devices and have an obligation to ensure that information is safeguarded. The concerns are not limited to personal information: organizations also have a very real interest in protecting corporate confidential information that might be stored on, or accessible through, the devices.
The guidelines provide suggestions for developing and implementing BYOD programs which provide the necessary privacy and security protections:
- obtain senior management "buy-in"
- conduct a privacy impact assessment and threat risk assessment
- develop, implement and enforce an appropriate BYOD policy
- pilot test your BYOD program
- develop and implement training materials and programs
- demonstrate accountability for the information on devices
- consider mitigating risks through containerization
- implement policies and procedures for storing and retaining personal information
- implement and enforce encryption requirements
- ensure protection against software vulnerabilities and malicious activities
- manage apps and app configuration
- require authentication and authorization prior to granting access to information
- address malware protection
- develop a documented incident management process covering both security and privacy breaches
We expect that the privacy commissioner will rely heavily upon these guidelines if faced with either a privacy complaint or a breach notification arising from a BYOD program. You should therefore review the guidelines before implementing any BYOD program, and use them to audit and update any program you already have in place. If you want to ensure you comply, we are available to help.