Page 13 - CCCA 239285 Magazine_Fall 2015

{ Privacy }






Bring Your Own Device Program Guidelines



By Yosie Saint-Cyr



Using personal devices at work to conduct business (BYOD or “bring your own device”) has become commonplace in the last couple of years. Employers are implementing BYOD policies left, right and centre to try to control the privacy challenges this practice can bring about when employers access these devices to protect their data contained on them.

On August 13, 2015, the federal, British Columbia and Alberta privacy commissioners issued joint guidelines about the protection of personal information to help organizations reduce the risks of privacy breaches when considering allowing employees to use their own mobile devices and computers for work. The guidelines also aim at mitigating risks of security incidents and privacy breaches.

The privacy risk explained

The term “employee-owned device” is very broad and includes smartphones, tablets, laptops and desktop computers at home. These devices allow professionals to access corporate data, email, applications, and other processes wherever they are.

While the convenience of personal devices enables employees to communicate with clients and review documents without being tied to the office, the BYOD trend is creating tension between how much access an employer can have to the worker-owned device and how much privacy an employee can expect.

Organizations are understandably concerned about security, such as confidential data falling into competitors’ hands or employees misusing or losing corporate information.

On the other hand, when using their personal devices for work, employees want to keep their personal information (e.g., photos, browsing history, emails, etc.) stored on their mobile devices private from their employers.

What is recommended by the federal, British Columbia and Alberta privacy commissioners?

The guidance is focused on 14 tips to consider when planning or implementing a BYOD program:

■ Get executive buy-in for BYOD privacy protection.
■ Assess privacy risks.
■ Establish a BYOD policy.
■ Pilot your program.
■ Train staff.
■ Demonstrate accountability.
■ Mitigate risks through containerization.
■ Put in place storage and retention policies.
■ Encrypt devices and communications.
■ Protect against software vulnerabilities.
■ Manage apps effectively.
■ Enable effective authentication and authorization practices.
■ Address malware protection.
■ Have a plan for when things go wrong.

Companies need to understand the issues and risks specific to their organization, prior to establishing a BYOD program and policy. They also need to train their employees and IT staff on what the policies say, and institute methods for ensuring the employees are compliant.

It is important to remember that employees have privacy rights over their personal information. That will not change with a privacy policy. However, by knowing their rights and what could happen ahead of time if, for example, an employee’s device is stolen or hacked, the employee will consider if they really want to use their personal devices for business purposes, and if they do, they will know the consequences and solutions they need to put into place if a problem arises. For example, have a back-up of their personal data in the case of a remote wipe by the company if there is a breach or the device has been stolen or lost.

The privacy commissioners’ guidelines help you understand how to draft your policy to implement rules governing the acceptable use of devices, corporate monitoring, app management, connecting to corporate servers and security features, voice and data plans, etc. In addition, the guidelines suggest risk mitigation measures such as the encryption of BYOD devices, authentication protocols and how to separate corporate data from personal ones.

Conclusion

Employers that simply allow employees to use their own devices for work purposes, without considering the repercussions and implementing controls, place themselves at substantial risk of data loss and misuse, unnecessary expenses and legal costs, reputational damage and even fraud. It is essential that they develop a BYOD policy and plan to protect themselves. ❚

Marie-Yosie Saint-Cyr, LL.B., is the Managing Editor of the Human Resources and Compliance Collection from First Reference, a Canadian publishing company. This column is a condensed version of a post on the Slaw blog.






Canadian Corporate Counsel Association | CCCA-ACCJE.ORG