In this fourth piece on Bringing Your Own Device to work, I build upon my past posts that set out the benefits, costs and risks of BYOD.
So you’ve now decided to jump in (or some other reckless decision maker in your organization has), and you now have to develop your BYOD program. Here are five tips to consider when rolling out your BYOD Program:
- Policies: Policies are an essential backdrop for employers in our Canadian, contract-based, non-at-will employment law environment. Whether you have a formal written contract for each employee or not, a properly drafted and executed workplace policy can lay out the details for a BYOD program, articulate parameters around device use during and after work hours, and set out expectations of privacy.
By setting out these expectations, the employer can then rely on the policy document to discipline or dismiss an employee who fails to adhere to the workplace rules. Conversely, an employee can look to the policy for clarity on how he or she can use his or her device in the workplace.
- Content of Policies: A BYOD policy should include provisions that speak to the following issues: exactly what devices are permitted; that specific security programs should remain updated; that work-related content developed on a personal device is the intellectual property of the company; that the security of the company server will prevail when determining when to remote wipe a lost device; and that the employee has no expectation of privacy in any device plugged into the company system. As set out in R v Cole, while an employer can only lower, and not eliminate, expectations of privacy on a workplace computer, here is the moment and place to set out language to articulate employer expectations around privacy issues.
- Context: The policy should remain in context with your workplace and industry. There are rarely good “off the shelf” solutions, and policies should be an organic document that reflects workplace culture, workplace demographics and the vision of where the company is going. A careful cross-reference with other workplace policies will ensure consistency and ability to use policies in conjunction with each other. For example, the workplace harassment, discrimination, privacy, data security and/or confidentiality policies all should be read together to present a uniform approach to electronic information and devices.
- Privilege: It may be useful to articulate that the BYOD program is a privilege, not an entitlement, and that the employer reserves the right to revoke the privilege should an employee abuse the BYOD program.
- Termination Protocol: Finally, employers should turn their mind to how they will deal with personal devices when an employee resigns or is dismissed. If the device has a lot of confidential information and/or the employee has remote access to the server, there should be a checklist ready to go should the employment relationship go south and proactive measures need to be triggered urgently. Your IT and HR team should be working together with management to develop a termination protocol for all electronic data, including such data on personal devices.
For most workplaces, BYOD will be a non-starter within a couple of years. Developing the protocols and policies, and having open discussions about what both employers and employees want/need will eliminate the growing pains often associated with adopting new devices and technology.
For more information on the benefits, costs and risks of BYOD, feel free to visit my past posts:
Has your workplace adopted BYOD? I’d love to hear how it’s going, and whether you have any other tips to add to the list.