Last week, I conducted a workshop on implementing a successful “Bring Your Own Device” (BYOD) program at the Canadian Institute’s Privacy Law & Compliance Conference. I met a wonderful group of privacy experts who had plenty to contribute to the discussion.
We talked about the benefits, risks and costs of permitting employees to use their personal devices to perform work-related tasks, which typically includes accessing the company’s network. Over half the group was in the public sector and regularly handled very sensitive, confidential personal information.
The private sector attendees in the group had an equally strong concern about protecting highly sensitive and confidential business information. At the end of the day, most organizations, regardless of how open they may or may not be, require a certain level of security around their data, intellectual property and personal information.
So how to implement a successful BYOD program?
There is no cookie-cutter solution, but there are five broad issues to consider when rolling out a program:
1. Technical – security (is your technical infrastructure sufficient?)
2. Technical – support (is your IT team up for the job?)
3. Financial questions (who pays for what?)
4. Employment Issues
5. Company Liability
This blog post will start with some of the key employment law issues and will examine the other issues in future posts.
The BYOD Program & Policy
When developing a program, an organization will want to assemble a team that includes key stakeholders from across the organization, including human resources, IT, finance and privacy. Together, the team will want to come up with a BYOD program that sets out the various issues it has identified and resolved. Typically, this is a larger, internal working document that is not necessarily distributed broadly.
The key principles of the program are then distilled into a BYOD policy and distributed to the participating employees.
The organization will then want to have individual employees enter into a participation agreement that, among other things, sets out the parameters of the program and cross-references the BYOD policy.
Both the program and policy should harmonize with the organization’s various workplace policies, including:
- Employee Personal Information and Privacy
- Electronic Use, Communications & Systems
- Social Media (which should include ownership of content provisions)
- Hours of Work and Overtime
- Harassment, Discrimination and Human Rights policies
All of these issues are now set against the backdrop of an employee’s residual expectation of privacy, a principle enshrined in our law through R v Cole last year.
Ownership of Content
Other key issues to consider include whether the employee or the employer owns the content developed on the personal device. I blog regularly on this issue and know that employers increasingly need to expressly articulate what they believe they own. In the absence of that articulation, employers risk employees successfully claiming ownership over certain information.
Having business conducted on a personal device continues to muddy the water on this issue. How do you unwind the Outlook contacts? What about the LinkedIn lists? Or the email drafts of blog content?
While concerns around organizational systems are less about employment law and more about HR infrastructure, this needs to be part of the overall consideration of people issues. BYOD enables people to work anywhere on their own devices. Where are the files being shared? Unsecured file-sharing programs in the cloud? On a very easy-to-lose USB stick? Are silos being created out of individual convenience that prevent effective collaboration? Is data being duplicated and eating up company storage space? Is data being backed up, and backed up securely?
Now that employees have the convenience of working anytime, are they, in fact, working all the time? How is the organization going to keep track of overtime hours? What will count as overtime work? You can count on that employee remembering their extensive overtime hours should the employment relationship sour in the future.
Every organization and industry has its own best practices. For organizations that rely on a bullet-proof reputation for maintaining confidentiality and data security, BYOD presents many challenges, most of which can be overcome with a comprehensive BYOD program plan.
Update: Check out the Office of the Privacy Commissioner of Canada’s BYOD publication from August 2015.