Focus: BYOD policies are the new privacy battleground

There are many benefits to instituting a Bring Your Own Device policy in the workplace.

As employees increasingly demand a personal choice in their use of phone or computer, it is employers who need to map out the implications for them, says a Toronto lawyer.

Kelly O’Ferrall of Stikeman Elliott LLP says increasing attention to the use of personal devices in the workplace is due to the possible consequences for employers and employees. She recommends employers have written policies on how employees can use their personal devices for work matters.

“If there is a chance [employees] are doing any work on [their device] at all, you are better off to have a policy,” says O’Ferrall.

“As people become more opinionated about their phone choices — they want to use Apple or Android — employers see the potential for cost savings, but the employees have not always thought about the implications.”

Despite concerns by employers about mixing work and personal information, the use of personal devices in the workplace seems to be an irresistible phenomenon, which company policymakers are reactively trying to control.

Lisa Stam, a partner at Koldorf Stam LLP in Toronto, says the culture where employees would hand over their devices for examination with little resistance is largely over.

“Over the last few years, two things have happened. Privacy law has continued to expand. The R v. Cole decision of the Supreme Court has solidified the privacy rights of employees. The traditional default position — if it’s in the workplace it belongs to the employer — is meeting with much more resistance,” says Stam.

Stam says another “big development is that employers recognize they can’t do a heck of a lot without a good policy in place.”

She said often the battleground over the application of BYOD policies occurs when employers are seeking evidence for wrongful dismissal.

“That’s where the time and resources are being spent,” reports Stam. “When the employer tries to prove cause, that’s the moment the employee says ‘I have a right to privacy.’”

Stam has seen a growth in the number of cases in the labour law area.?

“Collective agreements now refer to privacy rights and there is a lot more case law [related to this]. In the discipline or grievance context, the battle is over what evidence is admitted,” she says.

While company e-mails are already on the company server, recovering communications is harder when employees have texted each other or clients or used I-chat or voicemail.

“This is standard old-school pieces of technology that are not captured on the server and are only found on local devices,” notes Stam. “In a case for wrongful dismissal, it might be evidence the employer needs.”

While policies are becoming more prevalent, they are often done retroactively for an employee who is already on board and has started using their device.

O’Ferrall believes the policy should precede the practice.

“My advice, if the company has not already made a decision, is to look at their resources and see if they have the appropriate IT abilities,” she says.

“In my experience, it’s usually implemented in well-established and sophisticated businesses that have an IT department that can address the issues.”

Stam points out that the IT department needs to understand all the systems in use.

“If it’s going to be a free-for-all, there are only so many hours in the day. Many companies have had a list — here are the types of device we will support that can plug into our server. Now that devices are becoming more universal, there are less restrictions on what kind,” she says.

Interestingly, Stam says it is the legal profession that is lagging in this area.

“It took a while for law firms to get on board, but we are starting to see it open up,” says Stam. “We are paranoid by profession. Client information is so confidential and sacred. There is always going to be a reluctance to negatively impact that.”

O’Ferrall sees that putting a policy together forces employers to address issues with respect to securing confidential information and also employee expectations of privacy.

“They need buy-in from all levels of management and a commitment from the employees that they are going to allow the personal device to be tampered with, at least by the IT person in the organization,” she says.

O’Ferrall lists some of the questions that need to be asked.

“If the company is to have access to the phone, what parts of the device can they access or search?
Who’s paying for what? Can everyone participate or just some individuals? What happens if it is lost or stolen?” she says.

Stam says usually the employer is pushing the envelope past what the employee would expect by inserting clauses in company policies that give employers intrusive powers.

“In the event of a termination, [the employer] may assert the right to confirm that employer-owned digital data is deleted or in the employer’s keeping. They might have the right to do a remote wipe,” she says.

“Some technology is probably available to allow you to cherry-pick what you wipe, but the free accessible version will do a blanket wipe to dump and clean the entire device, including family holiday photos. There are ways to make both parties happy, but you have to think about it, hopefully in advance — before the employees or the employers complain.”

To assist policymakers who are still addressing the problem, the Office of the Privacy Commissioner of Canada, together with the Alberta and British Columbia privacy commissioners, released guidelines last year specifically aimed at BYOD programs. The guidelines will help companies to prove they have done their due diligence on the issue, says O’Ferrall.

“The whole BYOD world is all driven by privacy law and the expectation of privacy,” adds Stam. “I’m not surprised that the privacy commissioners are starting to act on it. That’s a shifting landscape right now.”