In August 2015, the Privacy Commissioners of Canada, Alberta and British Columbia issued guidelines entitled “Is a bring your own device (BYOD) program the right choice for your organization?” (the “Guidelines”). The Guidelines provide helpful guidance for any organization considering a new BYOD program or assessing an existing BYOD program.

BYOD

Bring your own device (BYOD) – also called bring your own technology (BYOT), bring your own phone (BYOP) and bring your own PC (BYOPC) – refers to a practice of permitting employees to use their own computing devices (e.g. smartphones, tablets and laptops) for both personal and business purposes. BYOD programs are perceived to result in productivity gains, increased worker satisfaction and cost savings. BYOD programs can also present significant privacy and security risks, because each BYOD device is connected to the organization’s IT infrastructure and to the user’s personal IT services, and accesses both the organization’s data and the user’s personal data.

The Guidelines

The Guidelines remind that Canadian personal information protection laws require an organization to safeguard personal information in the organization’s custody or control from risks such as unauthorized access, collection, use and disclosure. The Guidelines also remind that an organization is accountable for personal information collected, used or disclosed by the organization’s personnel using BYOD devices. The Guidelines caution that a BYOD program might not be the right solution for an organization. The Guidelines include the following recommendations for developing and implementing a BYOD program:

• PIA/TRA: Conduct a privacy impact assessment and a threat risk assessment to identify and assess the risks presented by a proposed BYOD program, and to determine whether the program is appropriate for the organization.
• BYOD Policy: Develop, implement and enforce a BYOD policy that establishes the rights and obligations of the organization and BYOD users.
• Training: Train BYOD program stakeholders to identify and manage security and privacy risks.
• Mobile Device Management: Consider mobile device management (MDM) software to manage BYOD devices, and the use of MDM software should be addressed in a BYOD policy and an agreement between the organization and each BYOD user.
• Communication / Storage: Consider limiting the kinds of data that may be accessed by BYOD devices, and using technologies to avoid or minimize the need to store data on BYOD devices and to segregate organization data from user data.
• Encryption: Consider using encryption to protect the organization’s data while in transit (to and from BYOD devices) and at rest (on BYOD devices).
• Asset / Software Management: Approve and manage BYOD devices and the installation, configuration, updating and removal of operating systems and applications installed on BYOD devices.
• Authentication and Authorization: Use authentication (e.g. device authentication and user authentication) and authorization.
• Malware: Use protection against malware that might be installed on or transmitted by BYOD devices.
• Incident Management: Establish and regularly test and update an incident management plan for security incidents and privacy breaches involving BYOD devices.

Comment

BYOD programs may provide various benefits, but they also present significant risks, including losses and liabilities resulting from the unauthorized use or disclosure of an organization’s data and liabilities for violating privacy rights. An organization can manage and mitigate those risks by designing and implementing a suitable BYOD program.