As an employer, you may be contemplating creating a bring your own device (BYOD) program in the workplace. There are several advantages to having such a program—companies can save a great deal of money and make employees happy by allowing devices in the workplace. However, there are significant concerns that need to be addressed if this is the direction the company wishes to take. The Privacy Commissioner has recently created tips for employers who are contemplating creating such a program. Furthermore, the Commissioner has provided some workplace tips for protecting personal information on portable devices.
The Privacy Commissioner recently released a document going through the privacy and security risks of a BYOD program within an organization.
It also created a checklist of the main tips.
In a nutshell, the Privacy Commissioner recommends that one first obtains senior management commitment to address applicable privacy risks in the workplace in order to ensure that there are sufficient resources to plan for and successfully implement a BYOD program that protects privacy.
Subsequently, it is important to conduct a privacy impact assessment and threat risk assessment in order to identify, prioritize and mitigate potential risks associated with the collection, use, disclosure, storage and retention of personal information. This also helps to determine whether the benefits of a BYOD program outweigh the risks in your particular organization.
At this point, it is necessary to develop, communicate, and implement the BYOD policy. It is recommended that the policy touch on topics such as: acceptable use; corporate monitoring; sharing of devices with friends and family; app management; and responsibility over security features and voice/data plans.
That said, before actually activating the program, it is important to pilot the program—this means that the company can first test out the program on a certain number of select staff and on a single mobile platform.
Additionally, it is important to develop training materials so that the employees understand the BYOD policy and IT professionals are prepared to implement it and any necessary technical security controls.
During the discussions with staff, employers have a responsibility to explain to employees how the program complies with applicable privacy laws and policies.
Moreover, one of the most interesting and effective ways to mitigate risks is to use containerization—this means partitioning devices to keep approved corporate apps and data separate from personal ones. In fact, using this method, companies are able to remotely and securely erase the corporate container if a device is lost or stolen or upon employee departure from the organization.
Another critical aspect of protection includes encryption – the Privacy Commissioner states that, at a minimum, it is important to use up–to–date, industry standard encryption algorithms for device–to–device communications. Where devices connect to a corporate network, a secure connection is required such as a Virtual Private Network.
Likewise, employers are recommended to create effective storage and retention policies. One example is allowing one to only display personal information held on corporate servers on a device, but not store it.
Employers are also recommended to:
- make sure employees understand their responsibility to protect personal information;
- limit the personal information that is stored on mobile devices to that which is absolutely necessary;
- have employees use hard–to–guess passwords;
- make sure employees are using secure networks in the case where they take work home with them and are never leaving the devices unattended in public;
- make sure that software updates are current;
- make sure that employees are installing and properly updating approved apps;
- use a strong, centrally–managed authentication system for authenticating users and mobile devices connecting to the corporate network; and
- ensure that network security is regularly monitored to prevent malware attacks.
Last but not least, it is important to have a plan B for when things go wrong (for instance, there is a privacy breach).