Ontario Privacy Commissioner releases BYOD policy whitepaper

Employees have taken work home with them on laptops, portable media and via email for many years. Since the advent of the smartphone, however, the scale of the practice has expanded dramatically, and data is now more likely in workers’ pockets or purses than on their desks at home. “Bring your own device” (BYOD) is an increasingly common—and risky—business practice that many organizations implicitly support or endorse even though they may have never considered it. To help organizations address the associated privacy and data security risks, Ontario’s Information and Privacy Commissioner and telecom giant Telus have co-authored “BYOD: Is Your Organization Ready?”, a whitepaper outlining the steps organizations should take to implement a bring-your-own-device program.

More than ever, workers are using their personal phones, tablets, laptops and other devices to conduct business, meaning they open confidential documents, access confidential client and employee information and connect to private corporate data networks, with all the risks that these activities entail. One recent study found that, in Canada, 75 percent of businesses actively support employee-owned digital devices on corporate networks. Surely there are more organizations that passively support these devices or simply don’t know their employees are using them on corporate networks. Also more than ever, employees are causing information breaches due to lost, stolen, unprotected and compromised laptops, phones, tablets and portable drives. Another study found 58 percent of Canadian organizations have lost business information in these ways.

With so many organizations already acknowledging and accepting BYOD—explicitly or not—the whitepaper’s description should sound familiar:

A BYOD program involves employees using their own mobile electronic communication devices to carry out work for their employer through remote access to the organization’s intranet. One goal of a BYOD program is to enable the employee to be more productive and efficient by selecting a device that best fits his/her preferences and work purposes, while at the same time ensuring data integrity and protecting the organization’s information from leakage or loss.

However, the security requirements mean that simply accepting BYOD in the workplace is not enough. Organizations need to implement a policy and actively enforce it.

One key challenge is that “two kinds of personal information will flow through the device, both of which will require proper protection on the part of the organization that employs the individual using a BYOD.” (Emphasis added.) That is, employee-owned devices will almost certainly contain personal information of both clients and employees, including family members, friends, partners and so on. Organizations are required to protect clients’ personal information from illegitimate use or disclosure, whether the employer or employee owns the device used to access it. Organizations must account for the kinds of device workers want to use; the makes and models; the operating systems and applications installed on the devices; the personal and work-related purposes for which the devices are used; where and when the devices are used; and who might use the device. How can they manage information in such complex circumstances?

Moreover, the privacy commissioner says:

All risks must be identified, acknowledged, measured and assessed, prioritized, and mitigated through an organization’s systematic application of [Privacy by Design] principles, a comprehensive security program, and an appropriate mobile device management strategy…

The risks include:

• Undisciplined use of devices by employees can expose your organization to security threats. The broad expansion and acceptance of consumer devices and resulting advancement of applications, app stores, data portability (e.g., the cloud), etc., promote user behaviour that can be incongruent with what’s ultimately best for your organization.
• Your organization may be exposed to regulatory risks that result from data breaches, information loss, etc. Poor management of end-point data and sensitive information can lead to regulatory exposures that could be debilitating to your business.
• Mishandling of personal information can quickly become public knowledge and severely tarnish your brand and reputation. Privacy issues are top of mind in today’s business world, as organizations are increasingly accumulating and exploiting personal information. Compromising an employee’s personal information can lead to severe consequences for your organization.

There are many more, but these all specifically relate to privacy and information management.

Since organizations are already letting workers use their own digital devices to perform work, they are courting danger if they do not develop and implement and enforce a “responsible, accountable and effective BYOD program.” The whitepaper describes “five critical process steps”:

1. Establishing user requirements: Understand the usage patterns of all mobile workers.
2. Technology alignment and device choice: Align the right technologies to assure compliance across the infrastructure.
3. Policy development: Establish obligations, requirements and criteria in a formal policy.
4. Security: Address data security risks with effective administrative controls.
5. Support: Ensure support for end-users with appropriate capabilities and processes.

A BYOD strategy should include the following features:

• Acceptable use policy: Include clear and concise definitions and statements of what is allowable on the device, once access to organizational data is permitted.
• Privacy policy: Cover mobile device use and behaviour expected from both employees and third parties acting on behalf of the organization.
• Location of use: Understand where workers expect to use the devices.
• Mobile device management: Remotely control certain business-related aspects of BYOD mobile devices, for instance configuring relevant settings, applying policies, performing remote diagnostics, tracking location information, operating applications, providing reports and analytics as well as inventory management and expense controls, and whether you will outsource this task.
• Mobile device camera use: Include a statement of where and when the camera capabilities of the device are permitted. This can be enforced technically via mobile device management.
• Data classification and mobile device use: Include the critical statement as to the sensitivity of the organizational data that will be permitted on the device. Some organizations may want to prohibit restricted data from mobile devices.

This process may seem like an immense challenge for any organization, and certainly it will require a lot of effort, but the potential damage and costs caused by a data breach, not to mention the legal obligations, should encourage organizations—even those with their heads in the sand—to act. Consider: it doesn’t make sense for an organization that takes good care of internal corporate information to ignore the risks associated with external corporate information. Data management is data management, and the obligations remain the same no matter where the information resides, who is accessing it and where or what type of device they are accessing it from.

The whitepaper from the Office of the Information and Privacy Commissioner and Telus offers a valuable overview of how organizations can begin implementing a formal BYOD program. But it is only a start. Organizations will have to consult their employees, information technology staff and likely third-party service providers to fully implement a BYOD program. Moreover, like many policies, this one will evolve over time, as technologies and user needs change. Organizations will need to review some aspects of their BYOD program regularly, possibly even more than once a year! Getting started now will help organizations get a handle on the mobile device security, which is likely to become more complex in the near future.

Find the whitepaper, “Bring Your Own Device: Is Your Organization Ready?” here.

Adam Gorley
First Reference Human Resources and Compliance Editor

Information Technology PolicyPro Managing IT risks and cyber security are essential in today’s business environment. You need to be ready when the unexpected occurs. Information Technology PolicyPro provides a practical and effective way of designing, implementing and reviewing controls over your IT in the context of your overall business strategy. learn more

• About
• Latest Posts

Follow me

Adam Gorley

Editor at First Reference Inc.

Adam Gorley is a copywriter, editor and researcher at First Reference. He regularly contributes to First Reference Talks, Inside Internal Controls and other First Reference publications. He writes about general HR issues, accessibility, privacy, technology in the workplace, accommodation, violence and harassment, internal controls and more.

Follow me

Latest posts by Adam Gorley (see all)

• Can you implement a mandatory vaccine policy or ask employees if they have been vaccinated? - June 10, 2021
• Do you know the latest on terminations? Find out at the Ontario Virtual Employment Law Conference - May 11, 2021
• Announcing the 2021 Virtual Ontario Employment Law Conference - April 15, 2021