
The Privacy Commissioner of Canada, together with Offices of the Information and Privacy Commissioners of British Columbia and Alberta, created a document, Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization?, in 2015 that is still relevant today. The document sets out various considerations and proposes strategies for organizations that have or want to have a Bring Your Own Device (BYOD) program in the workplace.
What is BYOD?
A BYOD program is an arrangement where private sector organizations allow employees to use their own personal mobile devices such as smart phones or tablets for both personal and business uses.
Why is this concerning?
There are many benefits, such as cost savings, increased employee satisfaction from using their preferred devices, and increased efficiency. However, there are also privacy and security risks that could lead to financial losses or damage to reputation. Further, critical documents and sensitive personal information of consumers or employees could be put at risk unless careful measures are taken.
Considerations
The document lists several considerations for organizations contemplating having BYOD programs:
1. Obtaining senior management commitment to address privacy and security risks: Senior management is recommended to clearly demonstrate a commitment to identify and address privacy and security risks by conducting assessments to determine what is required to address the unique privacy risks in that organization
2. Conducting a privacy impact assessment and threat risk assessment: These assessments need to address the risks associated with collection, use, disclosure, storage, and retention of personal information, taking into account the sensitivity of the information and what is appropriate for that organization and for employees in specific positions
3. Developing, communicating, implementing and enforcing a BYOD-specific policy: Organizations need to develop, communicate, implement, and enforce the BYOD policy, so that expectations are clearly established and easy to understand; when setting out restrictions in the program, there needs to be a balance between the privacy expectations of employees using the devices and the organization’s information management requirements
4. Pilot testing a BYOD program prior to roll-out: It is recommended to pilot the program before rolling it out to the entire organization, and to also use a single platform before expanding to other platforms in order to examine any risks and benefits of the program
5. Developing training materials and programs: Training is vital – IT professionals and users need training to address the privacy and security issues, and opportunities to ask questions and receive resources; topics include storage and retention, encryption, patch and software vulnerability management, malware protection, and incident management
6. Demonstrating accountability: The issue here is that, if an employee has full administrative rights over all the information on the device, an organization may not be able to appropriately demonstrate accountability for the information under its control or in its custody. Also, connecting a personal device to an organization’s network may create significant privacy and security risks, such as threats to the integrity of the corporate network. The recommendation is to implement Mobile Device Management software to manage the mobile devices that connect to the corporate network, including over-the-air distribution of apps, data, and configuration settings (ensure that the expectations of the parties are first documented in the policy)
7. Mitigating risks through containerization: Organizations are recommended to consider partitioning each device into two compartments/containers (one for business use, and one for personal use). In this way, organizations can effectively manage and protect the container that holds the personal information in their control and any corporate-approved apps (lost/stolen devices can be dealt with by organizations erasing the container holding corporate information), but policies need to also address the scenario where the device is “rooted” (where privacy and security controls are bypassed)
8. Identifying policies and procedures for storage and retention: It is necessary to have policies in place dealing with the storage and retention of personal information in an organization’s control on the corporate network or on approved devices; organizations can use a “thin client” (for instance, a remote desktop service) to prevent information from being stored on a BYOD device at all
9. Implementing encryption for devices and communications: It is important to address device encryption, container encryption, and the encryption of communication channels between devices/mobile apps and the corporate network; secure connections such as a virtual private network are recommended for remote connectivity, and the organization should create preventative strategies for dealing with lost encryption keys
10. Addressing patch and software vulnerabilities: The program must protect against software vulnerabilities and malicious activities by clearly establishing areas of responsibility for patch management and updates (keeping in mind that even if the corporate apps have security patches installed, security vulnerabilities from user-installed apps could compromise personal information)
11. Managing apps and app configuration: It is recommended to have a list of approved apps that can be installed and procedures for installing, updating, and removing them
12. Supporting effective authentication and authorization practices: Device authentication, container authentication, and user authentication need to be addressed (it is recommended to have a system requiring strong passwords and use multifactor authentication); organizations are recommended to consider balancing security and privacy with usability
13. Addressing malware protection: Organizations need to ensure that there is protection from common malware such as worms, viruses, ransomware, adware, and Trojan horses that are spread through messages, emails, and web links by having strong network security that is regularly monitored, tested and updated; users also need to be educated on mitigating risks by exercising judgment regarding online sites visited and suspicious links
14. Formalizing a BYOD incident management process: Even if organizations take steps to identify and address privacy and security risks, incidents can still occur – an incident management process ensures that security incidents and privacy breaches are detected, contained, reported, investigated, and corrected in a timely and consistent manner using clear processes, and that they are reported to the organization’s privacy officer as soon as they are discovered
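Several of the considerations above (containerization and rooted devices, encryption, patch management, approved apps, and authentication) are the kind of rules an organization would encode as a device-compliance policy in its MDM before a personal device is allowed into the work container. The following is an added example, not part of the Commissioner's document or any MDM vendor's code: it evaluates constructed device records against those rules and reports the findings for each device. The record field names, thresholds, approved-app list and sample devices are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy parameters; a real organization sets these in its BYOD policy.
APPROVED_APPS = {"corp-mail", "corp-files", "corp-vpn", "authenticator"}
MAX_PATCH_AGE_DAYS = 90
MIN_PASSCODE_LENGTH = 8


@dataclass(frozen=True)
class DeviceRecord:
    """One device as reported by an MDM agent (hypothetical field names)."""
    device_id: str
    rooted: bool                 # jailbroken/rooted: platform controls can be bypassed
    device_encrypted: bool       # full-device storage encryption enabled
    container_encrypted: bool    # work-container encryption enabled
    security_patch_date: date    # most recent OS security patch applied
    container_apps: tuple        # apps installed inside the work container
    passcode_length: int         # length of the device/container passcode
    mfa_enrolled: bool           # user enrolled in multifactor authentication
    vpn_configured: bool         # remote access to corporate network goes over the VPN


def evaluate(rec: DeviceRecord, today: date) -> list:
    """Return the list of policy findings for one device; an empty list means compliant."""
    findings = []
    # Consideration 7: a rooted device defeats containerization, so it is flagged first.
    if rec.rooted:
        findings.append("rooted device: container controls cannot be relied on")
    # Consideration 9: device, container and channel encryption.
    if not rec.device_encrypted:
        findings.append("device storage is not encrypted")
    if not rec.container_encrypted:
        findings.append("work container is not encrypted")
    if not rec.vpn_configured:
        findings.append("no VPN profile: remote access to corporate network is unprotected")
    # Consideration 10: patch management; flag stale OS security patches.
    age = (today - rec.security_patch_date).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"security patch is {age} days old (limit {MAX_PATCH_AGE_DAYS})")
    # Consideration 11: only approved apps may live inside the work container.
    unapproved = sorted(set(rec.container_apps) - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved apps in work container: " + ", ".join(unapproved))
    # Consideration 12: strong passcode plus multifactor authentication.
    if rec.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append(
            f"passcode length {rec.passcode_length} below minimum {MIN_PASSCODE_LENGTH}"
        )
    if not rec.mfa_enrolled:
        findings.append("user not enrolled in multifactor authentication")
    return findings


def is_compliant(rec: DeviceRecord, today: date) -> bool:
    return not evaluate(rec, today)


def triage(records, today: date) -> dict:
    """Map device_id -> findings for every non-compliant device; compliant ones are omitted."""
    report = {}
    for rec in records:
        findings = evaluate(rec, today)
        if findings:
            report[rec.device_id] = findings
    return report


# Constructed sample inventory: one compliant phone, one tablet that fails several rules.
TODAY = date(2023, 11, 20)
SAMPLE_DEVICES = (
    DeviceRecord("phone-001", rooted=False, device_encrypted=True, container_encrypted=True,
                 security_patch_date=date(2023, 10, 1), container_apps=("corp-mail", "corp-vpn"),
                 passcode_length=10, mfa_enrolled=True, vpn_configured=True),
    DeviceRecord("tablet-002", rooted=True, device_encrypted=True, container_encrypted=False,
                 security_patch_date=date(2023, 3, 1), container_apps=("corp-mail", "game-x"),
                 passcode_length=4, mfa_enrolled=False, vpn_configured=True),
)

if __name__ == "__main__":
    for device_id, findings in triage(SAMPLE_DEVICES, TODAY).items():
        print(device_id)
        for f in findings:
            print("  -", f)
```

The rooted-device check is deliberately separate from, and listed ahead of, the other findings: once the platform's controls can be bypassed, a "passing" encryption or app-list result from the same device is no longer trustworthy, which is exactly the scenario consideration 7 says the policy must address. In practice the remediation for such a device is to block the container and, where the policy provides for it, wipe the corporate container only, never the employee's personal data.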
What does this mean for employers?
Employers who are considering using BYOD programs (or already have them) are recommended to review the above considerations and consider what policies and procedures they have in place for their BYOD programs. It may be worth weighing the costs and benefits of having such a program in the organization before making the decision to implement one. Employers who choose to proceed with a BYOD program are recommended to regularly review their policies and procedures so they remain current and relevant to the particular workplace.
Dear Celeste,
Thank you for your general question regarding charities and not-for-profit organizations. PIPEDA clearly states in its application provision, section 4, that it applies to organizations that collect, use or disclose personal information in the course of commercial activities.
Section 2(1) defines “commercial activity” as any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
These sections can be seen here:
https://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-1.html#h-416934
It is important to take a look at the PIPEDA Interpretation Bulletin regarding commercial activity here:
https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_03_ca/
As can be seen in this document, not-for-profit organizations are not automatically exempt from PIPEDA. In fact, whether an organization is a non-profit business for purposes of taxation is not determinative of whether its collection, use or disclosure of personal information is carried out in the course of commercial activity.
So, it may be essential to comply with PIPEDA and also observe the policies and guidance documents provided by the Privacy Commissioner. Even in the case where one believes that PIPEDA does not apply, the Canadian Bar Association recommends that charities and not-for-profits comply with PIPEDA anyhow, as seen here:
http://www.cba.org/Sections/Charities-and-Not-for-Profit-Law/Articles/2019/comply-with-PIPEDA
In fact, given the growing emphasis on privacy and the fact that it has been noted that many charities across Canada are in control of a great deal of personal information (particularly relating to donors, clients and volunteers), it may be in the organization’s (and everyone’s) best interests to comply with privacy rules voluntarily.
Indeed, the CBA notes that voluntary compliance with privacy rules may help to manage reputation and maintain stakeholder confidence in the organization.
Those who are not sure about whether their particular organizations are covered under PIPEDA are recommended to seek legal advice.
Thank you,
Christina
What about in the not-for-profit sector – Board members who demand access to confidential information on their own personal devices and in their own homes??