
OTTAWA – Canada’s Privacy Commissioner issued words of caution, and some suggestions, for Canadian businesses thinking about implementing a bring your own device (BYOD) program for employees.
The Office of the Privacy Commissioner of Canada and the Alberta and British Columbia Information and Privacy Commissioners' Offices issued joint guidelines Thursday that they say are designed to mitigate the risks of security incidents and privacy breaches when employees use their own mobile devices and computers for work.
According to the guidelines, organizations should conduct a privacy and threat assessment prior to implementing a BYOD program to identify and address risks associated with the collection, use, disclosure, storage and retention of personal information. They also suggest that a BYOD policy include rules governing the acceptable use of devices, corporate monitoring, the sharing of devices, app management, connection to corporate servers and responsibility for security features, software updates and voice or data plans. Other suggested risk mitigation measures include encryption of BYOD devices, authentication, and partitioning of devices to keep approved corporate apps and data separate from personal apps and data.
"Allowing employees to use their mobile phones, tablets and laptop computers for both personal and professional use carries significant privacy risks – particularly when one world collides with the other," said Privacy Commissioner Daniel Therrien, in the news release accompanying the guidelines. "Companies need to consider the risks in advance and prepare to manage them effectively. Only then could they conclude whether a BYOD program is right for them."