There is an increasing trend in the workplace, where employees bring their own devices (BYOD), typically smart phones or tablets, to work. With the emergence of devices like the iPhone and Galaxy phones, the trend keeps growing.
Why? Employees want the flexibility of using the latest technology to do their jobs more efficiently while multi-tasking chores like personal banking and staying connected with their lives outside of work. Allowing employees to use the tools they prefer increases satisfaction and retention. It also avoids the need for employees to carry a work and personal phone.
In an era of cost savings, where flexible workspaces and work from home programs are also becoming the norm, and with mobile technology changing at unprecedented rates, employers are likely to view BYOD as an appealing way to lower costs.
Whatever the reason, it is now common for employees to have their devices and use them for both work and personal activities. Employers have started developing BYOD policies and programs in response to this trend. BYOD however, is a complex area that involves balancing a number of legal, human resources and information security issues.
From the legal standpoint, the most significant issues that arise for both employees and employers are from a privacy and confidentiality perspective. The issue of privacy was grappled with in the 2012 Supreme Court of Canada (SCC) decision in R. v. Cole, and more recently, the British Columbia Court of Appeal decision in R. v. McNeice.
Both of these cases involved teachers convicted of accessing child pornography on their work laptops, where the employee was found to have a reasonable, though diminished, expectation of privacy in their personal use of the laptops. The SCC did not make any findings about the employer’s right to monitor their employees’ computer use, but these cases highlight the importance of clearly outlining the employee’s expectation of privacy, as well as the extent of the employer’s right to access and monitor BYOD devices within a policy. In a BYOD context, the fact that the employer no longer owns the equipment is only likely to increase the employee’s expectation of privacy, and reduce the employer’s ability to access and monitor communication on these devices.
Employers should also keep in mind the Court of Appeal or Ontario’s 2012 decision in Jones v. Tsige, which recognized a new tort of “intrusion upon seclusion” in cases involving invasion of privacy in the civil context. This case involved access to another employee’s sensitive personal information, in this case, banking records, by another employee through the employer’s network.
In considering a BYOD program, it is important for employers to determine whether BYOD is even appropriate for their business. This will depend, in large part, on the nature and sensitivity of the information communicated over its networks. For example, BYOD is unlikely to be appropriate in industries where security issues and information theft are a strong possibility.
If BYOD is appropriate, there remain numerous issues for employers to consider when developing a BYOD policy. While the following is not an exhaustive list, an effective policy should:
- Establish that BYOD is a privilege granted at the employer’s discretion;
- Make reference to related policies that apply to the use of BYOD devices;
- Outline which employees the BYOD policy will cover, and which devices will be allowed to connect with the employer’s network;
- Clearly define what is considered business or personal use of a device, as well as the employee’s expectation of privacy with respect to each type of use;
- Set out what access and monitoring rights the employer will have over the device;
- Outline how costs associated with the device will be shared between the employer and employee, as well as what support will be available for employees using BYOD devices;
- Address hours of work and overtime issues for eligible employees; and
- Explain what happens to a device and/or the information stored on it when the device is lost or stolen, or when an employee leaves.
Given the complexities involved in BYOD programs, we recommend that employers get advice from experienced legal counsel early in the policy development process.
