News Archives

Sunday, December 20, 2015

BYOD Guidelines Issued in Canada

During the late summer, the Office of the Privacy Commissioner of Canada, together with the Alberta and British Columbia Privacy Commissioners, issued guidance for employers to consider before allowing employees to use their own mobile devices for both work and personal uses. The guidance, entitled “Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization? Privacy and Security Risks of a BYOD Program,” can be summarized section by section as follows:
  • Ensure commitment by Senior Management
  • Conduct privacy impact & threat risk assessments
  • Develop, communicate, implement and enforce a BYOD policy
  • Test the BYOD program (before rolling it out)
  • Develop training materials & programs
  • Demonstrate accountability
  • Mitigate risks through “containerization”
  • Identify policies and procedures for storing and retaining personal information
  • Implement encryption for devices and communication
  • Address patch and software vulnerabilities
  • Manage apps and app configurations
  • Support effective authentication and authorization practices
  • Address malware protection
  • Formalize a BYOD incident management process
As noted by Kelly O’Ferrall of Stikeman Elliott, the underlying message to employers in this worthwhile but sobering guidance appears to be “proceed with caution, if at all.”
