BYOD policies could use upgrades with newer CASL requirements

Installing software, updates on employees’ personal devices requires consent

Last summer, Canada’s anti-spam legislation — CASL — came into force with a flurry. Various departments, including IT, marketing and HR, were kept busy trying to ensure their organizations didn’t run afoul of rules that restrict how businesses can communicate with each other and the public via email and text.

On Jan. 15, 2015, sections of the act related to the unsolicited installation of computer programs or software came into force, so it looks like there’s still more work to be done.

CASL prohibits the installation of a computer program (software) on another person’s computing device (such as a laptop or smartphone) in the course of commercial activity without the express consent of the device owner or an authorized user.

“In the context of an employment relationship, the employer would be the owner and the employee would be the authorized user,” said the Canadian Radio-television and Telecommunications Commission (CRTC).

Unless CASL already considers an employer to have consent without needing to ask for it, the employer must request consent before installing the software. And this has implications for bring-your-own-device (BYOD) policies in the workplace.

“A lot of employers may think… ‘We’re not the target of this legislation’ but if you look at the legislation and how it applies, I think it’s reasonably clear that it applies,” said Daniel Michaluk, chair of the information management and privacy practice group at Hicks Morley in Toronto.

“The basic premise around it is about being transparent about an employer’s interest in the personal device and … the premise of a BYOD policy is transparency about the employer’s interest in a personal device, and BYOD often involves installing software on an employee’s personal device.”

However, there may be a gap around the rigours of the consent rule under CASL, he said.

“You need express consent and the express consent has to be requested in a certain way, and then if the software performs certain intrusive functions that employees might not reasonably expect, you have to actually provide additional information, so everything pushes you to a more rigorous form of transparency.”

While employers with a BYOD policy might assume employees who enroll in the program are implicitly consenting when they hand over their device, that could be wrong, said Michaluk. 

“I don’t think handing over a device is something I would be comfortable calling ‘express consent’ — you’re implying from an action that is rather remote. So, in that circumstance, I think employers are going to want to go back and perhaps when there’s a software update or something like that called for, they’re going to put something before employees that causes them to expressly state their (consent),” he said. “If that’s the only cost of compliance and, frankly, that’s the only one I can see, it’s not such a big deal and it’s something employers should do.”

Taking the extra step is in line with BYOD best practice anyway, said Michaluk.

“It’s almost an opportunity to kind of take a second look at your policy which you may have put out in the early years — when thinking about these policies wasn’t as developed — and to bring it up to snuff,” he said. “Why play with fire and guess what the enforcement agency’s going to do when everything suggests that it’s the right way to handle the problem anyway?”

BYOD policies or remote computing are of concern when it comes to using a personal device, said Martin Kratz, partner and head of intellectual property at Bennett Jones in Calgary.

“In each of those cases, I own the property and usually what happens is the user may not be very sophisticated and if the employer installs the computer programs or the employer facilitates installing of the computer programs — like the help desk might do that, for example — then CASL would apply.”

The legislation says an employer needs express consent in those cases and while that can be done in a conversation, the government has specific informational requirements, he said.

“So you can’t expressly consent to the installation of a computer program, for the purposes of CASL, unless you provide a purpose for which you’re requesting the consent, you provide contact information, you indicate the consent can be withdrawn and you describe the functions of the computer program.”

And if a device is lost or stolen, the help desk may need to remotely “wipe” the computer, which may mean changing some of the settings.

“If any of those settings are changed without the disclosure of these functions then there could be a violation of CASL. There doesn’t have to be anything malicious involved, it’s just if CASL applied,” said Kratz. “It solves the problem but it may have unintended consequences and if it has unintended consequences, then there’s a requirement for disclosure of these additional enhanced features.”

What’s required is an analysis of the methodology by which the additional software is installed, what type of protective features are carried out under the BYOD program and then confirming the users understand what kind of functions or features may be involved, he said.

“There’s some defensive steps that employers can take by making sure that they review how they deal with employee’s remote devices, including bring-your-own-device policies, and then provide for the necessary notification and just analyze that whole process to make sure that they’re providing the required and prescribed information to the employees prior to the employee enrolling in the program,” said Kratz. 

“And the consent that is sought from the employee can include updates, so a best practice would be that when you’re obtaining consent, that you obtain consent to apply the updates as well.”

There’s also another concern, according to John Beardwood, partner at Fasken Martineau in Toronto, that involves both personal and professional devices: Work-related emails sent from personal accounts, without consent.

While companies may have complied with CASL by putting in place technological blocks on their servers that prevent employees from communicating with clients or potential customers on a “do-not-contact” list, that block is not available for personal email accounts or text messaging, he said.

“If you’re sending from a gmail address, you don’t have a systems application solution available to you because that’s somebody’s individual account,” he said. 

“There’s a good argument you’re representing Fasken when you send those emails which means that the company has to be concerned that the employees are obviously trained and understand the CASL implications.”

And while the employer may have complied with CASL in using lists of commercial contacts who have “opted in,” employees using personal accounts might bypass this database, intentionally or not, he said. So it’s a matter of conveying to them the importance of sticking to the rules.

“It’s important to note that that would equally be captured by CASL and it’s the same problem as gmail accounts because texts are not going through your company’s network, they’re going through your telco provider, for example Bell or Rogers, so… that means that you can be representing your company through that text but just like the gmail account, you don’t have the technological block.”
