Should risky apps like TikTok be banned from employee cellphones?

'If you can potentially expose your company to economic or security vulnerabilities, that's a violation of your work contract'

Recently, the Canadian federal government said employees would not be allowed to have Chinese-owned social media app TikTok on employer-issued phones.

In banning the app, the “Chief Information Officer of Canada determined that it presents an unacceptable level of risk to privacy and security,” said Mona Fortier, president of the Treasury Board Secretariat.

The government is well within its rights as an employer to take such a radical step, according to a Toronto academic.

“The technology is owned by the government so, in other words, handheld devices, smartphones, because they own it, they can do what they want in terms of how the device is used,” says Daniel Tsai, lecturer on law and technology at the University of Toronto and Toronto Metropolitan University (TMU) in Toronto.

Government employees may well have access to more sensitive data than private-sector employees do, but the move makes a lot of sense, he says.

“Me hearing that they’re banning TikTok on government phones, that doesn’t raise any alarms; to me, it sounds reasonable. If the government has undergone a risk analysis and determined that TikTok is more harmful than good on the government phones, then that is the result.”

Should other employers, particularly those in the private sector, consider this kind of ban?

Why protections are needed

For private employers, there are some laws that have to be accounted for, according to Savvas Daginis, an associate in business law at Siskinds Law Firm in London, Ont.

“If you are a business collecting personal information, most likely, PIPEDA [Personal Information Protection and Electronic Documents Act] applies to you.”

When thinking about how much protection needs to be offered, it is the type of data that matters most, he says.

“If you’re just holding onto somebody’s name and maybe address, and let’s say that name and address are in a phonebook that is readily available to everyone, you won’t need to implement incredibly detailed security measures. Whereas maybe you’d have to implement such measures if you had medical data.”

A work-related phone should be used for work, says Daginis.

“In the cybersecurity world, the more programs you have on a device, the more doors there are to enter that device,” he says. “When you have confidential or personal information on a device, you need to make sure that that information is protected.”

When it comes to protecting data that might be stored on, or be accessible through, a company-issued phone, there are a number of considerations employers should work through to keep everything safe, says Liam Ledgerwood, an associate in labour and employment law, also at Siskinds Law Firm.

“Each individual employer will likely set out what their expectations are about the extent to which employees need to safeguard confidential and proprietary information and that will generally be dictated by contract — or by an employer policy, about what employees must do,” says Ledgerwood.

Employee-owned devices

While control of employer-issued phones is under the purview of the organizations, there might be a “wrinkle” for personal employee phones, says Ledgerwood.

“If it’s a personal device [and] the employee has purchased it themselves, they have full administrative control over the device and generally no company information is stored on the device or the device is not otherwise used for work, that would add a wrinkle to the analysis,” says Ledgerwood.

“The major question would be more of a practical question, rather than a legal question, which would be: ‘Why bother?’ Why bother telling employees what they can or can’t do on their personal devices?

“But to the extent that an employer did want to bother and did want to try to dictate what employees had on their personal devices, employment laws that exist don’t really have a category of claim for an employee complaint about that.”

When it comes to employee personal devices, there are many privacy-of-information concerns that have to be addressed in order to protect the data, says Tsai.

“If your phone is used for business purposes, there is a legal argument to be made that the use of the device in that context can also be regulated: if you’re using your personal device to work, that’s governed by the employment contract,” he says.

“If you can potentially expose your company to economic vulnerabilities or security vulnerabilities, that’s actually a violation of your work contract. Even if you’re using a personal device, that could be problematic if you’re in a particularly sensitive industry, and you’re talking about employment stuff on your personal device.”

Policy considerations for data protection

Deciding on how to proceed will generally be on a fact-specific basis as workplaces and privacy needs have a wide variation, says Ledgerwood.

“Some industries have contractual obligations with their customers or clients to maintain confidentiality, and then they may have obligations to maintain employee privacy under some legislation that governs workplace privacy, but each of those perspectives will have very different treatment for what an employer is obligated to do, and then what an employee is obligated to do.”

No two policies are exactly the same, he says.

“Some will be very brief and high level and others will be longer and very detailed and technical about exactly what employees need to do to protect private information — but the one unifying feature of them is the creation of some type of contractual obligation.”

Basically, you want to keep things totally separate: use your personal device for personal matters and don’t mix it with your business and employment matters, says Tsai.

So HR departments concerned about privacy and confidentiality should look at founding documents that create and govern employment relationships to see “Do we have proactive contractual obligations for employees to take certain steps to protect and safeguard confidential proprietary and private information? And what policies and procedures do we have in place to ensure that those steps are being taken?” he says.

“That may include taking a look at potential weak points in network security, or in device security, including potentially malicious apps; ensuring that they’re not installed on devices that could access that confidential and proprietary information.”