Bring Your Own Device - Part 4

As I have attempted to draft a sample BYOD policy on this blog, I have resisted the idea that the employer agree to recognize zones of privacy on an employee's device when the employer takes possession of it to extract records.

In Part 2 of my BYOD drafting series, I proposed a clause saying the employee must keep his/her supervisor reasonably informed and empowered as to the employee's use of a device for business and the access control credentials to the device.  That idea raised concerns on my Google Plus page from employee advocates.

Zone of Privacy?

But over on my Facebook page, Gal Shpantzer asked whether it is practical for the employer -- once it is looking into the content of the device -- to acknowledge that one zone on the device is business and subject to inspection and another zone is personal and not subject to inspection.  My direct reply to Gal is I don't know.

Two Operating Systems?

Gal's question leads me to ask another question:  Is it practical for the employee to have two operating systems on a mobile device, designating everything under operating system X as business and everything under operating system Y as personal?

If the answer is yes, what do you think about the sample BYOD policy including the following clause?

"If an employee sets up a device with two operating systems, designating all the data and activity under the first as business and all the data and activity under the second as personal, then the employee is not required to keep his or her supervisor informed and empowered as to data, activities and access control credentials related to the second operating system."

If this clause were in place, could not the employee secure and even encrypt everything under the second operating system?  Is this clause a practical way to protect the interests of the employer, while empowering the employee with reasonable privacy?

This is Part of a Series

To really understand this post, you need to study the whole series of BYOD posts on this blog:

Part 1
Part 2
Part 3
Part 5

I welcome your comments.

--

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Update:  Relevant discussion continues on my Facebook page.

Another update:  An employee who brings his or her own phone for work might set up a Google Voice number for business calls.