Australia's privacy laws are currently in a transitional phase prior to the introduction of a unified set of Australian Privacy Principles (APPs) that will apply to both the private sector and the Commonwealth public sector. Privacy is particularly relevant in the context of BYO devices because an employer may be able to access and back up a variety of personal information relating to an employee and their contacts.
There are no privacy laws that specifically address BYOD technologies. However, organisations will need to comply with the APPs, which regulate things like the collection, handling, storage and disclosure of personal information.
In particular, APP 11 requires organisations to take reasonable steps to protect the personal information they hold from misuse and loss, and from unauthorised access, modification or disclosure. Broadly speaking, organisations are also required to destroy or de-identify personal information once it is no longer needed.
Australian privacy laws (unlike most other privacy regimes around the world) contain an "employee records exemption" which essentially exempts private sector organisations from complying with the APPs where they are dealing with personal information of their employees for the purpose of the employment relationship.
While this provides some protection to organisations implementing BYOD strategies, it does not protect organisations in respect of personal information of an employee's contacts and friends which the organisation may end up backing up. Again, this highlights the importance of segregating work and personal data on an employee's device.
Surveillance and tracking
The legal landscape surrounding workplace surveillance and telecommunications interception is complex and is dictated by a variety of State and Commonwealth laws which organisations adopting BYOD strategies must be aware of and adhere to.
A key principle of the various pieces of legislation is that employees must be provided with notice of all workplace surveillance that will occur, and organisations should have in place (and make easily available) a data surveillance policy which contains certain mandatory information that is required at law. This may be relevant if an employer plans to record, for example, telephone calls and SMS messages sent or received by the employee's device.
Surveillance is also relevant in the BYOD context if an employer intends to utilise some form of tracking mechanism to monitor the location of an employee's device. For example, an employer may require an employee to install a GPS tracking application.
Again, the legal framework surrounding tracking is complex, but the key principle is that employee devices should not be tracked without the express consent of the employee -- mere notification is not sufficient.
While organisations may choose to forego the implementation of a BYOD program because of the potential legal and commercial risks, this approach is not likely to be practical in the long term given the demand for organisational mobility.