Evan Schuman: What to include in your mobile privacy policy

Evan Schuman | Jan. 8, 2014
If your company doesn't yet have a mobile-specific privacy policy, it's time to get to work.

You also need to specify what the company can do with mobile devices' tracking capabilities. They might seem like a boon when you need to locate employees, and they're even helpful for building security, such as when you need to make sure every employee is located during an emergency evacuation. They're also an easy way for new employees to find some far-off conference room on a large campus.

But it doesn't take much imagination to see how tracking could get creepy. Are you going to let managers use tracking data in performance reviews? ("Well, Rebecca, I see that you spend more than an hour every day in the lavatory." "Scott, the average length of your lunch hour over the past six months has been 85 minutes.") Will you track employees when they leave your facility but are still on company time? What about when they are not on company time? What if someone phones in sick and you find his company-issued Android at the racetrack or a bar — or a competitor's headquarters?

In last week's column, I discussed the implications of BYOD policies, where employees use their own mobile devices. I suggested that some form of partitioning will be needed to separate corporate- and employee-owned data, so that you aren't backing up employees' private data or deleting it when the employee leaves the company. Your mobile privacy policy is going to have to address who owns the device: the company or the employee — or a third party? Do you have the same rights to justify monitoring your corporate data if it resides on a device your employee owns? Or a contractor owns? Or a partner (some other company's employee) owns?

You need to discuss and agree on where your company wants to place those limits. It's light-years easier to discuss this calmly and professionally when there is no immediate specific situation staring you in the face — with personalities attached. Whatever is agreed to must be ironclad. You don't want emotional situations to trump the calm thinking made at an offsite executive meeting back in January. Clearly, exceptions can always be made, but they should be rare.

Something else to consider: Deciding these things isn't enough; the policy should also dictate how those decisions will be communicated to all of your audiences, especially to customers. In this case you can take a lesson from Nordstrom, which recently conducted a mobile location trial with shoppers. It posted a sign at the entrances to its stores, alerting customers to what was being done. It wanted the sign to be succinct and understandable, but it ended up with a program description that was a little inaccurate and incomplete. That caused confusion and anger among shoppers, who envisioned the program being far more invasive than it was.

 
