Organization stumbles into BYOD nightmareDistrict of Houston v Canadian Union of Public Employees, Local 2086, 2019 CanLII 104260 (BC LA)
Hat tip to investigation firm Rubin Thomlinson for bringing an illustrative British Columbia arbitration decision to my attention. The remarkable April 2019 case involves an iPhone wiped by an employee's wife mid-investigation!
The iPhone was owned by the employer, but it set it up using the employee's personal Apple ID. That is not uncommon, but the employer apparently did not use any mobile device management software. To enforce its rights, the employer relied solely on its mobile device (administrative) policy, which disclaimed all employee privacy rights and stipulated that all data on employer devices is employer-owned.
Problems arose after the employer received a complaint that the employee was watching female employees. The complainants said the employee "might also be taking pictures" with his phone.
The employer met with the employee to investigate, and took custody of the phone. The employee gave the employer the PIN to unlock the phone, but then asked for the phone back because it contained personal information. The employer excluded the employee and proceeded to examine the phone, but did not finish its examination before the employee's wife (who the employee had phoned) remotely wiped the phone and refused to restore it with backup data.
The employer terminated the employee for watching the complainants (though not necessarily taking their pictures) and for insubordination.
The arbitrator held that the employer did not prove either voyeurism or insubordination. In doing so, he held that the employer had sufficient justification to search the phone but that it could not rely on its mobile device policy to justify excluding the employee from the examination process and demanding the recovery of the lost data. Somewhat charitably, the arbitrator held that the employee ought to be held "accountable for failing to make an adequate effort to encourage his wife to allow for recovery of the data" and reserved his decision on the appropriate penalty.
The employer took far too much comfort from its ownership of the device. Given the phone was enabled by the employee's personal Apple ID, the employer was faced with all the awkwardness, compromise and risks of any BYOD arrangement. Those risks can be partially mitigated by the use of mobile device management software. Policy should also clearly authorize device searches that are to be conducted with a view to the (quite obvious) privacy interest at stake.
For Rubin Thomlinson's more detailed summary of the case, please see here.