Warning about BYOD-related laws
The template BYOD Policy does not purport to be compliant with all might be relevant. It should be used as a reference guide only. There are many Australian laws to be considered when tailoring a BYOD policy to any particular circumstances. Some key ones (there are others) are:
- surveillance laws, generally: There are Australian State laws concerning listening, optical surveillance and geographic tracking. Many devices, such as smartphones, can be used for surveillance which is regulated under these laws. Consent, as provided in the template BYOD policy, may be permit otherwise impermissible surveillance under such laws, but this should be true consent in the sense of it being knowingly given, with choice for alternatives and with knowledge of the consequences. A mere signed consent form may not amount to actual consent in some circumstances;
- specific employee surveillance laws: Some Australian State laws have specific employee surveillance Acts. The comments, above, concerning consent are equally applicable;
- general workplace laws: Some State laws bring employee surveillance within the purview of industrial relations regulation. More generally, there is an issue about how a BYOD policy aligns with other applicable employer policies and employment terms. The BYOD policy template may not to be contractually binding. Consideration should be given to adapting BYOD policy template in these respects;
- health records laws: Where a principal might access an individual's health-related information on a permitted device, health records laws concerning permissible collections, uses, disclosures and record retention may apply;
- privacy laws: In addition to the Commonwealth legislation (e.g., the Privacy Act 1988), State privacy laws may apply to constrain access to an individual’s device and the access seeker’s management of information which might be accessed from that device. The coverage of the Privacy Act 1988 (Cth) and State privacy laws is not the same. For example, they operate differently as regards the personal information of employees and personal information collected by those falling within a "small business" exception.