Dubai Stu, I'm with you... and unfortunately; this is where things get messy. BES, Exchange, etc. all have different levels of administrators and access rights. Unfortunately, in IT somebody (hopefully not many) have the keys to the kingdom. That said, access to a device, pulling data, etc. will all be recording in the systems audits logs. These logs should be reviewed regularly by a Sr. Manager or another 3rd party to catch that kind of behavior or hopefully deter it from happening in the first place.

Unfortunately, in most organizations, the centralized groupware items: (e-mail, calendars, folders on laptops), there are usually a couple of the IT guys that have keys to most of it. Its possible to eliminate these kinds of access (the military does it all the time), but usually the cost to the organization to have those types of controls in place greatly exceeds the risks. Its easier to audit those that have access.

My opinion is that many IT folks should be held to similar licensing standards as lawyers and other professions. Some of us have too much access to too much sensitive information. (this is an entirely different unrelated topic).

From insiderdude's comments, I got the impression ID has work stuff and personal stuff on the same device and is concerned about work accessing his personal stuff. I do it, just because the hassle of keeping them completely separate (different devices, limited functionality) outweighs my personal exposure. It's really a judgment call on the part of a user.

With BES you are part of the work cloud, in many respects no different than working from your office desk. Accessing external information is just a matter of you pulling it locally. You can remove your device from the work cloud, and pull data out from the office, but you then limit your functionality (and some companies don't allow this). Both methods work. It really depends on what is more important to you.