Maintaining Privacy Standards while working from home during COVID-19
July 7, 2020
With various Canadian provinces and territories declaring states of emergency as a result of the outbreak of COVID-19, many workplaces have directed their employees to work from home. While we live in an era where most businesses are prepared and equipped for their employees to work remotely, there remain a number of challenges in ensuring privacy standards are adhered to, and there are various ways employers and employees can lower risks.
Computer security, cybersecurity and information technology security are all terms used to describe the protection of computer systems and networks from theft of or damage to hardware, software and data, and from misdirection of services. Information technology security is a primary concern when working from home.
Some cybersecurity threats include:
- unsecured home wifi networks;
- sensitive data being shared across wider networks, some of which are not secure;
- using personal devices or networks that may not be compliant with corporate standards, may not be up to date or are accessed by others in the home;
- heavy reliance on group communication tools, some of which may not be secure; and,
- scams targeting remote workers.
Some ways of addressing the inherent risks associated with working remotely include:
- Establish a Work From Home Policy and Regular Training
To address some of the above risks that come with working remotely, a company should establish procedures to be followed when working remotely and train employees so that the policy is understood.
This policy and training can address many of the issues that arise when an employee is working remotely including:
- different security settings depending on whether the individual is on a wifi network at home or in a more public place like a hotel or coffee shop;
- ensuring the home router is secure;
- regular data back-up requirements;
- training employees on phishing emails and other scams targeting remote workers.
- Ensure Employees have the right tools
The right tools will vary depending on the business. This may include providing the employee with a computer that is strictly to be used for business and that has all the tools required to ensure cybersecurity, or at a minimum ensuring that any computer used remotely has:
- strong passwords that are regularly changed;
- passwords that are not used across multiple platforms;
- two-factor authentication;
- a Virtual Private Network (VPN), which will encrypt network traffic;
- firewalls;
- antivirus software;
- regular updates of all software;
- regular data back-up;
- encrypted communication capabilities;
- device locking after a short period of not being used.
It is important that employees know how to use the cybersecurity tools they are provided, and this should not be disregarded.
- Keeping Records and Personal Information Safe
When dealing with personal information:
- ensure that security levels are not changed as a result of the transition to working from home when accessing personal information or records;
- limit the records or personal information being taken home by employees to what is necessary;
- ensure that records or personal information are transported safely – for example, a locked bag for paper records and an office-issued laptop that is encrypted for electronic records;
- paper records, laptops or other devices should not be left in a public place such as a car while an employee runs an errand on their way home (e.g. grocery shopping) and should be stored in a secured location (e.g. a locked filing cabinet, desk drawer or office) at home;
- electronic transmissions of personal information should be secured through encryption with the password provided separately (e.g. over the phone or through a separate email with a clue);
- paper records, laptops or other devices with records or personal information should be securely returned to the office as soon as they are no longer needed.
- Guidance Documents
The Office of the Privacy Commissioner of Canada has released a guidance document on privacy issues during a pandemic that addresses both PIPEDA and the Privacy Act, which can be viewed here.
Several provincial privacy authorities have also released guidance documents for employees working from home, which can be accessed at the following links:
- Alberta – Office of the Information and Privacy Commissioner of Alberta
- British Columbia – Office of the Information and Privacy Commissioner for British Columbia
  - see also the January 2015 Guidance Document: Protecting Personal Information Away from the Office
- Newfoundland and Labrador – Office of the Information and Privacy Commissioner
- Northwest Territories – Northwest Territories Information and Privacy Commissioner
- Ontario – Information and Privacy Commissioner of Ontario
- Quebec – Commission d’accès à l’information du Quebec
- Saskatchewan – Office of the Saskatchewan Information and Privacy Commissioner
- Yukon – Yukon Information and Privacy Commissioner
- Have questions?
Koskie Minsky’s privacy team can assist in navigating various privacy issues during these uncertain times. To speak to one of our privacy lawyers, please click here.