On July 23, 2020, the Office of the Information and Privacy Commissioner of Ontario released a fact sheet regarding privacy concerns associated with working from home during the COVID-19 pandemic.
The fact sheet notes that people are now working from home in ways that they never anticipated, and thus new risks to privacy, security and access to information have arisen. The recommendation is to take steps to mitigate the potential risks and consider the suggested best practices for developing work-from-home plans.
More specifically, the fact sheet covers several important topics and offers useful best practices for each. Here are a few examples:
- Work from home policies: It is important to review any existing work-from-home policies that may be present in the workplace to ensure that they remain up to date. If there are none in place, it is important to create them considering the current situation where everyone is working from home.
- Communication: Employers need to ensure that employees understand that legislative requirements and other workplace policies and procedures still apply when working from home. Also, employers should provide employees with the contact information of technical and administrative support for situations where it is required. It is crucial that employers explain the dangers of phishing scams and other malicious cyberattacks, and provide information on how to identify and defend against them. Further, employers need to explain the concerns associated with sending emails and take steps to use work-related devices and protect the information on those devices (such as using encryption and password-protecting documents).
- Remote access to networks and information: It is necessary for employers to enable secure remote access to their corporate networks, databases and email accounts. This can be accomplished by using strategies such as multi-factor authentication, ensuring that a virtual private network with end-to-end encryption is used, prohibiting employees from using unsecured Wi-Fi and requiring approval to remove any personal information from the office.
- Digital devices and software: With respect to work-issued devices, employers need to be clear on what technology and software are required to perform the work from home. These work devices should be equipped with the most current security software, applications and other required resources. Employees need to understand how to work with external communication platforms and cloud service tools, namely how to safely install, configure and use them. It is important to stipulate that employees are not to download or install programs or apps on work devices without approval. With respect to personal digital devices, employees need to understand what precautions can be taken to protect personal information. If there are no secure remote access tools, it is important to segregate and secure all work-related information on devices used at home (such as saving password-protected files in a different location/partition on the device). Employers need to ensure that they have a plan in place to address issues relating to the secure destruction of information, keeping in mind applicable retention period requirements.
- Home workspaces: It is possible that other individuals in the house may be near the workspace and that work conversations could be overheard. Employees need to understand the risks of inadvertently disclosing sensitive information and the things they can do to tackle this issue. Some things that employees can do include securing devices by not leaving them unattended, visible or unsecured outside the home. Moreover, it is recommended that employees not work in public places since there is a higher risk of eavesdropping and equipment loss or theft.
What can employers take from this fact sheet?
It is recommended that all employers examine this fact sheet and try to find proactive ways to incorporate some of the suggested best practices that may be applicable. During these uncertain times, it is important to comply with privacy obligations and also remain responsive and adaptive while meeting evolving operational needs and the needs of employees.