In response to the COVID-19 outbreak, businesses and employers are exploring options to move their workforce online or to accommodate work from home. Schools, post-secondary organizations and other sectors may also be looking to deliver core services online. While many organizations already have these systems set up, for others the response to COVID-19 has accelerated efforts to explore the feasibility of work from home arrangements. Even if you’ve already been accommodating remote work arrangements, your organization is likely facing greater and faster demand under the present circumstances.
All privacy laws in Canada impose requirements on organizations to ensure that the personal information that they collect, use and share is secure against unauthorized access, use and disclosure. Planning to move your workforce online must include appropriate consideration for legal privacy and data security obligations.
Some risks to consider include:
Loss of Control
Moving to a remote workplace means letting go of centralized office space and moving the “workplace” to disparate home offices, kitchen tables and mobile devices. This necessarily means that organizations will surrender some ability to exercise direct physical control over paper and electronic files. Organizations need to stay on top of this issue. When data migrates out of the corporate office into employees’ homes, keeping track and instructing employees on prudent practices is key to managing risk and satisfying obligations under privacy laws.
Data Security
Moving personal information or confidential and proprietary business information into the cloud obviously entails new risks. Just as organizations ensure their physical premises are secure, employers need to ensure that online systems are secure against cyber-attack and that appropriate access controls are in place. It’s important to involve your IT professionals in vetting and putting into place electronic systems security to identify and address vulnerabilities that may place sensitive information at risk. Even simple measures, like instructing employees in encrypting sensitive electronic files, can make a difference.
Privacy Breach
Most organizations have already developed privacy breach reporting and response plans. However, with a remote workforce the employer’s ability to identify and respond quickly to privacy breach incidents may be diminished. It’s prudent to review privacy breach policies and plans and adapt them for use with a mobile workforce. It’s also important to ensure employees clearly understand the expectations to protect personal information and to report privacy breaches to the employer if they occur. The fact that employees are working from home does not lower the expected standards that apply.
Exposure Risks
There is also a range of other privacy and data security risks that arise from work-at-home arrangements. Many of these risks can be addressed by properly instructing employees on best practices. Those instructions should address issues including: sharing of devices or home computers with the employee’s spouse or family; the secure storage and destruction of paper and electronic files; and maintaining physical security over files, passwords, mobile devices and home offices while working remotely.
Vetting Cloud Providers
Making prudent decisions about your choice of cloud service providers is crucial. Organizations continue to be responsible for the actions of their contractors and service providers under privacy laws. Organizations must ensure that they carefully vet cloud service providers to reduce risk and guarantee compliance. A provider’s privacy policies, terms of use and service contracts should be carefully reviewed. Organizations should consider issues such as: the provider’s right or ability to access and use your data; what information the provider collects about users and what they do with it; the provider’s physical and electronic security standards; and whether you exercise control over the data, including a right to require its destruction. It is also important for organizations to review cloud service arrangements with a view to liability. Many cloud service agreements seek to limit the provider’s liability in the event of a privacy breach, even when the breach is due to the provider’s own negligence.
Data Residency
When moving employees into a cloud-based working environment it is also important to understand where the organization’s data is being stored and whether it may be accessed from outside of Canada. In British Columbia, the public sector (and private sector organizations that provide services within the public sector) is subject to strict requirements under the Freedom of Information and Protection of Privacy Act governing the storage and access of personal information outside of Canada. Many cloud providers are based outside of Canada and maintain servers elsewhere. This creates compliance risks for BC-based organizations. Even if data-residency restrictions do not apply to your organization, storing information outside of Canada exposes personal information to additional risks, as the privacy laws in foreign jurisdictions may not be the same as they are in Canada. It is recommended that organizations at least notify employees and customers if personal information is being stored outside of Canada.
Organizations that have the option of continuing to operate and deliver services by mobilizing a remote workforce are fortunate. However, it is important that employers proceed carefully and prudently. Protecting personal information and confidential business information in these types of work arrangements raises new planning challenges that must be identified and addressed.
For more information on employees working from home please review the related article: “Privacy Practices for Employees Working From Home”.
If you have questions on how best to deal with privacy issues as your organization begins to work remotely, contact Suzanne Kennedy.
Note to our Readers: Information regarding COVID-19 is rapidly evolving. We are working to bring you up-to-date articles as the legal issues develop and to keep our previous posts updated. Given that the legal issues related to COVID-19 are constantly changing, if you are looking for legal advice or are dealing with an issue in relation to COVID-19, please contact your Harris lawyer or a member of our COVID-19 response team: Sari Wiens, Ilan Burkes, Nicole Toye or Jessica Fairbairn.