Practical Privacy and Tech Tips For a Workforce that is Working from Home

Many of us have jobs that can be performed remotely – all that is needed is an internet connection, a phone and a computer or other device, such as a tablet. This has allowed Canadian businesses to respond to the challenges that are created by social distancing, by enabling their employees to work from home.

Work from home arrangements raise a host of legal implications, including worker’s compensation coverage and reimbursement of expenses. There are also many privacy and tech issues, which are the focus of this article.

Chances are, your employees are dealing with sensitive information (understanding that for an employer, it’s likely that anything related to the business might be viewed as sensitive).

What are some of the implications of work from home arrangements, in this context?

  • Productivity monitoring: It might be tempting to look to spyware, keystroke monitoring and other software, to ensure your employees are devoting their working hours to business activity. Be aware, however, that privacy laws deem these technologies to be extremely privacy invasive. They can only be justified if other, less privacy invasive measures, have been tried unsuccessfully. Better to stick to supervision by way of more traditional methods, such as keeping tabs on work output and response times, as well as periodic telephone and email check-ins (which many employees might appreciate, anyway, in these times of social isolation). Be clear about what you’re doing – covert surveillance is much harder to justify, and not just because it involves a greater infringement on employee privacy rights. Productivity monitoring works better when employees know they are being held accountable (never mind the negative effect on morale that’s caused by surreptitious monitoring).
  • Intercepted communication: Using public WiFi for work material is never a good idea. It wasn’t before COVID-19, and it won’t be after the pandemic passes, either. Make sure you’ve clearly communicated your expectations, in that regard. VPNs (virtual private networks) and firewalls offer an added layer of security, but they are not impenetrable. Consider whether sensitive email or documents ought to be encrypted before transmission. Privacy laws do not require perfection, but they do require you to turn your mind toward privacy risks and implement reasonable protective measures.
  • Whitelisted technologies: Many employers were not in a position to provide laptops and other devices to their employees, before the requirement for social distancing kicked in. This means many employees are using personal computers, phones, routers and other equipment. An employer’s tech infrastructure will be (or at least, should be) built on carefully reviewed and approved equipment, apps and other software. Use of employee devices means it is harder for the employer to control (or even know) what tech is being used, to access its infrastructure and data. Do employees have up to date anti-virus and malware software installed on their devices.
  • Ownership of content: It’s much easier for an employer to argue it owns work product that is created on employer-owned technology, during work hours. Once employees start using their own devices, during off-hours. Once employees start using their own devices, during off-hours, the line gets hazier. What happens to the information, if the employee ceases to work for the business? Is there a plan for repatriating the data, once things return to the status quo?
  • Retention and access to information: Work product that is created on employee devices may be harder to store and catalogue, for future use. Privacy laws may also require an employer to provide records in response to an access to information request. Give consideration to how your business might respond (especially if you’re a public sector employer), if you receive an access to information request that implicates records that live on an employee’s device. Can the personal vs. private data be separated?
  • Who’s paying? Data costs money – who’s paying for extra bandwidth charges (though note many internet service providers have committed to waiving those charges, for the time being)? Who will be responsible for long distance call charges on personal devices?
  • Reporting lost devices: Canada’s privacy laws may require notification to affected individuals, if a business’s information is lost. The first step is knowing you have a problem. Consider a system for keeping track of what information is on what devices.

 

As can be seen, there are many issues that arise from work from home arrangements. While there is no single answer, we’ve found that many of these issues can be addressed through a comprehensive bring your own device (BYOD) policy. We’ve created many BYOD policies and would be happy to assist you with the preparation of your own policy (or, you already have one, tuning it up so that it addresses these work from home considerations).

Please do not hesitate to contact your relationship partner or lawyer if you have any questions or if we can be of assistance in guiding you through these new challenges.

This article was prepared by:

ANDREW J.D. BUCK
PARTNER
204.956.3569
[email protected]

This article represents general information and is not legal advice. Please contact us if you would like legal advice that is tailored to your particular circumstances. We would be happy to help.

Download PDF here.