As our global society experiences the second wave of COVID-19, it is likely that workers will continue to work remotely and not be returning to their offices anytime soon. The number of remote working options spiked in May of 2020 increasing the amount of jobs done from home to 3.3 million more than usual in Canada. The number of remote jobs is expected to continue to rise, and employers have had to adapt in countless ways. One significant change has been in how employers manage privacy issues within their newly remote-based organizations.
Privacy has been a hot topic during COVID-19. Much discussion has taken place on the issue of securing privacy rights during a world health emergency, such as the use of personal information by governments or private-sector organizations related to public health (see an IPilogue article on privacy and big data during COVID-19 here).
However, maintaining privacy within the workplaces isn’t sparking as much debate. This transition towards remote working presents unique challenges for employers and experts suggest that organizations re-visit existing privacy policies to ensure breaches of personal information does not happen at home or wherever a remote worker may connect to the workplace. The lack of preventative security controls that only an office may provide is a significant concern. Remote working might have employees use public Wi-Fi, which can lead to potential hackers having access to the company’s private information. Some employers may not have the resources to supply workers with work computers. Some may even be more inclined to switch to their personal computer from time to time for work-related tasks at home or on the go. This can lead to a privacy breach, as personal computers do not include all the intricate protocols and security systems work computers would have within their network. Having other people in a coffee shop have the ability to see what you are typing, or simply forgetting your work computer at a relative’s house are also dangers that risk privacy breaches.
- Be Accountable. Comply with the fair information principles and develop a privacy management program that adapts to remote-working environments.
- Identify the Purpose. Find out and document the reasons why personal information is being collected before or during collection.
- Obtain Consent. It is reasonable to expect that customers will understand the nature, purpose and consequences of collection in most cases.
- Limit Collection. Collection should not include personal information that isn’t necessary for its purposes.
- Limit Use, Disclosure, and Retention. Make sure personal information is stored in a secure way and used only for the purposes it is intended for.
- Accuracy. Minimize possibility of using incorrect information when documenting or disclosing personal information, and keep information up-to-date.
- Safeguards. Ensure that remote work environments do not risk breach of personal information, and protect information appropriately relative to its sensitivity.
- Openness. Make sure privacy management practices are clear for all remote workers.
- Individual Access. Allow individuals to be informed and be given access to their personal information.
- Challenging Compliance. Anyone may be able to challenge an organization’s compliance with these principles.
Written by Sebastian Romanutti, Osgoode JD Candidate, enrolled in Professors D’Agostino and Vaver 2020/2021 IP & Technology Law Intensive Program at Osgoode Hall Law School. As part of the course requirements, students were asked to write a blog on a topic of their choice.