Working Remotely during COVID-19 and its Privacy Risks

As our global society experiences the second wave of COVID-19, it is likely that workers will continue to work remotely and will not be returning to their offices anytime soon. The number of remote working options spiked in May of 2020, increasing the number of jobs done from home in Canada to 3.3 million more than usual. The number of remote jobs is expected to continue to rise, and employers have had to adapt in countless ways. One significant change has been in how employers manage privacy issues within their newly remote-based organizations.

Privacy has been a hot topic during COVID-19. Much discussion has taken place on the issue of securing privacy rights during a world health emergency, such as the use of personal information by governments or private-sector organizations related to public health (see an IPilogue article on privacy and big data during COVID-19 here).

However, maintaining privacy within the workplace isn’t sparking as much debate. This transition towards remote working presents unique challenges for employers, and experts suggest that organizations revisit existing privacy policies to ensure breaches of personal information do not happen at home or wherever a remote worker may connect to the workplace. The lack of preventative security controls that only an office may provide is a significant concern. Remote working might have employees use public Wi-Fi, which can lead to potential hackers having access to the company’s private information. Some employers may not have the resources to supply workers with work computers. Some workers may even be more inclined to switch to their personal computer from time to time for work-related tasks at home or on the go. This can lead to a privacy breach, as personal computers do not include all the intricate protocols and security systems work computers would have within their network. Other people in a coffee shop being able to see what you are typing, or simply forgetting your work computer at a relative’s house, are also dangers that risk privacy breaches.

Therefore, it is important to revise privacy policies within one’s workplace, since remote working has become entrenched in today’s workforce. The one-stop shop for familiarizing oneself with or refreshing privacy policy in any organization in Canada is the Privacy Commissioner’s website, which offers recommendations on best practices. Employees may start by re-acquainting themselves with best practices under relevant federal legislation such as the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA sets out ground rules for how Canadian businesses must handle personal information (the Privacy Act, on the other hand, only applies to government bodies and their handling of private information). Some provincial privacy legislation may deviate slightly from federal laws, so if one’s organization handles cross-provincial employees, clients, or customers, it is important to be mindful of the possibility of a tort action through either the common law in some provinces, or statutory torts under others’ Privacy Acts. Alberta, British Columbia, and Quebec have their own private-sector laws that are substantially similar to PIPEDA, but only British Columbia, as well as a few other provinces like Manitoba and Saskatchewan, have adopted statutes which have created a tort of invasion of privacy. Ontario, for example, has introduced a common law cause of action for the tort of intrusion upon seclusion through the Court of Appeal as recently as 2012.

A good place for any Canadian organization to start refreshing its privacy policy is by revisiting PIPEDA’s Fair Information Principles, which summarize an organization’s responsibilities and how they may be fulfilled during COVID-19:

  1. Be Accountable. Comply with the fair information principles and develop a privacy management program that adapts to remote-working environments.
  2. Identify the Purpose. Find out and document the reasons why personal information is being collected before or during collection.
  3. Obtain Consent. It is reasonable to expect that customers will understand the nature, purpose and consequences of collection in most cases.
  4. Limit Collection. Collection should not include personal information that isn’t necessary for its purposes.
  5. Limit Use, Disclosure, and Retention. Make sure personal information is stored in a secure way and used only for the purposes it is intended for.
  6. Accuracy. Minimize possibility of using incorrect information when documenting or disclosing personal information, and keep information up-to-date.
  7. Safeguards. Ensure that remote work environments do not risk breach of personal information, and protect information appropriately relative to its sensitivity.
  8. Openness. Make sure privacy management practices are clear for all remote workers.
  9. Individual Access. Allow individuals to be informed and be given access to their personal information.
  10. Challenging Compliance. Anyone may be able to challenge an organization’s compliance with these principles. 

Written by Sebastian Romanutti, Osgoode JD Candidate, enrolled in Professors D’Agostino and Vaver’s 2020/2021 IP & Technology Law Intensive Program at Osgoode Hall Law School. As part of the course requirements, students were asked to write a blog on a topic of their choice.