Working with Privacy in mind from home
Most people were not working from home prior to the pandemic, however a shift has occurred and more people are working from home most of the time or occasionally depending on their situational circumstances. If you have fully transitioned to a home office or if you on occasion find yourself at your home office, there are things you need to know about managing records.
The OIPC released, in April 2020, a resource which focuses on Managing Records When Transitioning from Work to Home, found here due to the number of questions they received from organizations in all sectors about how to manage records or personal information when transitioning staff to work from home.
Each organization needs to independently make decisions on whether or not staff should be permitted to take home different types of records. This is due to each organization knowing which legislation they are working within and knowing their own circumstances best. They will also need to answer, with justification should the need arise, “Was the information transitioned from work to home because it was necessary for the purposes of work and furthermore, was it on a ‘need to know’ basis?” Ultimately, there are associated risks to record privacy and proper mitigation strategies are required to safeguard all records.
To help Alberta’s organizations across all sectors, the OIPC has listed some points to consider. The list is non-exhaustive.
From the Article: “The list below primarily relates to paper records, although some of the points are relevant to digital work environments:
- No staff member should be given access to records or personal information that they would not normally be given access to within the work environment.
- Limit the records or personal information being taken by a staff member to only what is necessary to support the staff member for a finite period of time.
- Ensure the records or personal information are transported in a secure container. Do staff have office-issued laptops that are encrypted and can the relevant records be scanned and saved to the laptops? Paper records should be secured in a locked bag.
- Under no circumstances should the locked bag, laptop or other secure container be left in a personal vehicle. Require staff to drive straight home, with no stops (e.g. no picking up groceries).
- Upon arrival at home, the records or personal information should be immediately placed in a secure area within the home, such as a locked filing cabinet, desk drawer or office. No other member of the household should be able to access the records or personal information.
- Ensure the records or personal information are not stored on personal (i.e. not issued by the organization) computers or devices. (All office-issued laptops or other portable devices should be encrypted.)
- Any electronic transmission (e.g. email) of records or personal information should be secured through encryption with procedures for the recipient to receive the encryption password by different means (e.g. by phone).
- Organizational records management policies should address the creation, retention and ultimate custody and control by the organization of any new records created by staff while working from home.
- Return the records or personal information securely to the workplace as soon as they are no longer needed.”
- The onus is on each organization to determine the processes it will use to determine how records will be transitioned.
- Alberta is not alone, organizations around the country and world are facing new and unparalleled challenges related to the pandemic. Best practices need to be established during this unprecedented time.”
Iron Mountain has produced a document to help support organizations. Information Security and Records Management Best Practices for a Remote Workforce to assist you, it can be found here.