According to Angus Reid Institute, only 36% of Canadians who are currently working from home expect to return to the office full-time once the pandemic is over. With remote work being the norm now, and perhaps for many in the foreseeable future, are your organization’s privacy programs and policies up to scratch? Now more than ever, it is critical that businesses and public bodies take measures to ensure the safety and integrity of their data.
We reached out to our in-house Privacy and Information Governance professionals, Joan Dunlop and Rick Klumpenhouwer, to get the answers to the most pressing privacy questions our clients are asking to secure their remote workforce and to consider while planning a return to the office.
Joan and Rick agree that you can start by thinking of the current state of work as a wake-up call to define and address the things you’ve always been required to do. This is the time to assess your entire program, keeping remote and in-office work in mind, to prepare you for your current state and what might happen in the future.
Q: When reviewing my privacy program for remote and in-office work, what are the top three things I should consider?
No matter where your work is being conducted, you need to take a high-level view of your overall privacy program and start asking and answering some basic questions:
- What are the legal and regulatory standards applicable to your organization? Do some digging and determine whether you are provincially or federally regulated in the public, health or private sector and then look to the legislation and other security standards in your jurisdiction for the rules you must follow. Those laws will be the basis for your policies, procedures, and staff training.
- Do you have a clear understanding of roles and responsibilities when it comes to privacy in your organization? Find out who the Privacy Officer is (Surprise! It might be you!) and what, if any, privacy responsibilities have been assigned to anyone else. Then make sure those individuals know what they are expected to do and provide them with good training and support.
- Do you have a good sense of what sensitive personal and business information you really have, where it is, and what people are doing with it? Find out if there is a listing of personal information holdings or at least a good retention schedule that might help you determine what records you have and how they are being managed. It’s tough to protect something if you don’t know what or where ‘it’ is!
Q: What are the fundamental measures I can implement to mitigate the privacy and security risks associated with remote work?
Managing information in any setting can be tricky, but no matter where ‘work’ happens, there are some basics to be covered:
- Policies – Are your privacy and information security policies up to date, and are they applicable to remote and in-office work? Review yours, taking into consideration the most widely accepted information security standards and protocols that include physical, technical and administrative safeguards; amend and update what you have; and then roll out your shiny new versions.
- Training – Staff should be trained on the policies and procedures that teach them how to manage sensitive information in any setting and help them recognize and respond to malicious attacks and accidental breaches. Teach them how to assess their home office for security risks and give them the tools they need to mitigate those risks.
- Resources – Do your system capabilities match your employees’ functions and responsibilities? Take a good look at how employees access your systems and information, and ensure Virtual Private Networks (VPNs), document sharing sites (SharePoint, Dropbox), and applications for virtual communication (think Zoom) are secure, and are easy to access and use. And then teach people! If your employees don’t understand or trust the technology, they are much more likely to skip it altogether, save information on less secure local drives and devices, or use personal networks, email, or apps to communicate and share information. Not good.
Q: Are there any new security threats remote workers need to be aware of?
Even when you have the basics managed well, remote work will require some extra precautions.
There are very real security threats from both internal and external actors whenever you are working with internet-based network transmissions. Because it is a public network, protection of the information and information assets accessed through the Internet is, by and large, not a default setting – it requires active intervention. That means you need to actively manage and maintain firewalls, VPNs, encryption regimes, and good staff practices. There have been improvements in the last 10-15 years among the major office and social media platforms, but the use of the Internet remains an active concern and will always be one of your most complex risks.
Of course, all of this was a threat when we were working from the office. But now many employees are more frequently forced to use new devices, portals and applications designed to communicate, collaborate and transmit data remotely. These must be configured to meet the same security standards as when information and systems were accessed by workstations at the office. And there have been big missteps – some applications (not mentioning any names….Zoom!) were clearly unprepared to meet the security requirements of remote workplaces.
And to make things more complicated, remote workstations are much more difficult to secure when we’re talking about computer output, local caching and storage, and unauthorized access and viewing. Many employees had to ‘MacGyver’ together workstations quickly wherever they could – often in physical spaces at home that were far from secure.
Are there more phishers and hackers lurking to take advantage of this confused state of network and system security? Most certainly, so teach your employees how to recognize and respond to those kinds of attempted intrusions. But what is the biggest and most constant threat? Accidental security breaches by our employees. And unfortunately, the chaos in your new and hastily created satellite offices, unless properly managed, will increase the chances of suffering those breaches.
So, the bottom line? We can’t say it enough – be sure to provide the hardware, software, policy and training your employees need to upgrade their home office to your established standards. Oh, and be sure your ‘usual’ office spaces meet the same standards once you get back there!
Q: Can I monitor who has access to data and applications, and monitor what they’re doing with them?
Let’s keep in mind that the rules for monitoring employees and their activities are no different in a remote work setting than in an office setting. You have to get a firm grip on the rules for collecting, using and disclosing information in your jurisdiction and apply those to any kind of employee monitoring. Generally speaking, you can monitor for authorized access and use of information, not for things like employee performance – as tempting as all our technology makes that kind of thing!
What does that mean? You should absolutely be setting and monitoring access controls very thoroughly and carefully by asking: what information does each of my employees need to do his or her job? Appropriately armed with that knowledge, you must ensure each employee’s access to systems (databases, applications) and information (files, documents) is granted according to their role, and at times individual circumstances and cases for use. Then spread the word! Each employee needs to understand his or her assigned and authorized level and type of access.
How can you be sure everyone is following the rules? When you have systems or directories containing a lot of personal information, such as Human Resources Management or Electronic Medical or Dental Records systems, you can and should be keeping audit logs of individual user access. This will tell you who accessed what and when. However, these are only effective when they are reviewed and monitored.
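The two answers above (grant access by role, then actually review the audit logs) can be tied together in a small review script. The following is an added example, not Cenera's code; it assumes a constructed role policy, user directory and a simple key=value audit log format, which you would swap for your HR or records system's real export.

```python
"""Check audit log entries against role-based access rules.

Added illustration (not Cenera's code). The policy, user directory and
log format below are constructed assumptions for the example.
"""
import re

# Constructed policy: which systems each role is authorized to access.
ROLE_ACCESS = {
    "hr_advisor": {"HRMS"},
    "clinician": {"EMR"},
    "privacy_officer": {"HRMS", "EMR"},
}

# Constructed user directory: user id -> assigned role.
USER_ROLES = {"jdoe": "hr_advisor", "asmith": "clinician", "rklum": "privacy_officer"}

# Constructed audit log lines: "who accessed what and when", in an assumed format.
SAMPLE_LOG = """\
2021-03-02T09:15:00 user=jdoe system=HRMS action=read record=emp-1042
2021-03-02T09:20:11 user=asmith system=EMR action=read record=pt-7781
2021-03-02T10:02:45 user=asmith system=HRMS action=read record=emp-1042
2021-03-02T11:30:09 user=ghost system=EMR action=export record=pt-7781
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) system=(?P<system>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def review_access_log(log_text, role_access=ROLE_ACCESS, user_roles=USER_ROLES):
    """Return (timestamp, user, system, reason) for each entry not authorized by role."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # a log line you cannot parse is itself worth a look
            findings.append(("?", "?", "?", f"unparseable line: {line!r}"))
            continue
        user, system = m["user"], m["system"]
        role = user_roles.get(user)
        if role is None:
            findings.append((m["ts"], user, system, "user not in directory"))
        elif system not in role_access.get(role, set()):
            findings.append((m["ts"], user, system, f"role '{role}' not authorized for {system}"))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed sample, it reports the clinician reading an HR record and an account that is not in the directory at all; the authorized entries produce no findings.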
We get it, privacy and compliance can be complicated. Let Cenera make it simple.
If you’re interested in learning more about building or updating a privacy program that protects sensitive data and earns the trust and loyalty of clients, no matter where you’re working, book a consultation. Call (403) 290-0466 today!