The OIPC has received questions from organizations in all sectors about how to manage records or personal information when transitioning staff to work from home.
Whether staff should be permitted to take different types of records home is a decision for each organization to make independently. Each organization will best understand its own circumstances, and will need to weigh the need for staff to have access to different types of records with the associated risks to privacy and possible mitigation strategies to safeguard records.
To assist organizations in all sectors, the OIPC has listed some points to consider. The list is non-exhaustive. There may be other circumstances, procedures and risk mitigation strategies relevant to each organization. The list below primarily relates to paper records, although some of the points are relevant to digital work environments:
- No staff member should be given access to records or personal information that they would not normally be given access to within the work environment.
- Limit the records or personal information being taken by a staff member to only what is necessary to support the staff member for a finite period of time.
- Ensure the records or personal information are transported in a secure container. Do staff have office-issued laptops that are encrypted and can the relevant records be scanned and saved to the laptops? Paper records should be secured in a locked bag.
- Under no circumstances should the locked bag, laptop or other secure container be left in a personal vehicle. Require staff to drive straight home, with no stops (e.g. no picking up groceries).
- Upon arrival at home, the records or personal information should be immediately placed in a secure area within the home, such as a locked filing cabinet, desk drawer or office. No other member of the household should be able to access the records or personal information.
- Ensure the records or personal information are not stored on personal (i.e. not issued by the organization) computers or devices. (All office-issued laptops or other portable devices should be encrypted.)
- Any electronic transmission (e.g. email) of records or personal information should be secured through encryption with procedures for the recipient to receive the encryption password by different means (e.g. by phone).
- Organizational records management policies should address the creation, retention and ultimate custody and control by the organization of any new records created by staff while working from home.
- Return the records or personal information securely to the workplace as soon as they are no longer needed.
It is up to each organization to determine whether the processes established apply to all or some of the records staff typically have access to in their work environments, which may depend on the sensitivity of the records or personal information at issue.