Securing Your Organization’s Information During Work-from-Home Arrangements

In response to the COVID-19 pandemic, organizations across Canada are beginning to implement work-from-home or remote access arrangements for their employees.

For a work-from-home arrangement to be successful, it is crucial that your organization and employees have agreed to and clearly understand the details of the arrangement. This is important to ensure that your organization can protect its confidential and proprietary information and satisfy various related legal requirements (such as privacy law requirements to implement appropriate safeguards for personal information and contractual requirements to protect proprietary information).

The Government of Canada has confirmed more than 600 cases of COVID-19 in Canada, and the numbers continue to rise. Saskatchewan, Ontario, Alberta and British Columbia have all declared states of emergency and six provinces have announced the closure of schools with likely more to come. As a result, companies are asking more employees to work from home to prevent continued spread of the novel coronavirus.

In some circumstances, circulating a memo or email from your organization may be a reasonable starting point. However, a remote access policy or telecommuting policy with appropriate acknowledgement from employees is preferable from a legal standpoint. Such a policy should address a number of matters including, for example:

  • How the organization will decide which employees are permitted to work from home and who the policy applies to.
  • A general description of the method of remote access and specific requirements.
  • Who will be responsible for costs associated with the set-up of a home office, insurance or travel expenses.
  • What is considered acceptable and non-acceptable use of the remote access system.
  • What responsibilities an employee has with respect to password and system protection.
  • The requirement for security measures such as not leaving devices unattended, using a secure web browser, having up-to-date virus protection, never forwarding work emails to a personal email address and ensuring that all connections to the internet are secure.
  • The requirement to report all incidents of non-compliance with the policy or any instances of loss or theft of information.
  • The potential consequences if an employee violates the policy.

In addition to adopting an appropriate policy, it is important to work with internal or external information technology professionals and service providers to ensure that the technology relied upon to facilitate work-from-home arrangements is up-to-date and secure, and that appropriate contractual protections are in place.

If your organization would like assistance in developing a remote access policy, our MLT Aikins Team would be pleased to assist.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.