26 March 2020
Workplace “Privacy Tips” during COVID-19
UPDATE: On March 26, 2020, the B.C. Minister of Citizens’ Services signed an order under the authority of the Freedom of Information and Protection of Privacy Act, permitting the disclosure of health information by health care bodies and public bodies in certain circumstances related to COVID-19.
Health care bodies may make disclosures for the purposes of the following in connection with COVID-19:
- communicating with individuals;
- supporting public health responses; or
- coordinating care.
Public bodies are also permitted to disclose information through the use of third-party tools and applications if doing so supports operations and public health requirements related to COVID-19.
While the order does not directly speak to those in the private sector, it reflects a general direction from the authorities in balancing individual privacy interests against the broader interests of protecting community health during emergency times. All employers are encouraged to keep apprised of changes in this area to better understand how to develop good and current policies with these interests in mind.
The COVID-19 pandemic has swept the globe and claimed its spot at the forefront of public consciousness. Amidst the avalanche of concerns sparked by the virus and ensuing public health emergency, some issues might be momentarily drowned out by the noise, but are no less important. One such issue centers on the right to privacy at the workplace.
Privacy issues relating to COVID-19 include disclosures about health status and travel history, in addition to issues that arise when workplaces transition from “in-person” to “virtual”.
The following is an overview of workplace “Privacy Tips” in the age of COVID-19. Employers may wish to review these tips and seek guidance on incorporating them into a comprehensive workplace policy, updated to reflect their particular industry and the current pandemic.
1. Be aware when disclosing health status or travel history
Employees have privacy rights with respect to their personal information, such as their health status and recent travel history. On the other hand, an employer has a duty to maintain a safe workspace and notify employees of possible contact with someone with a COVID-19 diagnosis or recent high risk of exposure. As a result, disclosure of an employee’s information to promote safety must always be balanced with that employee’s privacy rights.
Employers should ask: “What is really necessary to keep the workplace safe while minimizing disclosure?” Employers should only use or disclose personal information that is reasonably necessary in order to prevent or manage COVID-19 in the workplace and refrain from disclosing more than is necessary.
2. Obtain consent before sharing personal contact information
During this time, and to facilitate work from home, employees may be asked to share their personal contact information, such as personal phone numbers or e-mail addresses. An employer may consider collecting this information, perhaps to circulate amongst employees as an internal contacts list. If so, the employer should always advise the employees in advance that this is being done and give them time to lodge any objections to the disclosure of their information.
Employees should be assured that their information will only be used for business purposes, during business hours, and where other methods are ineffectual. Further, the information should be deleted or withdrawn from circulation once it’s no longer necessary to keep on file.
3. Set up passwords
Employees who work remotely will be logging into various devices (e.g. phones or laptops) to carry out their work duties. These may be personal devices or other devices provided by the employer. In either case, all devices that are used for work should be adequately protected. When work is done off-site rather than on-site, employers have less control over the security of the devices used and should put measures in place to protect it, such as requiring strong passwords for access to any work-related accounts, files, or any other information as appropriate.
Employees who are permitted by their employer to use a device for both work and personal purposes should also be extremely cautious. For example, many applications these days ask for access to accounts during the initial set-up. Ensure that such access is authorized and will not put workplace security at risk.
Depending on the nature of the work, it may also be wise to require passwords for certain communications, such as password-protecting files being emailed externally.
4. Ensure that files are stored privately and securely
Employers and employees alike should be mindful of the way they are storing files at home. This may involve reviewing third-party arrangements for cloud storage and understanding the terms and conditions, as well as the security and location of the server where files are ultimately uploaded. Where work involves physical files, employers should remind their staff of security measures they could take, such as refraining from leaving files in exposed areas (e.g. in a public place or in plain view in a vehicle).
A good workplace policy would also address the responsibilities of each party in ensuring that files, whether electronic or physical, are stored securely.
5. Ensure that files are accessed privately and securely
On a related note, employees should refrain from accessing work-related information on public computers or networks (e.g. public Wi-Fi), as doing so may not only jeopardize the privacy of workplace information but also expose the employer to risk.
6. Be mindful of the potential for privacy breaches when using technology
COVID-19 struck at a time when the global population has access to a myriad of sophisticated technologies. While new technologies greatly facilitate workplace communications and collaboration, they also come with some pitfalls, including potential privacy breaches.
For example, some video conferencing technologies designed for business use have features that may deploy “surveillance”-like functions. This could involve monitoring someone’s computer while they are on a conference call, and tracking what other applications are open. If this is done without an employee’s consent, that may raise significant privacy concerns that expose the employer to liability.
Employees should also be mindful of the security of their personal data when they sign up for third-party services used in the remote workplace.
Another related concern is the privacy of workplace data when employees have other “Smart” devices at home. For example, employees may have personal devices that are enabled with Amazon Alexa or Google Home (which are constantly “listening” and responding to voices). In that case, as a precaution, employers may consider asking their employees to turn off these devices while working and during business hours.
Sarah Hentschel is a Senior Associate in our Litigation & Dispute Resolution Group, and focuses on Workplace and Privacy Law.