Virtual Workplace Confidential (Making a Practice of Privacy in the Remote Era)

Jason McRobbie

YOU’RE INVITED to a complimentary Master Class with Canadian researcher Dr. Gillian Mandich. Learn the science behind happiness, how to incorporate small bursts of joy into each day, and how your wellbeing influences others. Register now for this exclusive webinar.

Despite workplaces closing shop overnight in March 2020 to reopen the next day in home offices, kitchens and living rooms across B.C., nothing has actually changed in the laws governing confidentiality or privacy rights in the remote era. As Keri Bennett, a partner with Roper Greyell LLP explained to us, good faith has gone a long way to maintaining the balance of trust, but lax practices can settle in with the growing fatigue. Fortunately, she also had a few great tips.

Key Takeaways:

  • Leaders need to be aware that while the era of remote work has brought a plethora of privacy concerns, B.C.’s PIPA and the federal PIPEDA remain unchanged.
  • Leaders are putting a lot of good faith in employees, but need to back that up with policy, training and reminders.
  • Privacy Minute Updates can help ensure vigilance and combat Covid fatigue.

Learn the top methods that HR teams are using to recruit top talent including the best way to avoid bias, how to dig deep in the right places, and more! Click here to download it now.

The World has Changed, Not the Privacy Laws

While B.C.’s Privacy Information Protection Act (PIPA) has been under review, nothing has actually changed, yet—except for everything else in a world of work now redistributed in neighbourhoods countrywide.

“In the private sector, in B.C., the legislation has not changed. The general PIPA principles remain the same, although we’re in the process in B.C. of awaiting possible changes,” said Keri Bennett, a partner at the Vancouver-based Roper Greyell LLP, while pointing out how the federal privacy laws apply for many industries as well.

“Organizations that are collecting personal information are subject to federal or provincial privacy laws. Private sector organizations collecting information across borders may be subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) that applies to commercial activities ranging from retailers working nationally to tech companies collecting information nationally, etc,” Keri explained. So, if we are looking at employees within the province, we are looking at B.C.’s PIPA. If we are looking at a tech company’s collection of customer information across the country, then it’s going to be PIPEDA.”

Formed in 2006 from the merging of two leading employment and labour law practices, Roper Greyell is a leader in workplace law—and the past two years have brought Keri’s counsel on privacy and confidentiality to the virtual table time and again.

Employers Taking A lot on Faith and Trust

“In terms of the employment relationship, the sudden shift to home has had a definite impact on the protection of business information and the protection of employees’ personal information,” said Keri, while noting the tech sector had an easier transition than other industries simply the virtue of already having stronger technological security in play.

“I think all industries still have had to consider a broader scope of issues around confidentiality when we’re looking at employees working on confidential issues in their home space, which are not set up for the protection of business confidential information, privacy of clients and customers or the privacy of other employees.”

Knowing the parameters of privacy rights is one thing. Asking the right questions has been key—along with creating the culture trust to make the answers work.

“All organizations have had to think about, “How are we going to protect confidentiality and privacy while facilitating work from home? And how do we make sure people are actually following through when we are not in the room to see what is happening?” said Keri. “Employers are putting a great deal of faith in their teams.”

“Companies are trusting that they have a strong team of professionals who know their responsibilities. They explain the problem, their responsibilities, the legal and professional requirements and what is expected of employees. Then they have established check points, they touch base and various firms even send out regular ‘Privacy Minute Updates’ to keep people vigilant.”

Tech and People Network is a unique peer learning network for People and Culture professionals in Canada’s tech sector. We provide tech sector data, mentors, industry experts and an inclusive peer community. Become a member today!

Tips for Maintaining Remote Privacy

Knowing what is right and remembering it in the moment after two years of business as unusual has not only kept Keri busy, but encouraged the focused tips to follow.

“I think we are all tired and the truth is that we need reminders,” Keri said, providing a list of four essentials for companies looking to escape undue high school confidential dramas and/or complaints to the Commissioner’s office. “I have had an increased number of complaints on my desk arising from communications that could have been considered “common sense.”

  1. If any organization has not yet updated their policy to address remote work—business confidentiality, along with client and employee privacy—that should be the immediate priority;
  2. If training has not happened, make sure that it does;
  3. Organizations need to apply a rethink to how they handle sensitive and confidential information without the privacy of a boardroom setting; and
  4. Organizations need to consider who receives what level of detail and balance transparency with protection;

The Balance Between Transparency and Obligation

“One thing that is great about the tech industry is the transparency and the desire for open conversation about what is going on in the company, but it can be harder to be sure we are protecting those legal lines that still exist relating to customer and employee privacy,” said Keri.

“This is where we come back to the tension between culture and transparency versus a legal requirement to protect the privacy of the employee—sensitive conversations about accommodations, discipline, litigation, ensuring you protect privilege over legal communications, and so on,” said Keri. “For example, slack channels. Who gets the notice about terminations and the rationale for terminations? People are sharing more and more by some form of instant messenger, so organizations need to be asking, “Who needs to receive what level of detail?”

For those who find much of the above to fall into the common sense category, Keri agrees, but cartons with a caveat. “I think that we are seeing a high rate of burnout in all industries and with fatigue comes inadvertent slips. Our vigilance can be down and I end up managing complaints that really should fall under common sense.”

Vigilance aside, we pondered in conversation, is there such a thing 100 percent security in a remote work scenario?

“That’s a great question. From the security aspect of access to networks, I am your friendly neighbourhood privacy lawyer, so I would defer to a company’s security experts on that point, but from a privacy law perspective companies are required to implement appropriate technological safeguards to protect personal information,” said Keri. “When you have people at home working in their living rooms, you are accepting a certain level of risk around your corporate information because you don’t have control over who’s walking into the room.”

Taking OH&S to Home and Heart

That said, Keri reminds employers they do have not only the right, but an obligation to visit that living room—virtually or otherwise—to ensure it meets safety standards.

Oddly, while every employer is acquainted with WCB’s employer requirement of providing a safe workplace, not all of the dots have been connected considering the physical and psychological safety of the remote workplace.

“They actually have an OH&S obligation to check on employees and ensure a safe work space,” said Keri. “That obligation can actually be met by asking for a written report on the workspace, but in some cases a visit might be required. “

Aside from the OH&S, Keri encourages companies to keep vigilance honed with a focus on training and reminders to balance out the act of faith. She also leaves us with some great questions for a Privacy Minute Update to take to the heart of the remote workplace:

  • When you are having online meetings, who is in your workspace?
  • Where are you situated in your home?
  • Who can hear you? Who is walking by your screen?
  • Do you have headphones on?
  • Do you sign out when you leave the computer?
  • Do you fully sign out at the end of the night?
  • Do you ensure no one has access to the system?
  • Are you ensuring you are not discussing company information with anyone else not an employee of the company—and that can include information about company, client or customers, as well as any other employees?”