Data protection while working from home

Many government and public sector organizations had to close their physical offices with little advance notice because of the public health crisis brought on by COVID-19. Staff, contractors, and volunteers are working from home, many in makeshift conditions that were never planned for or anticipated. This creates the potential for new risks to privacy, security, and access to information.

Although this is a challenging situation, Ontario’s access and privacy laws continue to apply. Public institutions must take timely and effective steps to mitigate the privacy and security risks associated with this new reality, while meeting legal requirements. See our guidance on Working from Home during the COVID-19 Pandemic.

What steps can my organization take to ensure the security of our data while working remotely?

We recommend that if you do not have privacy, security, and access to information policies related to working from home, you create them or adapt existing policies to reflect the unique features of the remote work environment.

You should clearly communicate your work-from-home policies to staff and include procedures to ensure:

  • secure remote access to networks, information and work accounts
  • appropriate technologies, software tools and resources are provided to staff
  • effective guidance on using email and other online means to communicate
  • secure home workspace environments
  • the security of paper records
  • record-keeping requirements are met (for access to information purposes)
  • prompt response to security incidents

It’s also important to train your staff to identify potential fraud, phishing scams, and other malicious cyberattacks and equip them with the skills to defend against them.

Our fact sheet, Protect Against Phishing, was published to help institutions and their staff protect themselves from phishing attacks, including while working remotely. The guidance provides advice on how to:

  • recognize phishing messages
  • protect against phishing attacks by adopting best practices
  • respond to a cyberattack and limit the damage

The pandemic has seen a sharp growth in COVID-19-related phishing and fraud scams. In episode one of the IPC’s Info Matters podcast, Don’t get caught! Protect yourself against phishing, Commissioner Kosseim talks to Fred Carter, a senior policy and technology advisor with the IPC, about the steps individuals can take to protect themselves and take control over their privacy.

Public institutions and healthcare organizations in Ontario should contact our office for advice and further guidance. If a successful cyberattack has occurred, public and healthcare organizations should contact our office for advice and additional guidance.

You can reach us at 416 326-3333, 1-800-387-0073 (toll-free), or @email or submit a privacy breach report to us using our online form.

Resources

 

Help us improve our website. Was this page helpful?

Note:

  • You will not receive a direct reply. For further enquiries, please contact us at @email
  • Do not include any personal information, such as your name, social insurance number (SIN), home or business address, any case or files numbers or any personal health information.
  • For more information about this tool, please see our Privacy Policy.