Out of office tips and tricks
It’s not always possible to get all your work done in eight hours. Sometimes taking work home is unavoidable. But whenever personal information is accessed outside of the office there is an increased risk that it could be lost or compromised. Public bodies and private organizations must keep paper and electronic records safe and secure as required by the Freedom of Information and Protection of Privacy Act (“FIPPA”) and the Personal Information Protection Act (“PIPA”).
Whether you are travelling by bus or air, or working from home or a remote location, and whether you use a laptop, USB stick, smartphone or tablet to access personal information outside the office, here are some common-sense steps to help safeguard the data.
Taking records out of the office
There are a number of things you can do to protect personal information you remove from your office:
- Ask yourself if it is truly necessary to remove personal information from the office.
- Take the least amount of personal information you need and leave the rest behind.
- Check to see if you need management approval before removing records from the office. Your organization should have a sign-out sheet that includes your name, a description of the records, the dates the records were removed and the name of the manager who approved their removal.
- Encrypt any electronic device that stores personal information. This includes but is not limited to home computers, USB flash sticks, laptops and smartphones.
- Don’t use your personal email as a means to transfer records containing personal information for work purposes. (Refer to the OIPC’s Use of Personal Email Accounts for Public Business document for more detailed guidance.)
Working remotely with personal information
- Use your organization’s VPN (Virtual Private Network), if available, to more securely send and receive data.
- Log off or shut down your laptop or home computer when you are not using it.
- Be aware of your organization’s Bring Your Own Device guidelines when using your own laptop, smartphone or other device away from the office.
- Set the automatic logoff to run after a short period of idleness.
- Don’t share a laptop used for working with personal information with other individuals, including family members and friends.
- When records aren’t being used, store them in a locked filing cabinet or desk drawer that only you are able to access.
- Avoid sending the personal information of clients, employees, or citizens by email or fax from public locations.
- If you are using your own device for work purposes, make sure you understand and follow your organization’s BYOD (bring your own device) policy.
- If personal information is stolen or lost, immediately notify your supervisor and the person responsible for privacy compliance in your organization or public body, file a police report and notify the Office of the Information and Privacy Commissioner. Your organization or public body should consider notifying the individuals whose personal information has been stolen or lost, telling them the kind of information that has been compromised and the steps that are being taken to recover it.
Check out our guidance documents Protecting Personal Information Away from the Office and Bring Your Own Device Program Tip Sheet for more suggestions.