Privacy in the Workspace

Procedure

Category: Privacy
Subject: Privacy in the Workspace
Division: Human Resources and Corporate Services
Procedure Number: CA.58.02.105
Effective Date: August 1, 2015

PROCEDURE

Employees must effectively secure work processes during the work day and at the end of each working day to ensure that confidential information, both paper and electronic, is safe and secure, preventing any unnecessary privacy breach from occurring.

In the office, employees must develop a clean workspace process during the work day and at the end of each working day to ensure that confidential information, both paper and electronic, is safe and secure. Employees must ensure that their workspaces are clean, filing away all work related documents and confidential information. Computers and laptops should be turned off, all filing cabinets and drawers should be locked.

Employees working in the community, home visitors, inspectors, and clinical staff must ensure documentation is secure at all times during travel and when completing specific duties.

Clear Workspace

Reception:

  • The reception desk can be particularly vulnerable to visitors. This area should be kept as clear as possible at all times; in particular, personal or personal health information should not be kept on the desk within reach or sight of visitors.
  • Any visitor logs, appointment or message books should be stored in a locked area when not in use.

Individual workspace:

  • When an employee leaves their workspace for breaks or to attend meetings, etc., confidential materials should be placed in a lockable drawer or filing cabinet.
  • The screen lock functionality ‘Ctrl-Alt-Delete’ should be used to lock computers when away from the desk or office.
  • Keys, including desk, filing cabinet, or office door keys, should not be left in obvious places.
  • Confidential information should not be stored in boxes under employee’s desk; it must be in a locked area.
  • Employees with offices must ensure confidential, sensitive information is filed and locked away.
  • Post-it notes containing names, phone numbers, user names and passwords should not be visible in plain view.
  • Where practically possible, paper and electronic data storage devices should be stored in locked cabinets or drawers when not in use especially outside working hours.
  • All documents must be returned to the proper filing cabinet or drawer at the end of the day and ensure cabinet/drawers are locked.

Printers/copiers/faxes/shredding:

  • Confidential, sensitive or classified information, when printed, should be picked up and cleared from printers/copiers immediately.
  • The “private print” function should be used on printers where possible.
  • Documents from printers/copiers and faxes should be picked up in a timely manner; check the machines to ensure all originals and copies have been picked up. 
  • Shredding facilities or other confidential means should be used to dispose of unwanted copies.  Records containing personal information should always be placed in the shredding box and never placed in the recycling bin or the garbage.
  • Each department should assign an employee to pick up documents for the department from fax machines, and printers at the end of the day to ensure no confidential information is left in plain view. 

Meeting rooms:

  • After using a meeting room, all materials and information from tables, whiteboards and flipcharts must be removed.
  • At the end of a meeting, the organizer must ensure that conference calls are terminated, videoconference equipment is turned off, and the microphone is muted.

Electronic Privacy:

  • Employees must ensure that electronic devices being used are protected as per policy. If they are not, the employee must contact the IT Department to receive a protected device.
  • Electronic documentation should be used whenever possible to reduce the opportunity for paper documents to be left in open view.
  • Passwords should not be shared with anyone.
  • Passwords should be changed frequently.
  • Diskettes, CD’s, USB drives and other electronic media should be treated the same as paper documents and provided with appropriate security, e.g. stored in locked cabinets, electronic password protection, and ensuring they are encrypted.
Working in the Community

Prior to taking confidential information out of the office:

  • Consider alternatives to storing confidential information on mobile devices. Determine if it is possible to access the confidential information needed on a server via a protected remote connection, such as a secure website or a Virtual Private Network (VPN).
  • Remove as few records containing confidential information as possible.  Instead of accessing the entire database, only the subset of records that are needed to work with should be taken, e.g. records for client visiting.  Consider multiple ways to protect the confidential information. If data will be moved to a portable device such as a USB key or laptop, can sensitive fields (such as health card numbers, social insurance numbers or bank account numbers) be removed altogether?  Can the data be made anonymous?
  • A lockable briefcase or laptop case that does not bear visible WDGPH logos should be used.  A card stating “if found, return by calling [phone number]” should be left inside the briefcase or bag, with no other identifying information.

Passwords and encryption:

  • All devices must be protected with passwords:  power-on passwords, screensaver passwords, account passwords.
  • Strong login passwords are comprised of at least eight characters, with 14 or more being ideal.  These should include a combination of upper and lower case letters, numbers and symbols (such as %, &, or #), rather than dictionary words. 
  • Do not use passwords that are predictable, such as birthdays, spouse’s name or favourite sports team, or easy-to-guess combinations of dictionary words, such as frequently used LEtMeIn.  Instead, base a mixed, multi-character password on a phrase or favourite song, book title or TV program.  E.g., My favourite show is 24 on Tuesdays at 9 can become the password: Mfsi24oT@9.
  • If confidential information must be stored on a mobile device, the date must be encrypted and the device password-protected. On its own, password protection is not sufficient. Strong encryption and layered security measures are a must.
  • Protect passwords and encryption keys by:
    • Not writing them down or storing them on the device;
    • Reviewing other options, such as innovative programs from some PDA’s (signature-based, or tapping a certain point on a picture), as alternatives to having to retype your password.
  • Enable the automatic lock feature of a device after 5 minutes or less of idle time.

Wireless security:

  • When using mobile devices featuring Bluetooth technology, security is increased if:
    • Set device so Bluetooth is “off” by default.  Turn it on only when necessary;
    • Keep devices set to “non-discoverable”;
    • Use as many characters as possible for a Bluetooth PIN;
    • Set electronic device preferences in a private location.
  • Only conduct confidential work on controlled mobile devices.  Do not use public computers or networks – or work on confidential material in public places. Even when doing non-confidential work on public wireless networks, Wi-Fi or “Hot Spots” in airports, hotels, coffee shops, public libraries, etc., consider the following points:
    • These networks are inherently open and unsafe.  Data transmitted by a device across the open airwaves can easily be picked up and read by another device;
    • Be aware of shoulder surfing;
    • Never connect to two separate networks (such as Wi-Fi and Bluetooth) simultaneously, which turns a computer into a bridge or access point.
    • Do not carry out confidential work unless using an encrypted link (such as a Virtual Private Network – VPN) to the host network.  Otherwise, any information sent or received travels in plain view, accessible to anyone.  This premise applies to web browsing, e-mail and Instant Messaging.
    • Set the device so Wi-Fi access is “off” by default.  Turn it on only as necessary.
    • If in doubt, DON’T turn on the Wi-Fi access.
  • Do not leave devices containing confidential information in a vehicle. (If it absolutely cannot be avoided, lock them in the trunk before starting the trip, not in the parking lot of the destination or a stopover.  If the vehicle has no trunk, leaving the device in the vehicle is not a secure option.
  • When carrying portable devices, make it a point to go through a quick checklist of belongings when leaving: a cab, hotel room, meeting place, airplane, or restaurant.
  • Secure mobile devices at all times.  Use a cable lock with an audible alarm when not working on them, or lock them away when not in use.
  • If, despite all precautions, a device is lost or stolen, report the loss immediately to the police and WDGPH. If unsure that the confidential information was adequately protected, report this as a potential privacy breach.

RESPONSIBILITIES

Management will:
  • Ensure employees adhere to this policy;
  • Ensure best practices for clear workspace are being followed; and
  • Monitor policy compliance on a regular basis.
Employees will:
  • Adhere to this policy;
  • Ensure workplace is clear and computers are not accessible when not in use;
  • Practice safeguarding methods and behaviours to maintain all confidential information; and
  • Follow procedures to prevent breaches from occurring.

DEFINITIONS

Removable Devices – Laptops, tablets, USB sticks, computer keys/fobs, playbooks, recorders, and BlackBerrys.

REFERENCES AND RELATED FORMS, POLICIES AND PROCEDURES

Corresponding Policy:  N/A
CA.58.01.100 and CA. 58.02.100 Privacy Governance

CONTACT FOR INQUIRIES

Director, Human Resources and Corporate Services 

APPROVED BY

Director, Human Resources and Corporate Service