Records Management and Privacy Office

Records Management and Privacy Office
Records Management and Privacy Office

Working Remotely (PDF, 395 KB)

Working Remotely:  Access to Information, Protection of Privacy, and Records Management

With the current global pandemic ongoing, many Queen’s employees are for the first time working remotely. Some may find difficulty in completing tasks they used to do with ease in the past, in part due to new and different work environments. The shift to a home environment may involve using non-university resources such as private internet connections, personal telephones, and home computers.

The ability of the Queen’s community to adjust to this new work reality is laudable and shows employees’ adaptability, resourcefulness and commitment. What may not be top of mind is employees’ continued recordkeeping responsibilities, ensuring that records documenting university decisions and actions are created and retained, and that information is properly managed at all times. Good recordkeeping is accomplished by being forward thinking and by using the correct tools in an appropriate manner.

In accordance with the Freedom of Information and Protection of Privacy Act (FIPPA), Queen’s has a continued obligation of transparency and accountability to the Queen’s community and the general public who all have a fundamental right to access the university’s general records—about the university’s pandemic response or any other activity—and their own personal information.

Avoiding a privacy breach

The change in work routines not only introduces challenges in maintaining effectiveness and productivity, but also risks the potential for a privacy breach if physical and digital environments at home are not as secure as the ones provided to employees at their office. Queen’s University employees handle a wide array of personal, health, and other confidential information, and must do their utmost to ensure that their remote work environments offer the same level of protection as their work environments on campus.

If a breach of privacy occurs or is suspected, read and follow the privacy breach protocol and contact the Chief Privacy Officer as soon as possible.

Maintaining privacy and confidentiality

Queen’s University is subject to various regulatory and policy-driven requirements regarding privacy and confidentiality of information, including the Freedom of Information and Protection of Privacy Act (FIPPA), the Personal Health Information Protection Act (PHIPA), the Electronic Information Security Policy Framework, and the Records Management Policy. These requirements must continue to be met by Queen’s employees who are working remotely.

Remote workers are required take all reasonable steps to secure and maintain the confidentiality of Queen’s University information and records while they are being transported to and from an employee’s off-site workspace, and while the documents are stored at the off-site workspace regardless if the information is in physical or digital format. Records and information must be protected from being damaged, destroyed, stolen, copied or otherwise accessed by unauthorized individuals.

  • When remotely accessing records and information it is essential that employees use the Queen's Campus Virtual Private Network (VPN). Approved Queen’s VPN services are a safe and easy way to ensure a secure, remote internet connection to on-campus resources.
     
  • If files are accessed remotely it is important for employees to return the documents to their appropriate place of storage. If a file resides on a shared drive, it should be uploaded to that shared drive when an employee has finished working with it for the day.
     
  • If an employee receives documents or records via email it is essential that they file those documents in their departmental shared drive or departmental cloud repository and not leave the records isolated in their in-box.
     
  • Any device (such as a laptop, desktop, cellphone) used to perform university business must be encrypted. This includes personal devices such as a personal cellphone or home computer. Encryption protects against a data breach even if the device is lost or stolen. The Queen’s IT Support Centre offers a free encryption service to help faculty and staff encrypt their devices. Ensure that “Find my Device” is enabled or that the “Find My” app is installed so that in the event of a theft, the device can be located, locked, or erased remotely.
     
  • Queen’s employees working remotely must not allow anyone else, such as a spouse or child, to use devices that contain accessible work-related documents. In addition to being encrypted, devices must be password protected and those passwords are not to be shared with others, including family members. Screens should be set to lock when not in use. Employees should also be conscious of the visibility of their screen to other people in the remote workspace when accessing confidential university records and information.
     
  • With respect to hardcopy documents, employees must be careful about who can view them during the day, and store them away in a box or file folder when not in use. At the end of the day, lock them away in a cabinet or closet if possible.
     
  • When destroying transitory records, employees must take measures appropriate to the medium. Digital records may be simply deleted while non-confidential hardcopy records may be recycled. Ensure that confidential hardcopy documents are shredded using a cross-cut shredder. If such a shredder is not available in the remote workplace, return confidential documents to campus for appropriate disposal using university vendors or facilities. Review the Data Classification Standard to ensure documents you are intending to dispose of are destroyed appropriately.
     
  • For disposal of official records, ensure they are eligible for disposal by referring to the Queen’s University records retention schedules or contact the Records Manager for assistance.

Teleconferencing and video conferencing

When taking part in a teleconference or video conference, employees should maintain an awareness of the confidentiality of those meetings, classes, or events. Consider whether it is possible for others in the remote workplace to overhear confidential conversations. Whether you are the host or a participant, take note of these tips for enhancing confidentiality.

  • Be mindful that while many devices allow for enabling video, some individuals may prefer to participate using voice only, or to obscure the background of their meeting space.
     
  • Unless there is a compelling reason to do so, avoid recording video or audio meetings, classes, or events. Such a recording becomes a record and requires proper management and storage. Furthermore, it may become subject to an access to information request.
     
  • If recording is desirable, give participants notice before beginning to record. Some tools such as Microsoft Teams automatically notify participants when a meeting is being recorded. The notice should also be repeated at the beginning of the recording to document the consent of the participants and to state the purpose of the recording by the person who intends to record.
     
  • If a recording is made, it should be retained no longer than necessary and deleted after its purpose has been met (e.g., after meeting minutes have been created). Recordings leave a variety of indicators as to their creation, existence, and, depending upon the technology used, even their deletion. Deleted recordings in the Teams environment persist in the recycle bin and will only be permanently deleted after 30 days, unless the user manually empties their recycle bin.

If teleconferencing or video conferencing is used to facilitate student advising or other kinds of medical or counselling activities, it is essential that privacy is maintained. Employees must ensure their work environment is private, and that the use of any recording technology will be done only with consent. Consent must be documented. Furthermore, only secure platforms may be used. See the resources listed below and seek guidance from IT Services if you are unsure about which platform to use. 

Creating and managing university records

As university staff work remotely, more and more university business is being handled using a variety of technologies that document our efforts, including email, chat logs, text messaging, and recordings of virtual meetings. While some records may be created with forethought and intent, some tools create ancillary records, digital tracks of the work staff do. While some of these tracks are useful, others are transitory fragments that add up to very little. When using online tools employees must realize that their text conversations, recordings, and even sharing of files could become matters of public record.

Chat messages in the main thread of a Teams space, or as a direct message to another attendee of an online meeting, are no different than email messages in that they are records. While messaging is often less formal and more fluid than email, the content of the messages, when they relate to university business are university records. The language and conduct of the chat should at all times be professional. Additionally, these messages may need to be preserved if they contain substantial decisions or other university business. If messages are transitory and are deleted after they have been read there is still evidence of this deletion. The person posting the message can only delete their own messages; contributions to the conversation before or after the deleted item remain intact and unaffected. Deleted messages can be recovered for up to 30 days. In some instances, it may be better to connect with your collaborators via a phone call or a video meeting rather than use messaging functions.

Similarly, messages in the Team Posts tab can only be deleted one by one; there is no ability to delete an entire conversation barring the deletion of the entire Team group space. If the Team space is deleted entirely the messages in the Posts tab, and any files or other content left behind will be deleted in 93 days. Therefore, the deletion of these materials needs to be done thoughtfully. Be mindful that some of what is communicated using these various tools may need to be produced as evidence of decisions or actions taken to satisfy legal inquires or access to information requests.

FIPPA applies to records in the custody or under the control of an institution. Emails, chats, texts, and other communication sent or received for business purposes, even those sent using personal accounts, have been found by Ontario’s Information and Privacy Commissioner to be under an institution’s control for FIPPA purposes and therefore required to be disclosed. Accordingly, always use these tools mindfully and keep the tone professional.

When employees return to campus after a period of remote work it is crucial that the documents they removed from their office be returned and that any records created while working remotely are filed in their unit’s recordkeeping system (both hardcopy and digital).

Helpful resources