New isolation and quarantine measures introduced to combat the spread of Coronavirus (Covid-19) has left businesses grappling with the problem of maintaining service delivery; both to their customers and by their employees.
The obvious solution most businesses are taking to the forced isolation of staff is to allow employees to work from home, because for most people that sit at a desk and work from a computer, working from home should be as simple as logging in. Unfortunately, this also means large numbers of people are suddenly shifting from working in controlled office environments using company owned equipment, to working in uncontrolled environments, and in a lot of cases, using their own equipment.
This article focuses on two important issues businesses need to consider when directing staff to work from home; work health safety and the protection of confidential information.
Work Health & Safety
Businesses are required under the Work Health & Safety Act to provide a safe work environment and safe systems of work within the workplace. So, what is classified as a workplace? Under the WH&S Act, a workplace is “a place where work is carried out for a business or undertaking and includes any place where a worker goes, or is likely to be, while at work.”
This means that for employees working from home, any home workspace becomes a workplace at law as soon as a worker goes there, or is likely to be there while at work, whether it’s a home office, a dining room table or a sofa, and even includes amenities.
What should employers do to provide safe workplaces and safe systems of work?
Unfortunately, there is no simple answer to this because every individual has different needs, and lives in a unique environment. However, there are a few simple steps employers can take to make sure their staff can work from home safely, such as:
- check that staff have a suitable, quiet space to set up a workstation, including a proper chair and table to work from;
- find out what equipment staff have available to them that they can use at home. This might include having access to a proper computer or laptop, a good internet connection and phone reception;
- Find out whether staff have children at home, and what hours staff might be able to work from home effectively without interruption. This might result in staff working split shifts around periods where they have carer responsibilities; and
- identify any staff that may have a medical condition which might require specialised equipment or other support services and where necessary, obtain an OT assessment of their home workspace.
Another often overlooked factor is that businesses must not permit their staff to work in an abusive or harmful environment, whether at the office, or at home. Businesses therefore need to consider any staff that may be vulnerable to abuse or other harm while working from home. Although this will be a delicate issue for many, if you are considering directing ‘at risk’ employees to work from home, we recommend you seek advice before taking any action.
Businesses should circulate to all employees a clear and direct working from home policy that addresses work health and safety standards, including the businesses expectations around using proper equipment and maintaining a suitable working space and then actively engage with staff to ensure that employees can work safely and effectively from home.
Unauthorised disclosure of personal and commercially sensitive information can have very serious ramifications for businesses and Courts are unlikely to assist a company that suffers or causes harm to others due to its own careless management of its information systems.
What is ‘disclosure’?
When we think of disclosure, it is more common for people to think in terms of person to person communication. However, disclosure of information occurs when it is passed from one source to another. In the digital age, this means ‘disclosure’ can occur simply by transferring data from one electronic device to another.
What are the risks?
In practical terms, businesses lose control of information as soon as it passes from its own systems to devices that are outside its control. Businesses can impose contractual obligations on their staff to protect information, but in reality, contracts will often only provide a remedy after the damage has been done. Also, devices owned and operated by staff are less likely to have strong security software and protocols to prevent against viruses and cyber-attack. The type of damage that might occur through unauthorised disclosure of information could include:
- Loss of data:
This might occur where company information is being stored on staff devices that are not properly backed up.
- Waiver of confidentiality:
If companies direct or simply permit employees to copy data onto their personal devices without informing the employee that the data is confidential, it is possible that a company might lose rights over that over that information, including the right to prevent others from using it, including competitors.
- Data breaches:
Data breaches occur when information held by a company is disclosed to a third party without authorisation. Data breaches can result in businesses becoming liable to others if the disclosure causes harm to the person or business about whom the information relates to.
If the information disclosed is sensitive personal information about an individual, and the unauthorised disclosure will likely result in harm to the person about whom the information relates, that company may have an obligation to self-report the disclosure to the Office of the Information Commissioner under the notifiable data breach provisions of the Privacy Act.
One of the most distressing matters I have been involved in professionally related to the inadvertent disclosure of information by a director to their teenage daughter who unwittingly shared that information with a friend. Unfortunately, the information was an investigation report into an incident of sexual violence committed against an employee by a senior manager. The culprit in this case was a family iCloud account.
- Misappropriation of commercially sensitive information:
The deliberate or innocent copying of business information is much easier and much harder to trace if the devices and systems being used are outside the company’s control.
In an ideal world, remote staff should be able to log in from home, do their work and then log off without any unauthorised or unintended transfer of data from the company’s servers to their employee’s devices. So, what are some factors that companies should look out for?
- Use of company email on personal devices:
If email data can be stored locally on employees’ personal computers and phones, it will be and once it is, it is no longer in the control of the company.
- Synchronisation settings on phones and tablets:
Many businesses that provide phones to employees allow them to connect their devices to personal iTunes and Google accounts. This can result in files being uploaded (sometimes automatically) to personal cloud storage services such as iCloud, OneDrive or Dropbox. Like email, once data makes its way to an employee’s personal cloud storage service, it is no longer in the control of the company.
- Remote access software:
Businesses have a lot of options when it comes to remote access software. I am no IT systems expert, however as a lawyer that practices in this field, the most terrifying remote access software I have seen was one that allowed staff to literally drag and drop files between their office desktop and their personal desktop. On top of all the other security and accessibility considerations that are relevant to which software you choose to use, give some thought to how staff might deliberately or innocently use it improperly.
- Confidentiality terms in employment contracts:
For many businesses, their employees will have contracts drafted that assume their place of work is the company office and so might not contain adequate terms to deal with the types of confidentiality issues that might arise in their new home working environment.
The current Coronavirus climate brings with it new and sudden challenges for businesses and employees alike.
If your business is affected by enforced isolation and quarantine measures, the Employment Law team can assist you with advice and assistance in safely transferring and mobilising your workforce to work from various home offices and ensure you have the correct employment policies in place. Please do not hesitate to contact a lawyer in Coleman Greig’s Employment Law team, who would be more than happy to assist you.