Removal of Records from the Worksite and Working Remotely: Best Practices Guide

VIU is committed to protecting the privacy of our employees, students, alumni and guests. VIU is required by FIPPA to keep all personal information in its custody or under its control safe and secure. When information relating to VIU business is used outside of the office or the classroom, there is an increased risk of loss or compromise of personal and confidential information.

Working remotely often means using electronic or paper records containing personal or confidential information off campus and sending or sharing personal or confidential information through email or remote online meetings.

This guide applies to all VIU employees and service providers who work remotely. Individuals must protect electronic and paper records, especially those containing personal or confidential information, from risks such as unauthorized collection, use, disclosure, access, and destruction. It is also important that personal and confidential information is protected when used, contained or communicated in telephone calls, emails or videoconference meetings.

Purpose

The purpose of this guide is to:

  • provide employees and third-party service providers with instructions on how to safeguard VIU's personal and confidential information when working outside the physical workplace;
  • ensure the protection and security of confidential paper and electronic records while employees and service providers are working remotely;
  • ensure individuals are aware of and understand protocols should records in any format be lost or stolen; and
  • advise on best practices to ensure that VIU continues to meet its privacy obligations when employees work remotely.

Definitions

Confidential Information means a category of information with strict confidentiality requirements including but not limited to:

  • Economic or financial information
  • Third party business information, where its disclosure could harm the third party
  • Legal advice
  • Law enforcement information
  • Other proprietary information of VIU

Contact Information means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual.

Personal information means recorded information about an identifiable individual other than contact information.

Record includes books, documents, maps, drawings, letters, papers, and any other mechanism on which information is recorded or stored by mechanical, graphic, electronic, or other means.

Best Practices for Working Remotely

  1. Paper records must not be removed from the worksite unless operationally necessary and specific authorization is obtained in advance. Records removed from the physical workplace must be secured at all times.
  2. Store physical records in a locked filing cabinet or drawer that you have sole access to and avoid leaving documents unattended while visible. Upon returning to campus, return records to their original storage place as soon as possible and destroy any copies using the shredding services managed by VIU.
  3. Access to electronic records must be made via VIU’s approved Virtual Private Network (VPN) or other preauthorized secure methods.
  4. Ensure that you have applied all security updates and have updated virus/malware protection if connecting from a personal device. (VIU owned/managed devices are updated automatically.) This is critical to protect VIU data.
  5. Do not accept software updates that are triggered from a website or email, such as Java or Adobe Flash.
  6. Avoid using public charging stations (i.e. where a charging dock or cable is already provided), such as on a ferry or in an airport, as these are not considered safe for use.
  7. Follow the same cyber-aware protocols in respect of suspicious or unexpected e-mails as you do on campus, including:
    • If an e-mail looks unusual, feels unexpected, has any typos, or it just seems “odd”, do not click any of the links.
    • Verify a link before you click on it by hovering over a hyperlink in your inbox, without clicking. When you hover over a hyperlink, you’ll see the target URL in the lower-left corner of your browser.
    • If you can, call the person or business at a phone number that you trust and ask them if the suspicious email is valid. This gives you a second method of communication to verify the email.
    • If you have clicked on a deceptive link and provided your credentials, change your password immediately.
    • If you clicked a suspicious link or if you believe your computer may be compromised, immediately report the concerns by notifying the IT Help Desk at 250.740.6300 or IThelp@viu.ca.
  8. Ensure all devices and associated records are protected and secure from theft, loss, and unauthorized access by physically securing documents and devices, and by using the following:
    • Password protection
    • Regular password resets
    • Encryption
    • Firewalls
    • Restricted access
  9. Individuals must not use open, public, or unsecured Wi-Fi networks when accessing VIU’s records.
  10. Individuals must log off or shut down a laptop or computer when not in use. An automatic logoff or screen protection must also be installed to run within a short period of time (e.g., 5 minutes) when the device is not in use.
  11. Records should never be stored on any external computer hard drive.
  12. When using video conferencing:
    • If you want to record a video conference, say for note-taking, you must have permission from everyone on the call.
    • Personal or sensitive business information should not be discussed in public places or in spaces that may include other members of your household.
    • Ensure that any visible personal or confidential data is kept away from camera view.
    • Conduct meetings out of hearing and viewing range of others in your household or other remote workplace.

Reporting a Data Breach

All records relating to VIU business are subject to the access and privacy provisions of FIPPA even if they are created, sent, or received through non-VIU email accounts, or stored on personal devices.

If VIU records are lost or stolen

  1. immediately notify your manager; and
  2. report the loss by email: Privacy.Officer@viu.ca

If a VIU device is lost or stolen

  1. immediately notify your manager;
  2. report the loss by email: Privacy.Officer@viu.ca; and
  3. notify the IT Help Desk at 250.740.6300 or email: IThelp@viu.ca

The Privacy Officer will advise what next steps should be taken.

Questions Regarding this Policy

If you have any questions regarding this guide, please contact VIU’s Privacy Office at Privacy.Officer@viu.ca.