HR managers in any part of the country can adapt this Model Policy for use at their own workplace.

Policy Statement

In the course of performing your job duties, you may be asked to handle, use, access and store personal data about ABC Company customers, clients, employees and business associates. All employees must be mindful of the need to keep this information secure. In addition to being required by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws, maintaining data security is a moral obligation and a business imperative necessary to protect the Company’s most precious assets—its reputation and the trust of its customers.

1. Purpose

The purpose of this policy is to establish and ensure employees follow standards for maintaining a “clean desk” to safeguard the security of personal data at their workstation. Maintaining a clean desk is vital to prevent third parties from stealing personal data from your desk or accessing, viewing, copying or using it without authorization.

1. Scope

This policy applies to all full-time, part-time and contract employees of ABC Company that handle personal data, including those who work off site or virtually and flexible hours of work.

1. Definition of Personal Data

For the purposes of this policy, personal data means information in electronic, paper or any other media such as photographs or videos which can be used to identify a specific individual either directly, e.g., a name or Social Insurance Number, or in combination with other information. This includes but is not limited to sensitive personal information such as details about a person’s physical or mental health, religion, race or ethnicity, sex life or preferences, political views, criminal convictions, union membership, etc.

1. Standards for a Clean Desk

Maintaining a clean desk means, at a minimum, ensuring that all personal data on your desk or in your workstation or work area is secure before leaving work at the end of the shift or for an extended period during their shift, including (without limitation) that:

• Personal data is not left on desks, tables or work surfaces;
• Personal data is stored in securely locked drawers or filing cabinets;
• Personal data is not left on whiteboards, chalkboards, bulletin boards or other surfaces—including post-its listing passwords;
• Personal data is not left in printers, photocopiers or fax machines;
• Computers are completely logged off;
• Portable computers are locked away in a drawer or bolted or secured with a locking cable so they cannot be removed;
• Workstations are locked;
• Keys to door, drawer and file locks are not left in the open and unattended; and
• Waste papers, CDROM, USB drives and other waste materials containing personal data are shredded or destroyed or securely sealed in designated receptacles for shredding or destruction.

1. Monitoring of Compliance

Supervisors are responsible for monitoring employee compliance with this policy as well as for answering their questions and offering instruction to help employees maintain a clean desk in accordance with this policy.

1. Notification of Breaches

Employees must report any actual or suspected breaches of this policy to their supervisor as soon as possible after becoming aware of them. Reporting of a suspected breach that proves not to be an actual breach will not result in any disciplinary action as long as the reporting employee acts in good faith.

1. Result of Breaches

Failure to comply with this policy may result in discipline up to and including termination in accordance with the ABC Company progressive discipline policy.