Introduction: How to Use This Tool
Like most companies, you may rely on an array of IT solutions to protect the personal information of your customers, clients, employees and business associates against hackers, malware and other cyber threats. But all of these data security measures can be undone by the unwitting actions of a single employee. As HR manager, you need to ensure that you have the right employee policies to prevent inadvertent breaches from happening at your organization. That includes a “clean desk” policy requiring employees to take specific measures to keep the personal data in their workstations secure from theft and the prying eyes of third parties without authorization to access it. Here’s a Model Clean Desk Policy for employers that are subject to federal, Manitoba, New Brunswick, Newfoundland, Nova Scotia, Ontario, Prince Edward Island or any of the 3 territories’ regulation—i.e., employers who are NOT subject to Alberta, BC or Québec regulation.
CLEAN DESK POLICY
- Policy Statement
In the course of performing your job duties, you may be asked to handle, use, access and store personal data about ABC Company customers, clients, employees and business associates. All employees must be mindful of the need to keep this information secure. In addition to being required by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws, maintaining data security is a moral obligation and a business imperative necessary to protect the Company’s most precious assets—its reputation and the trust of its customers.
The purpose of this policy is to establish and ensure employees follow standards for maintaining a “clean desk” to safeguard the security of personal data at their workstation. Maintaining a clean desk is vital to prevent third parties from stealing personal data from your desk or accessing, viewing, copying or using it without authorization.
This policy applies to all full-time, part-time and contract employees of ABC Company who handle personal data, including those who work off site, virtually or on flexible hours of work.
- Definition of Personal Data
For the purposes of this policy, personal data means information in electronic, paper or any other media such as photographs or videos which can be used to identify a specific individual either directly, e.g., a name or Social Insurance Number, or in combination with other information. This includes but is not limited to sensitive personal information such as details about a person’s physical or mental health, religion, race or ethnicity, sex life or preferences, political views, criminal convictions, union membership, etc.
- Standards for a Clean Desk
Maintaining a clean desk means, at a minimum, ensuring that all personal data on your desk or in your workstation or work area is secure before you leave work at the end of your shift or for an extended period during your shift, including (without limitation) ensuring that:
i. Personal data is not left on desks, tables or work surfaces;
ii. Personal data is stored in securely locked drawers or filing cabinets;
iii. Personal data is not left on whiteboards, chalkboards, bulletin boards or other surfaces—including post-its listing passwords;
iv. Personal data is not left in printers, photocopiers or fax machines;
v. Computers are completely logged off;
vi. Portable computers are locked away in a drawer or bolted or secured with a locking cable so they cannot be removed;
vii. Workstations are locked;
viii. Keys to door, drawer and file locks are not left in the open and unattended; and
ix. Waste papers, CD-ROMs, USB drives and other waste materials containing personal data are shredded or destroyed or securely sealed in designated receptacles for shredding or destruction.
- Monitoring of Compliance
Supervisors are responsible for monitoring employee compliance with this policy as well as for answering employees' questions and offering instruction to help them maintain a clean desk in accordance with this policy.
- Notification of Breaches
Employees must report any actual or suspected breaches of this policy to their supervisor as soon as possible after becoming aware of them. Reporting of a suspected breach that proves not to be an actual breach will not result in any disciplinary action as long as the reporting employee acts in good faith.
- Result of Breaches
Failure to comply with this policy may result in discipline up to and including termination in accordance with the ABC Company progressive discipline policy.