Hello Doctor, COVID-19 attacked my data!


Hello Doctor, COVID-19 attacked my data!

Vanessa Deschênes [1]
Lawyers, Patent and Trademark Agents

I often say that issues regarding privacy and data protection are everywhere today, in any context. The COVID-19 situation is no exception.

As we have seen in the media, there is a sense of public concern and urgency, and this situation may present risks and challenges to the protection of personal information and privacy rights.

With the current chaos, your business may be more vulnerable to COVID-19 than what you may think.

To guide you in managing this unprecedented situation, we remind you of some important things to consider.


In the wake of announcements made by the Government of Quebec, several companies have followed suit and decided to allow their employees to work from home. However, this measure is not without risk for businesses. In fact, the dazzling increase in the number of employees working from home may also lead to a significant increase in security risks and non-compliance with regulations regarding data protection and privacy.

Moreover, while some businesses and employees are already well “tuned” to telework, this may well be a new situation for a large majority of the population.

Data protection is not in itself an obstacle to your employees being able to work from home, even when they use their own computer or communications equipment. However, as a company, it is important to ensure that similar and adequate security measures are in place for this type of work.

For example, your employees must take special care not to leave documents containing personal information in plain view. The same applies to computer access, employees should systematically lock their session when they are not in front of it.

We are also aware that with schools closed, parents who have to telework may be more easily distracted. Therefore, it is important to remind your employees to be twice as vigilant when sending emails that contain personal information. An error in the recipient can happen so quickly!

 In summary, your employees should, among other things:

  • Systematically lock their workstation as soon as they are no longer in front of their screen;
  • Do not leave documents containing personal information in plain sight. The same applies to passwords;
  • Do not leave USB keys containing personal information in plain sight and ensure that they are stored in a safe place when not in use;
  • Make sure you have an appropriate place for phone calls that may reveal the personal information of others;
  • Avoid e-mailing documents containing personal information over unsecured networks.


You have probably already heard the saying that one man’s happiness is another man’s misfortune? In times of crisis such as these, it would unfortunately not be surprising to see hackers taking advantage of this chaotic situation to infiltrate your computer systems and and steal data.

The same goes for phishing. Malicious people could take advantage of the current situation to send your employees emails related to COVID-19, such as imitating emails from management or even government authorities. Vigilance is therefore required.


The announcements made by the Government suggest that this outbreak would constitute an exceptional public danger. In such a context, the powers to collect, use and disclose personal information to protect public health can be considerable. In other words data protection and privacy legislation cannot prevent the sharing of information during a pandemic emergency.

Under labour laws, employers have an obligation to protect the health and safety of their employees. In doing so, they are therefore responsible for informing themselves of the health status of their employees with respect to COVID-19. This also means keeping staff informed of confirmed cases in the organization.

However, we would like to bring to your attention this does not mean that you need to point to specific individuals. In addition, we wish to remind you that you should not collect more information than necessary. While you have an obligation to protect the health and safety of your employees, this does not mean that you need to collect a lot of information about them.

For example, it would be reasonable to ask your staff if they have visited a particular country or are showing symptoms of COVID-19. If this information is insufficient, make sure that you collect only what you need and is necessary and ensure that the information collected is treated with appropriate safeguards, taking into account its sensitivity.

You have additional questions, or would you like our support in matters regarding data protection and privacy? Do not hesitate to contact us!

© CIPS, 2020.

[1] Vanessa Deschênes is a Lawyer for ROBIC, LLP, a firm of Lawyers, Patent and Trademark Agents.