The rules of WFH
By Thomas R. Stutler
A virtual employee survival guide for security professionals
By Thomas R. Stutler
Whether the high number of virtual employees due to COVID-19 causes a paradigm shift remains to be seen.
Until then, security and life safety professionals need to assume traditional office employees will be working at home well into the year 2021.
This article will cover five areas to consider related to virtual employee safety and security, as well as provide suggestions to minimize legal risks. A bonus challenge is championing change now when your traditional office employees were turned into virtual employees unexpectedly back in March in an unprecedented way.
Let’s begin this journey with an optional primer to level set. The government uses the term “teleworking” for people who perform office duties from outside the traditional office. Teleworkers maintain contact with work and essentially perform their job using the internet and a telephone. Security professionals are encouraged to learn the difference between a traditional office employee working temporarily from home during a global pandemic, and a designated teleworking employee who has no workspace at the business. The Ministry of Labour, the Canada Revenue Agency and the law does treat these employees differently, so make sure your proposed guidance aligns with your legal and accounting opinions.
For our purposes, all employees working at home pursuant to COVID-19 will be called virtual employees.
If your company is new to using virtual employees, they probably do not have all the governance and guidelines in place to address the relevant health, safety and security practices and risk. At minimum, your company should create (or update) and publish a teleworking policy and standard; consider a formal agreement between employer and the virtual employee; publish guidelines for people managers on supervision and performance monitoring; consider an agreement that addresses equipment and furniture used by the virtual employee; and provide clarity on administrative details such as hours of work being rigid or flexible. Existing governance such as the Code of Conduct should also reflect the new normal. For applicable companies, your operating documents may need to be developed within the provisions of relevant collective bargaining agreements and translated into different languages. Bienvenue dans la nouvelle normalité.
A recommended initial step is to confirm the laws and collective agreements that apply to the virtual employee environment for your business. Across Canada, there are 14 independent jurisdictions, and all of them have three components: The Act, Regulations and Standards. You want to know these because they provide the best way to support your virtual employees, and because, in some situations, there is a strict liability legal standard. Those not familiar with strict liability — this means there are no defences if an investigator determines that you have not met your responsibilities.
While this article is not giving out legal advice and all legal questions should go through your legal team, it is critical to understand that if your company is charged with a violation, you will need to show you exercised due care and diligence to avoid the violation, and it was not practicable to do better than what was done.
Reminding your legal department and other approvers about the potentially strict liability standard may help achieve support. One could argue that the government is giving a lot of companies a pass right now due to COVID-19 for not having formal virtual worker programs, but predictably as virtual employee complaints increase and more inspectors are allowed to do their jobs, the enforcement will increase.
The next step is to know that all the relevant Acts in Canada have a general duty clause that clearly states that employers are accountable for the health and safety of employees. For instance, the Ontario Act states, “An employer shall take every precaution reasonable in the circumstances for the protection of the worker.”
This is very general, but then the governance gets more prescriptive and requires that the employer ensure compliance with the Act; the employer shall prepare a written policy and set up a program; must supervise employees to protect their health and safety; provide protective equipment; and establish health and safety committees.
Additional responsibilities are given to people managers. They need to ensure the employees comply with the Act; advise employees of hazards; provide written instructions for working safely; take reasonable precautions to protect employees; and ensure employees are using equipment safely.
In the same way that employers have a duty of care, employees have a duty of loyalty to the company to comply with health and safety regulations, and understand that security practices at work such as the clean desk policy apply at home, too.
Company code of conducts should be updated to reflect that virtual employees have a duty to report hazards; not to remove protective devices required by employer or by the regulations; not use any equipment that may endanger themselves or others; participate in health and safety activities; and understand their rights.
All Canadian jurisdictions require employers to establish health and safety committees, but specific requirements vary by jurisdiction. These committees, used properly, serve a great purpose of transparency for all parties.
For those new to the virtual employee world, an unfortunate reality is that the employer is held accountable for the health and safety of the employee but the employer will have limited rights to inspect. Only some health and safety acts include provisions for the inspection of a workstation in a private residence. One suggestion for those facing this challenge is to establish an audit schedule that selects a sample group of virtual employees.
In lieu of an in-person inspection, conduct a phone interview that goes over a checklist; require the employee to provide photographic evidence to confirm the workstation; and make sure annual acknowledgements include reference to virtual employee’s duty of loyalty.
Security leaders who focus on physical security should use this unique opportunity to understand and assist with all the risks to the company that are present in the virtual employee ecosystem, including the cyber threats. Most importantly, making sure that remote access does not introduce more risk. Cyber terrorists know that when companies sent millions of people home, many understaffed IT departments were opening remote access ports to keep up with demand, and not all companies have gone back to configure and test the firewalls to only respond to certain static IP addresses.
Regardless of your cybersecurity skills, you are still in a position to engage IT to understand their decisions to take certain actions (or not take action) to implement measures such as two factor authentication or use virtual private networks.
Also, you can work together to educate virtual employees on COVID-19 scams, and update acceptable use policies for employees. Beyond aligning with the cybersecurity team, security leaders should ensure that virtual employees feel safe, and, as mentioned above, are adhering to company rules such as the clean desk policy, shredding documents and storing sensitive materials. An easy win is to communicate and over-communicate with virtual employees by leveraging town halls, lunch and learns, and posting FAQs on the intranet.
There is a steep learning curve for all sides during these times, and sometimes virtual employees have great ideas that you can share with everyone else.
The dark side of virtual work
An area where security leaders can really make a difference is appreciating that many virtual employees will struggle with working in isolation and the abrupt changes to their work-life balance. While some will thrive, many will suffer with scheduling conflicts and feeling overwhelmed. Health Canada research puts work-life conflicts into four categories; namely role overload, work-to-family interference, family-to-work interference and caregiver strain.
All of these unresolved conflicts lead to more stress, and excessive stress can lead to poor health and even injury on the job. COVID-19 only exacerbated these known virtual employee concerns for families with kids (who can’t attend school or camps), and by adding more job insecurities to the equation.
When communicating with employees as the security leader, use the opportunity to mention the importance of mental health; what the early warning signs or symptoms of stress can include; and always speak positively about employee assistance programs, and encourage employees to reach out for help during these times.
If all these moving parts sound confusing or overwhelming, put on your investigator hat and imagine what happens when a virtual employee files an anonymous complaint with the Minister of Labour. Complaints can range from straightforward ones based on ergonomic needs the virtual employee believes were not addressed to absurd ones, such as an employee who wanted his employer to pay for a bay window, so he could enjoy the view of his garden while working. If the government accepts the complaint, the assigned inspector may show up unannounced.
Most likely, the inspector will request your company to produce governance (at a minimum, the virtual employee policy); any signed agreements with the virtual employee; annual acknowledgments; and proof that the company maintained communication with the virtual employee in a meaningful way on topics such as health, safety and security. The ability to provide all these artifacts will help establish that your company has taken reasonable steps to prevent harm to the employee, and met their duty of care.
Fortunately, you are only a few Google searches away from all the checklists, laws, resources and templates you need to succeed.
Thomas R. Stutler is the vice-president, national security operations at Cadillac Fairview Corp. Ltd. (www.cadillacfairview.com)