Protecting Personal Data under Work-from-home Arrangements

Work-from-home (WFH) arrangements have been implemented by organisations from time to time since early 2020 depending on the ferocity of the COVID-19 pandemic. As a result, office data and documents may have to be transferred to and processed via employees’ home networks and personal devices, which are generally less secure than the professionally managed corporate networks and devices. Further, the increase in transfer of data and documents (both electronically and physically) will increase the risk of data breach. This, coupled with the increasingly prevalent use of video conferencing software in a WFH environment, inevitably increases risks to data security and personal data privacy.

In this connection, my Office issued three Guidance Notes under the series “Protecting Personal Data under Work-from-home Arrangements” in late November 2020 to provide practical advice to organisations, employees and users of video conferencing software respectively to enhance the protection of personal data. In this article, I would highlight some of the advice contained in the three Guidance Notes.

General Principles for Data Security

As a general principle, the same standard shall be applied to data security and protection of personal data privacy, regardless of whether one works in the office or works from home. Data Protection Principle (DPP) 4 in Schedule 1 to the Personal Data (Privacy) Ordinance (Cap. 486) stipulates that data users shall take all practicable steps to ensure the security of personal data against, inter alia, unauthorised or accidental access or processing, having particular regard to, among others, (1) the physical location where the data is stored, (2) the security measures incorporated into any equipment in which the data is stored, (3) any measures taken for ensuring the secure transmission of the data, and (4) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data. Organisations and their employees should therefore step up their guard against the new risks posed to data security and personal data privacy under WFH arrangements.

Practical Advice to Organisations

Owing to the COVID-19 pandemic, WFH arrangements have fast become a new normal for many organisations. In preparing for WFH arrangements, organisations should carry out risk assessment to evaluate the data security risk associated with the arrangements and, based on the result of the assessment, update their existing policies and practices as appropriate. For example, organisations should provide their employees with sufficient training to ensure data security, including password management, use of encryption as well as awareness about cybersecurity threats and trends. Designated staff or department should be assigned to respond to questions from employees and provide technical support.

Organisations should, as far as practicable, provide their employees with electronic devices (such as smartphones and notebook computers) under WFH arrangements as employees’ own personal devices may be more vulnerable in data security. Organisations should also ensure the security of the data, including personal data, stored in the electronic devices by, for example, installing proper anti-malware software, firewalls and the latest security patches. To prevent data leakage, organisations should enable remote wipe function to erase data stored in the devices in case the devices are lost or stolen.

Virtual Private Network (VPN) is commonly used to facilitate WFH as it allows employees to access corporate networks remotely and more securely via the internet. However, the level of security offered by a VPN depends on whether it is set up properly. Organisations should enhance the security of a VPN by requiring multi-factor authentication for connection, keeping the security setting of the VPN platform up-to-date, and using handshake protocol for establishing secure communication channels between employees’ devices and the corporate networks. Enhanced security measures should also be in place for remote access to corporate networks.

Practical Advice to Employees

Employees play a vital role in ensuring data security and there are numerous steps they may take to better prepare themselves for a WFH situation. First and foremost, they should adhere to the polices of their employers on the handling of data, and should only use corporate electronic devices for work as far as practicable. Though it sounds obvious, employees should be mindful of setting strong passwords to prevent unauthorised access to corporate devices. They should not share corporate devices with family members or insert personal devices (such as personal USB flash drive) into the corporate devices because personal devices may be more prone to containing malware.

Although electronic communications ensure effective and free flow of exchanges between employers and employees during WFH arrangements, it is of crucial importance to ensure the security of electronic communications to avoid accidental leakage of data. In particular, employees should use wired internet connection as far as practicable. If they cannot avoid using Wi-Fi, up-to-date security protocol of Wi-Fi should be adopted to encrypt the data in transit. Further, employees should use only corporate email accounts (instead of personal accounts) for sending and receiving work-related documents and information, encrypt the documents and information if they contain personal data or restricted information, and double check the names and email addresses of the recipients before sending out an email. Moreover, suspicious emails and messages should be verified with the senders by other channels, such as making direct phone calls.

Transfer of paper documents out of office premises should be avoided as far as practicable because it is more difficult to ensure their security in a home environment. Otherwise, employees should try to redact or remove any personal data and restricted information from the paper documents before they take them away from the office. As a matter of good practice, they should maintain a register to keep track of the documents they have taken home and returned to the office. There should be no disposal of paper documents with personal data or restricted information at home. Such documents should be shredded in accordance with the established procedures in the workplace.

Practical Advice on Use of Video Conferencing Software

Remote workers are now more reliant on video conferencing as the nature of work continues to change. According to one study, around 1.8 million young workers in the UK are using video conferencing tools to interview for new roles.

Given that privacy policies and security measures vary among different video conferencing software, organisations should choose the ones that meet their operational needs. For example, they should use a video conferencing software with end-to-end encryption if they cannot avoid using the software for discussing confidential matters. Organisations should safeguard their user accounts by setting up strong passwords, activating multi-factor authentication, if available, and installing the up-to-date software and security patches.

To prevent unauthorised access to a video conference, organisations should set up a unique meeting ID with a strong and unique password for each video conference, and provide them to intended participants only. Organisations should also validate the identities of participants using the virtual waiting room function, and ‘lock’ the meeting when all participants are admitted.

Ensuing data security and personal data protection is not a one-off process, especially when the pandemic has accelerated technological advancement and intrusion into our daily lives in an unprecedented way, bringing new security and privacy threats with it.

Organisations are encouraged to review and refine their policies and practices in relation to WFH arrangements from time to time in order to effectively alleviate the new risks posed to data security and personal data protection in the new normal.

For details of the practical advice, please refer to the three Guidance Notes, which can be downloaded at the website of my Office:

https://www.pcpd.org.hk/english/resources_centre/publications/guidance/….

Jurisdictions

Barrister, Privacy Commissioner for Personal Data Hong Kong

Barrister, Denis Chang’s Chambers


Paul Harris is a public law and human rights specialist who also has considerable experience of other areas of civil litigation. He practises in Hong Kong, where he is one of the Territory’s leading public law silks, and in London, where he is a member of Doughty Street Chambers.


Paul is most well known for a series of successful human rights cases against the Hong Kong government but has wide experience of other areas of Hong Kong law, including land, commercial disputes, employment, personal injury, injunctions (including Mareva and Anton Piller orders), and contested probate actions. He has handled a number of cases involving difficult issues of conflict of laws.