8 February 2021
Since the start of the COVID-19 pandemic, many companies in Hong Kong have allowed their employees to work from home ("WFH") to avoid the risk of contraction of the disease at work.
Data privacy issues arise from such arrangements when employees work on their employer's documents outside the employer's premises, whether those documents are physical hard copies or electronic data that is transferred and processed on employer-provided or personal equipment.
Some of these documents may contain personal data, and employers should be aware of the risk of being in breach of the Personal Data (Privacy) Ordinance (Cap.486) ("PDPO") as a result of the actions of their employees.
In this article, we cover steps which employers may consider in order to reduce that risk.
Relevant Data Protection Principle
The PDPO sets out 6 data protection principles ("DPPs" or "DPP") which aim to protect the privacy of individuals in relation to their personal data.
Principle 4 of the DPPs is relevant to the WFH situation. Schedule 1 of the PDPO provides:
"Principle 4 – security of personal data
(1) All practicable steps shall be taken to ensure that any personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user is protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to –
(a) the kind of data and the harm that could result if any of those things should occur;
(b) the physical location where the data is stored;
(c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
(d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
(e) any measures taken for ensuring the secure transmission of the data.
……"
"Personal Data" means information which relates to a living individual and can be used to identify that individual; and "data user" is a person who, either alone or jointly with other persons, controls the collection, holding, processing or use of personal data.
For example, in the construction industry, contractors may collect information relating to their sub-contractors and the workers on their construction sites. Such information may include names, copies of ID cards, certificates for the specific trades which they hold, etc. Also, at the entrance of construction sites, contractors may keep records of the names and ID card numbers of persons who have entered the sites. These are examples of personal data which require protection.
Employers should ensure their employees take all practicable steps to comply with the above DPP.
Common activities which may compromise security of data
There are some common activities which may compromise the security of data, or at the very least increase the risk of there being a breach of personal data, whilst employees are working from home.
For example, employees may remotely access their companies' networks using their own personal devices, or may bring electronic or paper documents home for work. Personal electronic devices are generally less secure than their employer's corporate systems and their unregulated use presents a common opportunity for data breaches.
Further, while accessing their companies' networks, whether on corporate systems or not, some employees may not use secured networks. For example, if they work in public places, they may connect to public Wi-Fi networks, which are frequently unsecured and may allow potential attackers to exploit that weakness to gain access to the companies' data.
Some employees may be using personal email accounts or instant messaging applications to send and receive companies' documents or data, or taking paper documents away from the office (which should be avoided if at all possible). Such practices pose serious risks of theft or loss of data.
What can employers do?
Employers should take steps to enhance data security and protection of personal data privacy under WFH arrangements. Steps which employers may consider adopting include, for example:
- Assessing the risks to data security (including personal data) in order to formulate appropriate safeguards;
- Based on the risk assessments, setting out clear policies on the handling of data (including personal data) during WFH arrangements, in particular in relation to:
  - Transfer by employees of data and documents out of the companies' premises and networks, including the use of USB drives as well as hard copy document procedures;
  - Remote access by employees to the companies' networks and data on secure platforms only, by means of end-to-end encryption and the use of passwords and multi-factor authentication;
  - The use of company-provided email systems to send and receive emails related to company business, rather than personal platforms such as WeChat, WhatsApp, Snapchat, etc., or private personal email servers;
  - Handling of data breach incidents;
- Providing sufficient training and support to employees for WFH arrangements to ensure data security, including in the following areas:
  - Ensuring company policies on the handling and security of data are followed;
  - Data security techniques;
  - Awareness of cybersecurity and current threat trends;
- Considering providing electronic devices to employees and ensuring the security of data on those devices by, for example, installing proper anti-malware software, performing regular system updates, setting up strong access controls such as requiring strong passwords and multi-factor authentication, using virtual private networks (VPNs) and tunnels, and preventing the transfer of data from company devices to personal devices.
The Office of the Privacy Commissioner for Personal Data has recently issued three Guidance Notes under the series "Protecting Personal Data under Work-from-Home Arrangements" to provide practical advice to (1) organizations; (2) employees; and (3) users of video conferencing software to enhance data security and the protection of personal data privacy, which can be accessed at the following websites:
- Protecting Personal Data under Work-from-home Arrangements: Guidance for Organisations: https://www.pcpd.org.hk//english/resources_centre
- Protecting Personal Data under Work-from-home Arrangements: Guidance for Employees: https://www.pcpd.org.hk//english/resources_centre
- Protecting Personal Data under Work-from-home Arrangements: Guidance on the Use of Video Conferencing Software: https://www.pcpd.org.hk//english/resources_centre
Employers are encouraged to familiarise themselves with these guidelines and to ensure their employees are aware of their duties to protect personal data.
For further information, please contact
Christopher Short, Partner, Clyde & Co
Christopher.Short@clydeco.com