11 April, 2020
How does the communication within a team take place in the home office?
Due to the increasing intensity of preventive measures against the spread of corona, more and more companies are closing down their locations and, where possible, relocating business operations to home offices. As a result, the way employees communicate needs to change from direct contact to alternative means of communication. While the latest technology greatly facilitates remote communication, there are important privacy and cybersecurity considerations, which we consider below, that are relevant in (almost) every European and U.S. jurisdiction. Ultimately we recommend that the use and implementation of new means of communication, both internal and external, be the result not of individual employee decisions, however well motivated, but of a conscious management choice based on an implementation plan and an appropriate compliance check. We have suggested points for consideration to help you initiate that check in a hurry if needed.
What alternative communication channels are available?
Alternative communication options mainly include platforms such as WhatsApp, Skype, iMessage, Google Meet, Zoom or Microsoft Teams. But there are also many more chat programs such as Campfire, HipChat or Slack, some of which can be used for business purposes free of cost in order to exchange information as effectively as possible within a team. In our global practice we see our clients quickly embrace these platforms; but the question is whether individual employees are making their own choices on what platform to use, or whether their company is. Often we see individuals or teams act on their own in their search to facilitate communication, stay connected to each other and optimise productivity. We also see employers enable these platforms within their organisation because they often offer means to track productivity or at least connectivity. Although these could all well be justifiable motives and incentives, very often the decision to use or implement these kinds of solutions is made in an ad hoc and potentially non-compliant manner.
What data protection issues are involved?
When using the mentioned platforms, employees will transmit both personal data and confidential information (often even trade secrets as per Directive (EU) 2016/943) to other employees or even customers. The platform providers may also collect certain usage and other information. Each operates differently, so it is important to look at the specifics of the terms of use and supply, how it operates in practice and any related privacy policies or notices, especially if a “consumer” tool is being used for a business purpose. Steps to mitigate privacy risk can then be assessed and applied.
Messaging apps serve as an illustration. Use has surged, but some data protection authorities (such as the German and Dutch) have previously taken the view that companies using certain consumer messaging apps for business communication are in violation of the General Data Protection Regulation (GDPR) if stored contacts and telephone numbers within an individual user’s phone are transmitted without the consent of the affected individuals. However, according to the general terms and conditions of those messaging apps, once an individual grants access to their phonebook, the transmission of all contacts—including work related contacts—occurs automatically. So to address that, access to the contacts should be permanently deactivated directly after installation, or the relevant contacts asked to give their consent for the transmission.
In addition, from a cybersecurity perspective, it is important to protect internal corporate communications against unauthorized access. Encrypted applications like WhatsApp help, but other applications do not necessarily incorporate end-to-end encryption. Furthermore, even with encryption, if a user accesses these services via the public internet, for example, it is more likely that hackers can get onto the handset or mobile device and thereby read the traffic in unencrypted form, before it is encrypted for sending or after it has been decrypted on the device.
Furthermore, a common problem in using messaging services is that, if they are used for the employer’s activities, a data subject access request (DSAR) might obligate an employer to ask for access to the employee’s chat history concerning that particular data subject. This leaves the employer in the difficult position of balancing the right of access of one individual against the employee’s right to privacy, even if a provision is incorporated in the employee privacy notice from the beginning. This challenge becomes amplified legally and practically if the messaging service concerned is a consumer messaging service which is being used for both personal and employer activities.
Rush implementation and/or adoption?
All commercial or consumer messaging services could cause significant risks for compliance with the GDPR, the California Consumer Privacy Act (CCPA) and other privacy legislation if implemented “on the fly”. We therefore strongly advise against a practice whereby an employer simply accepts or ignores the unauthorised use of any alternative communication methods by its employees in these times of the COVID-19 crisis. The use and implementation of any such new means of communication, be it only internal or (also) with customers, should be the result of a conscious management decision based on an implementation plan and an appropriate compliance check.
A pragmatic compliance check should assess (and act upon the outcome of) among other things the following:
- What data is stored by or transmitted from the concerned platform to the provider and its servers (e.g. chat histories, log-in data, etc.);
- What can the provider do with that data (i.e. can they use it for their own purposes, or can they sell it);
- Whether the platform guarantees a sufficient level of data security. In particular, companies should check whether the provider of the respective platform provides appropriate safeguards for third country transfers (e.g. certification under the US Privacy Shield for transfers from the EU), because their servers could be located in a country where such additional protections are required;
- Whether internal corporate communication via the platform is sufficiently secure (e.g. risk of potential data breaches);
- If internal privacy notices, policies and procedures reflect this processing activity sufficiently or need to be updated (see DSAR example above);
- If a user policy is necessary because of trade secret, competition and/or cybersecurity aspects. For example: employers should consider the need to put a Bring Your Own Device policy in place when platforms are used on private devices. In some instances these platforms are being deployed for the very reason that the employer doesn’t issue corporate devices to all staff and is therefore asking them to use a personal device for work purposes for the first time;
- Depending on the amount and qualification of the data exchanged (such as special category personal data), assess whether a data protection impact assessment (DPIA) is mandatory. Further, or as part of that, assess whether guardrails are needed more broadly on the use of the tools. Updating or putting in place policies around appropriate use is likely to be needed, especially given the “social” and personal use crossover with some of these tools;
- Whether it is likely that employees will exchange personal data or other data protected by the obligation of professional secrecy via these platforms. In that case, an internal policy should be in place to prevent employees from doing that and prescribe alternative and GDPR-compliant ways of communication of this type of data;
- Whether this particular processing activity is included in your register of processing activities.
What security requirements are necessary?
In general, it is the responsibility of a company to ensure sufficient security, regardless of the means by which a user remotely accesses the system. Where a company’s system is accessed remotely, a potential weakness is created in the system. For this reason the need for such access and the relevant security measures should be properly assessed. Some supervisory authorities have confirmed that, where possible, only trusted networks or cloud services should be used by companies when alternative methods of communication are being used. Employees should comply with any internal organisational rules and procedures in respect of cloud or network access, login and data sharing. It is important to ensure that any locally stored data is adequately backed up in a secure manner.
It is also important that effective access controls (such as multi-factor authentication and strong passwords) and, where available, encryption are used to restrict access to devices and various applications and to reduce risk if a device is stolen or misplaced. Devices such as smart cards or tokens, as well as standalone mobile apps, can be used as part of multi-factor authentication, providing authentication either by generating a code to be entered or by containing a chip that authenticates with the system being accessed.
They may generate a PIN that is valid only for a very short period of time. This is used in conjunction with a username and password to authenticate the user, and can reduce the risk of ‘brute force’ password attacks or attacks where passwords have been stolen.
What to do with paper records?
Certain supervisory authorities have also confirmed that it is important for companies to remember that data protection compliance mechanisms (such as those mentioned above) apply not only to electronically stored or processed data, but also to personal data in hard copy. When employees are working remotely with paper records, they should take steps to ensure the security and confidentiality of these records, such as by keeping them locked in a filing cabinet or drawer when not in use, disposing of them securely (e.g. shredding) when no longer needed, and making sure they are not misplaced or stolen. This is particularly important in respect of special category data. A record should be maintained of documents that have been taken home by employees.
Right now, responses have to be swift to keep organisations functioning in this unprecedented global scenario. Often the mantra is repeated that “perfection should not be the enemy of the good”. This list of actions and attention points is in no way exhaustive, but we hope it offers some timely guidance on relevant aspects of data protection and cybersecurity to consider if faced with a rush to implement the use of these alternative communication platforms, so you can swiftly and effectively help the business to balance and manage its compliance risk.
This article was authored by Eversheds Sutherland, a relationship firm of LAW Partnership.