Covid-19 has undoubtedly transformed the manner in which businesses are now operating. With the ‘stay at home’ order that had been issued by the Government of Jamaica, all non-essential employees across government and the private sector were encouraged to work from home (“WFH”). Though the “stay at home” order has been lifted, many employers have decided to keep WFH arrangements in place. Employers must assess both the benefits and risks associated with such arrangements and a data protection breach is one such risk that must be considered. To the extent possible, employers should seek to provide employees with work specific devices so as to avoid the use of personal devices for work matters. When employees WFH, they often have to rely on their personal devices such as laptops, home computers or mobile devices which may not have the same level of security as the devices used at the office/workplace. Employees may have to share their personal devices with family members which may result in the unauthorized access to personal data. It is therefore prudent for employers to put in place certain technical and organizational measures to protect the personal data of their customers and/or clients while their employees are working from home. Some of these technical and organizational measures are discussed below.
Employees’ Access to Personal Data
Employees’ access to personal data ought to generally be restricted and based on a need-to-know basis. All employees who have access to personal data should be subject to confidentiality/non-disclosure agreements which require employees to observe rules of confidentiality within the confines of their home. For example, telephone conversations about the company’s business ought to be done in private and not in the presence of family members.
Employers should be able to remotely wipe information from the personal devices of their employees in the event of theft. Employers should also be mindful of the many free video-conferencing applications, such as zoom and google hang-outs, being used by their employees at home. Employees ought to use only the video-conferencing applications which have robust security protocols in place to protect confidential information being discussed via their medium.
It is generally advisable that employers have mandatory training sessions on data protection to ensure that employees are properly trained in this area. Lastly and most importantly, employees should always be required to report any actual or suspected data breach as soon as possible.
Data Protection Policies
Employers should implement data protection policies, standards, and procedures which govern the way in which personal data is processed, used or stored by their employees while working from home. For example, one such policy would be to require all employees to save documents to a designated drive or system such as a Virtual Private Network (VPN) which would reduce the risk of unauthorized or unlawful access to confidential information. Employers must ensure that the policies are not only accessible to all employees but that all employees are bound by and continue to observe the terms of the policies while working from home. Employers should also continue to keep track of the activities of their employees to ensure that they are complying with the company’s policies.
All personal devices used by employees should be protected by a strong password. Strong passwords are those that are a combination of at least 10 lower and uppercase letters, numbers and symbols. Additionally, all documents which contain personal information of customers and/or clients should ideally be password protected and the password ought to be communicated by a separate medium such as a telephone call.
It is also recommended that emails containing sensitive personal data ought to be encrypted. Encryption is the process of converting information or data into a code to prevent unauthorized access. This process converts the original representation of the sensitive personal data, known as plaintext, into an alternative form known as ciphertext. Only authorized parties i.e. persons with access to the encrypted key can decipher a ciphertext back to plaintext and access the original sensitive personal data. An encrypted email would reduce the chances of a hacker being able to gain access to sensitive personal information of customers and/or clients.
Employers should require all employees to install up-to-date anti-virus software on their personal devices. The purpose of anti-virus software is to monitor, detect and prevent malware such as viruses, worms and Trojans from gaining access to any confidential information stored on electronic devices. This is of particular importance as it is being reported globally, that since the start of the COVID-19, there has been a dramatic increase in the number of phishing attempts and cyber-attacks.
A personal data breach under the impending Data Protection Act, can result in significant fines and penalties for employers. WFH poses a greater risk of a security breach. As an employer, it is therefore extremely important that the technical and organizational measures outlined above, be considered and where practical, are implemented to avoid the implications of such a breach.
Samantha Moore is an Associate at Myers, Fletcher & Gordon and is a member of the firm’s Commercial Department. Samantha may be contacted via firstname.lastname@example.org or www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.