The COVID-19 pandemic has undoubtedly changed the way in which businesses are run and to a certain extent normalised remote-working arrangements. The Office of the Privacy Commissioner for Personal Data (PCPD) recently issued three guidance notes relating to working-from-home arrangements:
- “Protecting Personal Data under Work-from-Home Arrangements: Guidance for Organisations”;
- “Protecting Personal Data under Work-from-Home Arrangements: Guidance for Employees”; and
- “Protecting Personal Data under Work-from-Home Arrangements: Guidance on the Use of Video Conferencing Software”.
This article summarises the guidelines’ key recommendations for employers and employees, particularly with regard to the use of videoconferencing software.
Employers should assess their data security risks, including with regard to:
- the transfer of data and documents out of company premises and corporate networks;
- remote access to corporate networks; and
- the erasure of data.
Employers should provide training and support to employees regarding data security techniques (eg, password management, use of encryption, secure use of WiFi and awareness about cybersecurity threats).
Employers which provide employees with electronic devices should ensure data security by:
- installing proper anti-malware software, firewalls and the latest security patches on the devices;
- ensuring that all work-related information is encrypted; and
- enabling a remote wipe function.
With regard to the use of virtual private networks (VPNs), the PCPD suggests using a so-called ‘handshake protocol’ to establish secure communication channels and using a full-tunnel VPN where possible.
Employers should also implement network segmentation and enable an account lockout function for employees’ remote access to their corporate networks.
Employees should use only corporate electronic devices for work where possible. Some practical measures include:
- setting strong passwords;
- not connecting personal devices to corporate devices; and
- encrypting data.
Employees should avoid working in public places, but if this is unavoidable, they should use screen filters. Employees should avoid using public WiFi.
Employees should opt for a wired connection (instead of WiFi) where possible. Employees should also adopt up-to-date security protocols such as WiFi Protected Access (WPA) 3 or WPA2 to encrypt the data in transit and safeguard against other attacks.
Employees should avoid using personal email accounts or personal instant messaging applications and be aware of phishing and malicious emails.
As far as practicable, employees should avoid removing paper documents from office premises.
The PCPD suggests that organisations use videoconferencing software with end-to-end encryption.
- safeguard their accounts with strong passwords;
- ensure that the videoconferencing software has the latest security patches installed; and
- use a reliable and secure internet connection.
The conference host should set up a unique meeting ID and a strong password and arrange for one more ‘host’ to handle administrative and technical issues.
To prevent unauthorised access, the PCPD suggests:
- setting up a virtual waiting room and validating participants’ identities before allowing them to join the conference; and
- ‘locking’ the meeting when all participants have been admitted.
The conference host should also inform all participants and obtain their consent before recording the conference and delete the records when they are no longer necessary.
Videoconference participants should be aware of their backgrounds and use virtual backgrounds if necessary. They should turn off microphones when not speaking and avoid discussing personal or sensitive information as far as practicable. They should also be careful not to disclose any sensitive information to other participants when sharing screens.
While employers need not comply with the PCPD’s guidance notes, the notes do provide advice on best practices for complying with data privacy laws, and employers are advised to observe them.