Mark R Johnson

Maintaining Data Privacy when "Working from Home"

Due to COVID-19, many companies have grounded staff who must now work from home. This has brought into focus two main risks from a Data Privacy perspective.

DATA PRIVACY WORKING FROM HOME RISKS

  • Home working widens the geographic extent and the number of unknown parties to whom data – commercial or personal – may be exposed, inadvertently or otherwise. Most companies do not know the private living arrangements of their staff, who may live with strangers in shared flats, with partners who work for competing organisations, or in a simple family unit, creating new integrity and confidentiality risks that need to be mitigated.

  • Home working has also introduced home WiFi networks into the company’s network topology, as they are required to connect computers and devices at home to the work systems. Because organisations have more resources available than individuals, the security measures protecting systems at work are more comprehensive than those at home, i.e. the more universal use of home WiFi introduces extra risk.

LEGAL BASIS FOR PROCESSING

Whilst the purposes and legal bases for processing likely remain unchanged from a GDPR perspective, the policies and practices adhered to in the office which may affect the processing of data are less tangible when working in the home environment. For example, a ban on drinking alcohol at work is now standard, but during the pandemic, whilst pubs and bars are closed, home-based alcohol consumption has increased – and because it is freely available at home, there is a risk that the office ban may not be considered during a lonely lunchtime, leading to the integrity and confidentiality principles potentially being overlooked.

It is all too easy to forget, in the confines of one’s home, where one is supposed to enjoy the fewest boundaries by design, that treating data with respect is no less important than it is at work. Strict codes are generally observed at work. However, in the more familiar setting at home, the risk of careless comments increases due to looser tongues.

Sovereign Intelligence has adapted to this change and we offer the following advice in case it is useful for your own planning.

RESOLVING THE DATA PROTECTION RISKS OF WORKING FROM HOME

We have acceptable-use, BYOD (bring your own device), information security and data protection policies, which are important manuals that help to guide everyday working procedures, whether in the office or at home. For example, policies do not allow colleagues to share a computer, but at home, because of the stronger trust between household members, one may succumb to a request to ‘borrow’ a computer – this is how mistakes happen, leading to accidental or unlawful access to data (‘confidentiality’ breaches) or undesired manipulation or destruction of data (‘integrity’ breaches).

Sovereign has invoked the following technical and organisational measures to mitigate these risks:

  • A reminder to staff to observe work policies and practices at home, such as only drinking alcohol after work, or not lending work-related equipment to individuals at home;

  • Instructions not to leave laptops, computers and other work-related devices unsecured in a garden office or elsewhere whilst relocating for lunch with flat-mates or the family;

  • Cautions regarding the need to be aware of prying eyes and, as the old adage goes, “keep mum”;

  • Reminders not to send work-related material to personal accounts, or open emails or click on links unless certain of the source and that the correspondence is expected or normal; and

  • A request to take time to re-read work policies, both as a refresher and to consider and give feedback on any omissions or elements that are now out of date.

RESOLVING THE HOME WIFI RISKS OF WORKING FROM HOME

A company’s risk is extended by the use of home WiFi. For instance, if other, less secure personal computers or devices on the home WiFi network are infected, that infection could use the home WiFi network to jump to the computer or device being used for work purposes. This computer or device may already hold sensitive data – commercial or personal – or it may subsequently be connected to the work network, which the virus may use to infect other connected computers or devices on which sensitive personal data may also reside. The purposes and legal bases for processing remain unchanged in any case.

Either way, the new network topology due to home WiFi does change the nature, scope and context of the processing operations involved. It therefore becomes more likely than before that sensitive personal data will be subject to unauthorised access – such virus attacks typically being either ransomware that may temporarily or permanently disable systems (‘availability’ personal data breaches), or downloaded code that allows illegitimate access for the exfiltration of personal data (‘confidentiality’ breaches) or the undesired manipulation or destruction of personal data (‘integrity’ breaches).

Sovereign has invoked the following technical and organisational measures to mitigate these risks:

  • Employees are asked to call their internet provider and have them talk through setting up a guest WiFi network at home, to isolate the work-related machines from the family WiFi, and to invoke a policy that no other, non-work device may access the guest WiFi; or, if that is not possible, then

  • Employees are encouraged to instead tether their work-related device to their work mobile device and invoke a policy that no other non-work device is connected; or, if not, then

  • Employees to confirm that all devices on the home WiFi network have secure passwords, using password managers and setting up multi-factor authentication (MFA) for these managers and for all other apps on all connected devices, e.g. LinkedIn, Facebook, Twitter, to limit the value of any log-in details captured by hackers. MFA can be set up in the ‘security settings’ of the password manager and apps, so that users are prompted for a code, and thereby alerted, when someone tries to gain access;

  • Employees to confirm that their own computers and devices have best-of-breed virus-checkers, rather than relying on ‘standard’ ones or those supplied by ISPs, which may be 4-6 weeks behind on patches.