The Office of the Privacy Commissioner for Personal Data provides new guidance on ensuring data security and personal data privacy when implementing work-from-home arrangements.

The Office of the Privacy Commissioner for Personal Data (PCPD) has published a guidance note setting out recommendations on how to minimise risks to data security and personal data privacy in organisations that implement work-from-home (WFH) arrangements. With the Covid-19 pandemic, WFH arrangements have become relatively common and the guidance note – Protecting Personal Data under Work-from-Home Arrangements: Guidance for Organisations – points out that the transfer of electronic or physical data in WFH arrangements inevitably leads to a higher risk of data breaches.

‘In addition, cybersecurity threats, such as hacking and malware, remain an issue. Organisations should be vigilant and pay special attention to and ensure data security when implementing WFH arrangements. They should provide adequate guidance and support to their employees in order to reduce the risks of breaches of personal data privacy,’ the guidance note says.

The guidance note also establishes the principle that organisations, as data users and employers, are primarily responsible for safeguarding the security of personal data and protecting their employees’ personal data privacy. Moreover, regardless of whether one works in the office or works from home, the same standard should apply to the security of personal data and the protection of personal data privacy.

Organisations that implement WFH arrangements should:

  1. set out clear policies on the handling of data (including personal data) during WFH arrangements – as required under Data Protection Principle (DPP) 5 in Schedule 1 to the Personal Data (Privacy) Ordinance (PDPO), and

  2. take all reasonably practicable steps to ensure the security of data, in particular when information and communications technology is used to facilitate WFH arrangements, or when data and documents are transferred to employees – as required under DPP 4 of the PDPO.

The guidance note sets out the following measures organisations should implement to give effect to the two general principles above.

Risk assessment

WFH arrangements may be unprecedented or new to many organisations. Organisations should therefore assess the risks for data security and employees’ personal data privacy in order to formulate appropriate safeguards.

Policies and guidance

In light of the results of risk assessment, organisations should review their existing policies and practices, make necessary adjustments and provide sufficient guidance to their employees. Such policies and guidance may cover the following areas:

  • transfer of data and documents out of the organisations’ premises and corporate networks
  • remote access to corporate networks and data
  • erasure and destruction of unnecessary data and materials, and
  • handling of data breach incidents.

Staff training and support

Organisations should provide sufficient training and support to their employees for WFH arrangements to ensure data security. Training and support may cover the following areas:

  • data security techniques, such as password management, use of encryption and secure use of wi-fi, and
  • awareness about cybersecurity threats and trends, such as phishing, malware and telephone scams.

Organisations should deploy designated staff to answer questions from employees and provide necessary support.

Device management

Organisations may provide their employees with electronic devices (such as smartphones and notebook computers) under WFH arrangements. The following steps should be taken to ensure the security of the data, including personal data, stored in such devices.

  • Instal proper anti-malware software, firewalls and the latest security patches in the devices.
  • Perform regular system updates for the devices.
  • Ensure that all work-related information in the devices is encrypted.
  • Set up strong access controls, such as requiring the use of strong passwords (with a combination of letters, numbers and symbols), requiring passwords to be changed regularly, using multifactor authentication and limiting the number of failed login attempts.
  • Prevent the transfer of data from corporate devices to personal devices.
  • Enable a remote wipe function so that information in the devices can be erased if the devices are lost. 
  • Avoid putting the names, logos and other identifiers of the organisations on the devices conspicuously to avoid unwarranted attention.

Virtual Private Networks

Virtual Private Networks (VPNs) are an important and popular tool for WFH arrangements because they enable employees to access corporate networks remotely and more securely via the internet. The following steps should be taken to ensure the security of VPNs.

  • Use multifactor authentication when connecting to a VPN.
  • Keep the security settings of VPN platforms up-to-date.
  • Use handshake protocols (such as Internet Protocol Security, Secure Sockets Layer and Transport Layer Security) to establish secure communication channels between employees’ devices and corporate networks.
  • Use full-tunnel VPNs where possible (use split-tunnel VPN only when necessary, such as where there is insufficient bandwidth). 
  • Block connections with insecure devices.

Remote access

In addition to using VPNs, organisations should implement the following further security measures for remote access to their corporate networks.

  • Divide corporate networks into multiple segments or subnets, thereby reducing the risk and magnitude of data breach incidents, as well as enhancing the protection for critical and sensitive data. 
  • Only grant access rights to employees where necessary, for instance using role-based access controls. 
  • Enable an account lockout function to prevent logins by a user after multiple failed login attempts. 
  • Review logs of remote access to identify any suspicious activities.
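The last two measures (account lockout after repeated failures, and reviewing remote-access logs for suspicious activity) can be illustrated with a small log-review routine. This is an added example, not part of the PCPD guidance note; the log format, the user names and the source addresses are constructed for illustration, and the lockout threshold of five failures within ten minutes is an assumed policy value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample remote-access (VPN) log lines; the format is assumed, not a real product's.
SAMPLE_LOG = """\
2021-03-01T08:00:01Z vpn user=alice src=203.0.113.10 result=SUCCESS
2021-03-01T08:02:11Z vpn user=bob src=198.51.100.7 result=FAIL
2021-03-01T08:02:40Z vpn user=bob src=198.51.100.7 result=FAIL
2021-03-01T08:03:05Z vpn user=bob src=198.51.100.7 result=FAIL
2021-03-01T08:03:30Z vpn user=bob src=198.51.100.7 result=FAIL
2021-03-01T08:03:55Z vpn user=bob src=198.51.100.7 result=FAIL
2021-03-01T08:04:20Z vpn user=bob src=198.51.100.7 result=SUCCESS
2021-03-01T09:10:00Z vpn user=carol src=192.0.2.5 result=SUCCESS
2021-03-01T09:12:00Z vpn user=carol src=192.0.2.88 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) vpn user=(\S+) src=(\S+) result=(SUCCESS|FAIL)$")


def parse_log(text):
    """Parse log text into (timestamp, user, source, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def review_remote_access(events, max_failures=5, window=timedelta(minutes=10)):
    """Replay the events in time order and return {user: [reasons]} worth a reviewer's attention."""
    findings = defaultdict(list)
    recent_failures = defaultdict(list)   # user -> failure timestamps inside the window
    locked = set()                        # users who reached the lockout threshold
    success_sources = defaultdict(set)    # user -> source addresses seen with SUCCESS
    for ts, user, src, result in sorted(events):
        if user in locked and result == "SUCCESS":
            # Lockout should have blocked this; a success here means it is not being enforced.
            findings[user].append("login succeeded after lockout threshold")
        if result == "FAIL":
            recent = [t for t in recent_failures[user] if ts - t <= window] + [ts]
            recent_failures[user] = recent
            if len(recent) >= max_failures and user not in locked:
                locked.add(user)
                findings[user].append(f"{len(recent)} failed logins within {window}")
        else:
            success_sources[user].add(src)
    for user, srcs in success_sources.items():
        if len(srcs) > 1:   # one account used from several places is worth a second look
            findings[user].append("successful logins from multiple sources: " + ", ".join(sorted(srcs)))
    return dict(findings)
```

Running `review_remote_access(parse_log(SAMPLE_LOG))` flags bob twice (threshold reached, then a success that the lockout should have prevented) and carol once, while alice produces no finding.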

The above guidance note can be accessed via the Publications section of the PCPD website: www.pcpd.org.hk. In addition to the guidance note for organisations, the PCPD has published guidance notes addressing the privacy implications of WFH arrangements for employees, and the use of video conferencing software.