The coronavirus has put pressure on employers to move their offices into their employees’ homes and to rely on various applications and technologies to keep their business running, such as messenger applications, time-tracking tools or videoconferencing systems.
Although the focus at this moment is on business continuity and public health, security risks like data hacking, theft of trade secrets or unauthorised access to commercial information via unsecured connections continue to pose the same level of danger as before the outbreak of the pandemic.
Moreover, as more and more businesses move online amid the social distancing measures, the General Data Protection Regulation (GDPR) continues to regulate the manner in which data pertaining to clients, business partners, site visitors, and even employees is processed and protected by the data controllers.
Given the number of new technologies introduced when implementing telework, it is important to also keep an eye on protecting data systems, on the traceability of the personal data collected and on observance of the data protection principles (e.g. data minimisation: don’t collect more data just because there is economic uncertainty in the market).
Any processing of employee data by the employer in the context of teleworking, for example for monitoring the employee’s activity, must be explicitly notified to the employee in advance, providing the information regulated in art. 12 of the GDPR.
Moreover, it should be noted that national provisions require the employer to consult the employees’ representatives or trade union in advance should it envisage implementing monitoring systems on the devices provided to employees or on the systems used. A privacy assessment must also be performed prior to implementation, addressing the necessity of such means of surveillance and why other, less intrusive forms have not proven effective.
Given that no express derogations from the above regulations have been set forth, they will continue to apply in the same manner.
Company equipment vs. personal equipment
Telework, as defined by the employment legislation, is any activity that can be performed using information technology and other means of communication (e.g. laptops, tablets, mobile telephones). Depending on the specifics of the activity performed or the category of data processed, the employee may use company-provided equipment or personal equipment.
Irrespective of the type of equipment, it is important to ensure the security of data processing (i.e. by way of technical and organisational measures as defined by art. 32 of the GDPR), namely that computers/devices have up-to-date security software and security patch levels, that users are regularly reminded to check patch levels and that adequate IT resources are in place to support employees in case of technical issues while teleworking.
The use of personal equipment for conducting business activity should nevertheless be carefully assessed. In order to ensure the level of security prescribed by the GDPR or other industry-specific regulatory frameworks, employers must ensure the confidentiality of business information while not breaching the employee’s privacy. There have been cases where data security audits found that the IT teams could capture the employee’s browsing activity, transmit login details in plain text and monitor outbound and inbound communications.
Organisational security measures
As emphasised by many DPAs, the burden of data security must also be shared with the employees: employees should receive proper instructions on how to handle personal data or confidential information around family members and how to ensure the physical security of the equipment at home. Ensuring that policies for responding to security incidents and personal data breaches are in place, and that staff are appropriately informed of them, is even more important given the social distancing measures and the fact that support can only be provided remotely.
The Danish data protection authority has recently fined a state municipality for not ensuring the integrity and confidentiality of data: the data was not encrypted and could therefore be accessed very easily by unauthorised persons.
The data protection authority became aware of the matter when the municipality reported a personal data breach: an employee’s work laptop was stolen, and it contained personal data of about 1,600 city government employees, including sensitive information and social security numbers. As the computer was not protected by encryption, the loss of personal data posed an unnecessarily high risk to citizens.
Having regard to the above, data protection compliance continues to be a component of teleworking and requires both technical measures and organisational measures instructing the employee on how to process personal data and how to react in case of a data breach.