Data Protection & Privacy
Since the start of the COVID-19 pandemic, many companies in Hong Kong have allowed their employees to work from home ("WFH") to avoid the risk of contraction of the disease at work.
Data privacy issues arise from such arrangements when employees are required to work on their employer's documents outside the employer's premises, whether those documents are physical hard copies or electronic data that is transferred and processed on employer-provided or personal equipment.
Some of these documents may contain personal data, and employers should be aware of the risk of being in breach of the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO") as a result of the actions of their employees.
In this article, we cover what employers may consider doing to reduce that risk.
Relevant Data Protection Principle
The PDPO sets out 6 data protection principles ("DPPs" or "DPP") which aim to protect the privacy of individuals in relation to their personal data.
Principle 4 of the DPPs is relevant to the WFH situation. Schedule 1 of the PDPO provides:
"Principle 4 – security of personal data
(1) All practicable steps shall be taken to ensure that any personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user is protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to –
(a) the kind of data and the harm that could result if any of those things should occur;
(b) the physical location where the data is stored;
(c) any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
(d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
(e) any measures taken for ensuring the secure transmission of the data."
"Personal Data" means information which relates to a living individual and can be used to identify that individual; and "data user" is a person who, either alone or jointly with other persons, controls the collection, holding, processing or use of personal data.
For example, in the construction industry, contractors may collect information relating to their sub-contractors and the workers on their construction sites. Such information may include names, copies of ID cards, certificates for the specific trades the workers hold, etc. Also, at the entrance to construction sites, contractors may keep records of the names and ID card numbers of persons who have entered the sites. These are examples of personal data which require protection.
Employers should ensure their employees take all practicable steps to comply with the above DPP.
Common activities which may compromise security of data
There are some common activities which may compromise the security of data, or at the very least increase the risk of there being a breach of personal data, whilst employees are working from home.
For example, employees may remotely access their companies' networks using their own personal devices, or may bring electronic or paper documents home for work. Personal electronic devices are generally less secure than their employer's corporate systems and their unregulated use presents a common opportunity for data breaches.
Further, while accessing their companies' networks, whether on corporate systems or not, some employees may not use secured networks. For example, if they work in public places, they may connect to public Wi-Fi networks, which are frequently unsecured and may allow potential attackers to exploit that weakness to gain access to the companies' data.
Some employees may be using personal email accounts or instant messaging applications to send and receive companies' documents or data, or taking paper documents away from the office (which should be avoided if at all possible). Such practices pose serious risks of theft or loss of data.
What can employers do?
Employers should take steps to enhance data security and protection of personal data privacy under WFH arrangements. Steps which employers may consider adopting include, for example:
The Office of the Privacy Commissioner for Personal Data has recently issued three Guidance Notes under the series "Protecting Personal Data under Work-from-Home Arrangements" to provide practical advice to (1) organizations; (2) employees; and (3) users of video conferencing software to enhance data security and the protection of personal data privacy, which can be accessed at the following websites:
Employers are encouraged to familiarise themselves with these guidance notes and to ensure their employees are aware of their duties to protect personal data.
If you wish to discuss this article, please contact Christopher Short or Stephanie Lau.