Teleworking & Personal Data [: and the utopia (?) regarding their protection …]
Telework is a special form of flexible employment, and it holds a special value. Its utilization has, in recent times, been impressive. Yet normal -thanks to the pandemic. It is true that safeguarding personal data has not been our priority. Would it, however, be unrealistic to try to protect them?
Flexible forms of employment and telework: a familiar reality in today’s world.
Flexible forms of employment are gaining ground in the job market. To some extent, they seem to have been demonized by some people. They are, however, a reality. Probably not unpleasant for the vast majority of employees who enjoy the benefits that come with them.
Distance working and (its most common form) teleworking have begun to slowly gain ground, in our country’s labor market. These B.P. (: before the pandemic). We have analyzed common telework in a previous article.
The national legislature has addressed telework in the past. The relevant legislative effort, however, has gaps. However, the application of this form of work had remained at the discretion of both parties involved. Employer and employee had to agree to apply telework.
The need of businesses to utilize the service of their employees is always a given. And this does not change at the time of the pandemic.
The extraordinary circumstances created by coronavirus (SARS-CoV-2) resulted in the adoption of emergency measures. Among them is the employer’s ability to (unilaterally) determine “… that the work provided by the employee in the workplace under an individual contract, will be carried out with the system of remote work” (art. 4 par. 2 of LD/ 11.03.2020).
Working remotely has, in our minds, become identified with teleworking. The latter (: teleworking) has become the necessary means to ensure continuity in the provision of services to a large number of businesses. To continue to employ a large number of employees.
The vast majority of businesses already enjoy its benefits.
As a result (among others of emergency measures), telework has been established-even temporarily. This event is a good omen for its further use and development. And A.P. (: in the era after the Pandemic).
However, the turn to telework for the temporary handling of some emergencies, was not organized. Many businesses appear, even today, poorly prepared: They have to face the challenges as they come. These businesses (and not only them) are exposed to significant risks. Among the most important risks: the risk for the security of personal data.
The risk relating to personal data
Teleworking often involves remote processing of personal data. A processing that does not offer the protection that, as a rule, a corporate network offers. Employees who have remote access to the employer’s infrastructure are not protected by the (cyber) security measures that (usually) cover the business’s facilities. The risk of unauthorized access to personal data appears – and is – increased. Loss, unauthorized use or destruction of relevant data by employees, associates and customers may also occur.
This danger is not unprecedented. It had already been identified by the Working Party (of Article 29) (Opinion 2 / 08.06.2017 on the processing of data at work).
A lot has happened since then. Extraordinary conditions, mass and “knee-jurk” turn to teleworking, the need to raise awareness and inform the controllers, processors, employees regarding the obligations arising from the GDPR and law 4624/2019, were some of those things. All that, among other things, led the Personal Data Protection Authority (DPA) to issue Guidelines. Specifically, in the “Guidelines of the Protection Authority for taking security measures in the context of teleworking”.
The Guidelines of the DPA
The DPA draws attention to the seriousness of the risks posed by remote work. It emphasizes the need for adequate information of employees and valuable assistance of the Controller (DPO-when deemed necessary of such to exist by law). It also points to the obligation of businesses to protect the personal data of their employees. A protection that is particularly important in the case of teleworking. The reason; The blurring of the boundaries between professional and private life. The need to protect the latter. Reasonably, as “the employee, due to the fact that they at home, has a higher expectation for the protection of their private life.”
In addition, the DPA recommends taking specific measures when applying telework. These measures regard: (a) Internet access, (b) the use of e-mail/messaging applications, (c) the use of terminals/storage devices, (d) teleconferencing.
Regarding the Internet access
Ensuring safe remote access to the business’s information system is considered vital. The DPA recommends the use of a virtual private network. A network in which data is encrypted and users are authenticated (eg IPSec VPN). The business must determine and limit the resources to which remote access is allowed. To the absolutely necessary, depending on the duties of each teleworker.
Teleworkers, in turn, need to use a secure WPA2 (Wi-Fi Protected Access II) secure protocol with a strong password when connected to the Internet over a wireless network (Wi-Fi). They should also avoid storing files with personal data on online storage services (eg Dropbox, One Drive). Unless the appropriate conditions are ensured and the appropriate guarantees (eg encryption) …
Regarding the use of e-mail applications / messaging
When addressing e-mails, the DPA points out the need to avoid the use of personal e-mail addresses when teleworking. Receipt and sending of messages, which may contain personal data, must be done through the professional e-mail address of the business. However, there is also the case of technical inability to use the professional e-mail address. In this case, the Authority recommends the need for appropriate encryption of the content of personal data messages. It even reminded that the use of personal data in the subject of the e-mail message should be avoided.
In addition (although it goes without saying) the Authority recommends avoiding the use of messaging applications (text and / or video) for the purposes of teleworking, when these messages contain personal data, the leakage of which would pose a risk.
Regarding the use of a terminal device / storage media
The DPA also emphasizes the special care that the employee must take – always according to the employer’s directions – for the devices (eg computer, laptop, etc.) through which telework is provided.
Indicatively: These devices must have installed and regularly updated antivirus programs. In addition, they must have the latest updates of the software of the applications and operating system installed. Internet browsing programs (eg Firefox, Chrome, etc.) used by teleworkers should also be updated to the most resent versions available. It is also advisable for teleworkers to either use anonymous browsing or delete their browsing history that is related to telework at the end of each task. They must also separate the files that contain personal data (related to their work) from their personal files. It is possible (at least not unlikely) that third parties (members of, for example, the employee’s family) have access to the computers used. For this reason, the devices, but especially the specific files and work environments, must be “locked” (: protected) with strong passwords.
Correspondingly, however, businesses must support teleworkers with appropriate encryption procedures of files that contain personal data. Especially when such files are stored in a portable / detachable storage medium (eg usb stick). Businesses also need to support the backup process. In particular, with regard to personal data files, which are processed in the context of teleworking activities.
With regard to teleconferences
The pandemic was the cause for a significant, further, exploitation of teleconferences and the facilities they offer. However, in terms of teleconferencing, satisfactory measures must be taken to ensure the security of personal data.
The risk of businesses of taking disproportionate measures to protect personal data
In an effort to mitigate the risk of personal data, businesses may be exposed to another risk. A danger lurking on the opposite side. That of obtaining disproportionate, and ultimately illegal, means of personal data protection. In particular, they may consider it justified to use software that has the ability, for example, to record the sequence of keyboard characters and mouse movements, to record screenshots (either randomly or at regular intervals), to record the applications used (and their time of use) and, on compatible devices, activating webcams and collecting recorded material.
These technologies are widely available. However, the Working Party of Article 29 (Opinion 2 / 08.06.2017) has already ruled on them. In particular, it considered that the processing carried out in the context of these technologies is disproportionate. The employer cannot substantiate the legal basis of their legal interest. Such practices are prohibited. Employers must not adopt them (obviously not even) in the context of telework. A pandemic cannot be an excuse.
Teleworking (continues to be) an important tool in dealing with some of the consequences of the pandemic.
Concepts, connection and communication protocols, platforms previously unknown to the general public have already become widely known. To a great extent: familiar. Sometimes even: necessary work tools.
We already know very well that technology tools expand horizons and capabilities. But they also increase risks. Some of the risks increased are related to the management and protection of personal data.
The DPA reminds us of those risks.
In any case: Teleworking is not at any risk from the care for personal data. On the contrary, personal data are at risk from the (careless) use of telework. Their protection, in the context of telework, is not a utopia.
Let us concern with their protection. But not because the “Authority says so”.
The risks we face from their misuse are real.
And closer than we think.
And economically measurable.
Disclaimer: the information provided in this article is not (and is not intended to) constitute legal advice. Legal advice can only be offered by a competent attorney and after the latter takes into consideration all the relevant to your case data that you will provide them with. See here for more details.