The COVID-19 pandemic has greatly affected the way people carry out the duties and responsibilities of their respective careers and professions. In line with the government’s measures to curb the spread of the virus, the Department of Labor and Employment (“DOLE”) encouraged private-sector employers to adapt to the “new normal”, which includes telecommuting.
Telecommuting is defined under Republic Act No. 11165 as a work arrangement that allows an employee in the private sector to work from an alternative workplace with the use of telecommunications and/or computer technologies. As a result, reliance on technology has dramatically multiplied over the past months, as data exchanges are widely carried out over the internet and/or online platforms.
With the sudden spike in its demand, issues on data privacy began to circulate. The National Privacy Commission (“NPC”) emphasizes that the adoption of computer technology in the workplace is not risk-free. To prevent unauthorized access to and improper disposal of documents containing personal data due to unprotected home devices, the NPC released guidelines covering general security measures that organizations and individuals may implement, as provided for under NPC PHE Bulletin No. 12 on 15 May 2020.
Authorized Information Communication Technology (ICT) Assets:
1. Computers and other ICT peripherals.
– Ideally, employers should issue their staff with appropriate ICT resources to adequately perform their duties
2. Removable Devices.
– Personnel are encouraged to only use organization-issued ICT peripherals (such as USB flash drives, USB mouse, USB keyboard, etc.)
3. Software.
– Only software authorized by the organization must be used, and only for official purposes.
4. Proper configuration and security updates.
– Install security patches prior to and while WFH is enforced to prevent cyber security exploits and malicious damage
5. Web Browser Hardening.
– Ensure that your browser is up to date & properly configured.
6. Video conferencing.
– If available, only use video conferencing platforms contracted by your organization, which should pass its privacy and security standards.
Acceptable Use
Organizations must have an Acceptable Use Policy (AUP) that defines allowable personal uses of ICT assets. This may include:
- Personal emails;
- Browsing of news and articles;
- Social media/networking (can be defined in a separate organizational policy); and
- Video streaming.
The AUP should also define unacceptable and unauthorized uses, which may include:
- Uses contrary to laws, customs, mores & ethical behavior;
- Uses for personal benefit, entertainment, profit-oriented, partisan, or hostile activities;
- Uses that damage the integrity, reliability, confidentiality and efficiency of ICT resources; and
- Uses that violate the rights of other users
Access Control
– Personnel access to organization data must only be on a “need-to-know” basis, anchored on pre-defined user profiles, and controlled via a systems management tool.
User Authentication
– Require strong passwords to access personnel credentials and accounts. Passwords must be at least eight (8) characters long, comprising upper- and lower-case letters, numbers and symbols.
Prohibit sharing of passwords.
Set up multifactor authentication for all accounts to deny threat actors immediate control of an account with a compromised password.
Network Security
When organization ICT assets are connected to personal hotspots and/or home Wi-Fis, observe the following:
- Don’t visit malicious webpages. Always look for the “https” prefix on the URL to ensure the connection is encrypted;
- As much as possible, ensure high availability and reliability of internet connection;
- Configure the WiFi Modem or Router; and
- Avoid connecting office computers to public networks, such as coffee shop Wi-Fis. If left with no choice, use a reliable Virtual Private Network (VPN) when connecting
Records and File Security
Set up policies to ensure sensitive data is processed in a protected and confidential manner to prevent unauthorized access, including:
- A records management policy;
- A policy against posting sensitive documents in unauthorized channels, such as social media sites;
- A policy imposing the use of a file’s digital version instead of physical records, whenever possible; and
- A retention policy for processing sensitive data in personal devices
Emails
When transferring sensitive data via email, files and attachments should be encrypted.
Also, ensure that personnel always use the proper “TO, CC and BCC” fields to avoid sending to the wrong recipients or needlessly exposing other people’s email addresses to all recipients.
Physical security
Create workspaces in private areas of the home, or angle work computers in a way that minimizes unauthorized or accidental viewing by others.
- Lock away work devices and physical files in secure storage when not in use.
- Never leave physical documents with sensitive data just lying around, nor use them as “scratch paper”.
Security Incident Management
Personnel must immediately notify their immediate supervisor in case of a potential or actual personal data breach while working from home.
The organization’s Data Protection Officer and/or Data Breach Response Team should immediately be alerted.
It’s better to adopt preventive measures than curative measures. As we venture into various alternatives in conducting our livelihood, specifically telecommuting, we must take into consideration the confidentiality of our personal information.
For further queries on this matter or other legal concerns, you may contact us from Mondays to Fridays, 9:00 AM to 6:00 PM, through our email: solutions@fbrtlawfirm.com.ph, and our website at https://fbrtlawfirm.com.ph/.