Working remotely and Data Protection in the face of a crisis.


You do have a disaster plan, right?

Microsoft and Google offer free access to advanced video-conferencing capabilities to facilitate working from home. How prepared is our private sector?


On March 2, 2020, the Minister of Health and Wellness, Dr. the Hon. Christopher Tufton, delivered a National Statement on COVID-19:


  “we can accept, given the rate of spread, which has seen more than 30 new countries impacted in the last week alone, that Jamaica is not immune to COVID-19.

. . . Jamaica’s assault on COVID-19, for which robust and ongoing public support is critical, is happening on two fronts: Actions to minimize the risk of exposure among the local population; and actions to enhance the capacity of the public health system to manage patients in the event that we have cases.”


British Prime Minister Boris Johnson on March 3, 2020 announced his four-point action plan. “Under the four-point plan – contain, delay, research and mitigate – the government estimates that up to a fifth of the workforce may be absent at the peak of the outbreak. . . . Among the measures that will be deployed once the outbreak is deemed to be at its peak is encouraging greater home working. It is thought this could last for around 12 weeks in order to fully mitigate the spread of coronavirus, while ensuring the country’s ability to continue to run as normally as possible.” Prior to Prime Minister Johnson’s statement, we witnessed the total shutdown of several towns and cities in China, and now in Italy, in an attempt to stop the spread of the disease.


In preparation for the arrival of the deadly virus, the Prime Minister of Jamaica, the Honorable Andrew Holness, on the 5th day of March 2020 convened the National Disaster Risk Management Council in accordance with the Disaster Risk Management Act to treat with the imminent threat of COVID-19 that may occur in Jamaica.


Consistent with what has been done in other countries, it is highly likely that Minister Tufton, in an attempt to minimize the risk of exposure among the local population, will impose similar measures of locking down portions of the corporate area or any other at-risk areas. The Prime Minister went further and, out of an abundance of caution, said that if you are showing symptoms, stay home.


In light of this imminent national disaster, the question arises: what systems have been put in place by the government and businesses to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services? Are there business continuity plans in place to facilitate remote working? Have the necessary risk assessments been conducted to facilitate safe remote working? What technical measures need to be in place to facilitate safe remote working?


The seventh processing standard of the Data Protection Bill, which will apply to all businesses that process personal data, requires that appropriate technical and organizational measures be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. That is how the first draft of the Data Protection Act was drafted; it was, however, subsequently amended to fall in line with Article 32 of the GDPR. Article 32 of the GDPR requires that organisational measures be taken to ensure a level of security appropriate to the risk, including inter alia as appropriate: . . . the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. In other words, there may now be a statutory obligation to ensure that there is a business continuity plan in place as long as your business processes personal data.


The extent to which this forms part of the final draft of the bill remains to be seen. Regardless of whether this forms part of the final bill, data controllers still have an ongoing obligation in processing personal data to ensure that data subjects can access their data promptly. This is all the more important when it comes to sensitive personal data such as medical records. A part of ensuring the resilience of processing systems and services is to facilitate remote working.


A wide range of tools currently exists to help organizations enable their staff members to work remotely. Which tools are suitable depends on the type of industry you are a part of. Knowledge workers will be able to leverage these tools and adopt them much more quickly than other categories of employment.


Cloud Computing to the rescue 

The National Institute of Standards and Technology in the United States defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly supplied and released with minimal management effort or service-provider interaction. In plain English - cloud computing means that your applications or software, data, and computing needs are accessed, stored, and delivered over the Internet or “in the cloud” - sometimes it is free, most times it is for a fee.


The major cloud service models are Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Which one is best for you?


Software as a Service (SaaS) allows users to run a variety of software applications on the Internet. You don't have to worry about the installation, setup and running of the application (e.g., Salesforce.com, Gmail, Microsoft Outlook & Office 365).


Platform as a Service (PaaS) provides a computing platform to support building of web applications and services completely residing on the Internet (e.g., AWS Elastic Beanstalk, Windows Azure, Heroku, Force.com, Google App Engine, Apache Stratos).


Infrastructure as a Service (IaaS) allows the use of computer hardware and system software, including operating systems and communication networks in which the cloud provider is responsible for hardware installation, system configuration, and maintenance (e.g., Amazon EC2, Citrix Cloud Center).


With those definitions out of the way, consider that most organizations already utilize software applications that are specific to their industry to run their business. These applications are either installed locally on computers inside their own offices or deployed via cloud technologies.    


As a general precautionary response, many organizations with offices in higher risk areas have begun to call for employees to work remotely. Cloud software giants Microsoft and Google recently announced various special offers on their conference/meeting software to better support “work from home”. In a recent tweet, Google CEO Sundar Pichai said “We want to help businesses and schools impacted by COVID-19 stay connected: starting this week, we'll roll out free access to our advanced Hangouts Meet video-conferencing capabilities through July 1, 2020 to all G Suite customers globally.”  A Microsoft spokesperson tweeted “At Microsoft, the health and safety of employees, customers, partners and communities is our top priority. By making Teams available to all for free for six months, we hope that we can support public health and safety by making remote work even easier.”


Microsoft’s Office 365 and Google’s G Suite are examples of Software as a Service that offer all the tools necessary for complete remote working facilities, including meetings. Microsoft’s Office 365 includes Outlook, OneDrive, Word, Excel, PowerPoint, OneNote, Teams, and other Microsoft apps. Google’s G Suite includes Gmail, Google Drive, Google Docs, Sheets, Slides, Calendar, Keep, Hangouts, and other Google apps.


Remote access software

If you happen to have business software that is not “cloud ready”, you might still be able to have secure access to your business software from home. Remote access software, or remote control software, lets you remotely control a computer at your office from a computer at your home. This remote control software allows you to take over the mouse and keyboard and use the computer you've connected to just like your own. Examples of remote access software include TeamViewer, LogMeIn, GoToMyPC and RemotePC. Check with whoever is responsible for your IT Security to see which software is approved for use in your organization.


Remote meeting Systems

Access to business applications is one thing, but what about all the meetings with your internal team and those outside of your office? Thankfully, many meeting and conference software applications are available. Microsoft Teams, GoToMeeting, Google Hangouts Meet, Webex Meetings and Zoom are just some of the picks for teleconferencing solutions that can bring everyone together - virtually.


Working from home and using these remote working solutions, however, pose a number of risks to data subjects’ privacy rights:

  • An employee’s family or friends can use the device accessing the organization’s systems and see sensitive information or personal data.
  • Hardcopy material containing personal data used at the remote work site can be lost or stolen.
  • The device itself can be lost or stolen.
  • A device lost or stolen can be used to gain unauthorized access to the organization’s systems.
  • Information can be intercepted during transmission between the organization and the device.
  • The communication channel can be intercepted and used to invade the organization’s environment.
  • An outdated device can be compromised and used to invade the organization’s systems.
  • Information could be copied and extracted from the organization’s environment without anyone knowing.
  • It’s important to note that, although all devices are at risk of being lost or stolen, the nature of mobile devices (e.g., size, portability, and value) increases this risk.

Data controllers, in accordance with the seventh processing standard, will be obliged to ensure the confidentiality and integrity of personal data while making processing systems available remotely. There are some basic actions that can be taken to mitigate the risks associated with remote working.

Create a remote access policy. A remote access policy is simply a set of rules that identify clearly who should have access to what. It should state clearly the names and the responsibilities of every individual who has the right to access the company’s servers. No employees, whether remote or not, should have complete access to the company’s servers or to files they don’t use for their daily tasks.

Implement strong password systems. Implementing strong password policies is a key factor in ensuring data security for your organization. Any access to work-related documents, emails, or the network should be controlled by strong passwords.

The use of public Wi-Fi. Connecting to public Wi-Fi without taking any precautions can put data at risk. Companies that are concerned about their data security should state in their policy that remote workers are not allowed to use public Wi-Fi. In case your remote workers have no other option but to use an unsecured network, make sure they use a VPN and limit file sharing.

Encrypt devices. Encrypt all your remote employees’ devices and enforce data encryption on all devices. You can install encryption software that encrypts the whole disk or only certain files. Another option is to install a remote-wipe app that erases all data when the device gets stolen or lost.

While the nation is preparing for the threat of COVID-19, data controllers/businesses should similarly be refining, if not putting in place, a business continuity plan. In the process of putting a business continuity plan in place, in addition to putting the necessary technologies in place to facilitate remote working, data controllers must be mindful of the obligation to ensure personal data remains confidential. Business continuity plans should be a normal part of your business plan, as Jamaica faces the threat of hurricanes every year and we sit on an active fault line.

This article was co-authored by Christopher Reckord, the CEO of tTech Limited, a company that helps organizations implement and maintain Microsoft Office 365 tools, and Chukwuemeka Cameron, a Data Protection Officer and the founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Feedback can be sent to [email protected] or [email protected]



Nichole Brackett Walters, JP, PCM?

LinkedIn Top Digital Marketing Voice | Marketing Strategist | Consultant | Coach | Mentor | Educator | Entrepreneur - Reaching for the stars…one step at a time!

5 years ago

Very interesting and necessary considerations.
