The above situation will probably sound familiar to most business owners, as businesses around the world have adopted remote, flexible and hybrid working models. But is there a greater risk when staff work remotely and business and client information is potentially accessed outside the relatively safe perimeter of your office?
From a legal perspective, it is important to take note of the Protection of Personal Information Act 4 of 2013 (“POPIA”), which demands much greater protection of the personal information of data subjects, i.e., the persons whose personal information is being processed by a business. A business that processes personal information is a “responsible party” under POPIA and is legally required to regulate how its employees, including those who work remotely, comply with POPIA and with the data security policies and procedures of the business that give effect to this framework of obligations.
Breach of these obligations means not only potential sanctions and penalties, but also serious reputational risk, particularly if the business relies heavily on the trust of its clients. That is why it is essential that every business has a data protection framework in place, or that an existing framework is expanded to accommodate staff working outside the office.
When looking at data protection and the requirements of POPIA, there is no difference in the obligations imposed on staff that work remotely and those that work at the office. All that differs is the work environment, with staff remaining equally responsible to ensure that the business remains compliant with POPIA and the business still being equally liable for any breach of data security by a staff member, whether at the office or at a remote location.
This means that employers should not differentiate between office and remote working employees in their responsibility to ensure data protection. What may differ though, are the policies and procedures that regulate different working environments to achieve the same data protection result. Differences in these documents may be because of different risks posed by the different work environments, and a business would need to assess these risks to accurately address those risks in its data protection framework policies and procedures.
When a business undertakes an assessment of the different remote work environments where its staff work, the following may be useful to keep in mind as part of the assessment (and eventual policy formulation):
- A good starting point is to create awareness among staff of what possible physical risks, cyber threats and human errors may place the business at risk, and to provide guidance on what to do should they find that they have been exposed to these risks or have any related concerns. The responsibilities of the business and its employees in terms of POPIA and their duty to report any possible data breaches to the employer, are also important considerations to bring to the attention of staff.
- We would recommend that your business have a written protection protocol which sets out how staff should conduct themselves when handling business devices and documents (including physical and electronic files). Measures such as the storage of physical files in lockable file cabinets or secure safes, and shredding as a means of disposal, could also be helpful.
- Review any current policies and procedures relating to data security and POPIA and assess to what extent they need to be amended to cover remote working staff. This might include implementing specific conditions for remote working staff to ensure that they understand and guard against risks that are either uncommon in the office environment or have already been effectively mitigated there.
- The importance of keeping a degree of separation between personal and business devices, where possible, cannot be overstated. Where it is necessary to use personal devices for work, those devices should be configured with the same protection measures that are used on business devices.
- Staff should take care not to leave physical files and devices unattended or to give other persons access to them, as unauthorised individuals might in this way gain access to personal information which the business is obliged to keep private and confidential. This means remote working staff will need to carefully consider their remote workspace and make sure that they are not exposing any business information to other persons who work in, live in or otherwise have access to that space.
- Staff should be mindful of the physical security conditions of the remote locations where they choose to work. It may be necessary for businesses to consider setting minimum standards, and establishing guidelines, for employees to qualify for remote working arrangements.
- It may even be prudent for businesses to place restrictions on where certain information can be accessed and by whom, which limits the amount of information that is potentially exposed at any given time. Requiring authorisation for access to information on a need-to-know basis serves the dual purpose of limiting the information that is exposed and keeping a record of when particularly sensitive information is accessed. These restrictions and authorisations may apply to physical files and documentation that staff may want to take home, as well as to information that is held on the business servers but is accessed remotely.
- Secure video or teleconferencing platforms also provide a measure of protection for meetings and calls, particularly those in which personal information will be discussed or shared. It is good practice, if not an essential requirement for all businesses, to use secure networks and to add an extra layer of protection by using virtual private networks (“VPNs”) when remotely accessing the business servers.
- As far as the use of devices (such as cell phones, tablets and laptops) goes, password protection, the installation of anti-virus software and a software firewall, and encryption of the devices themselves and of the networks to which they have access should be treated as baseline measures rather than optional extras.
- Ensure that staff, especially remote working staff, have a clear understanding of what exactly a “data breach” and a “data incident” are, as well as the business’ policies and response plans in this regard. Section 22 of POPIA requires a responsible party to notify the Information Regulator and the affected data subjects as soon as reasonably possible where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, so staff must know to report suspected incidents promptly.
The long and the short of it is that a business cannot escape liability for data breaches, or for non-compliance with POPIA by its staff, purely because those staff are not working at the office. It is the employer’s responsibility to put the necessary policies and procedures in place to make sure that staff know what is expected of them and that remote working locations are regulated and safe to the same extent as the office. This may also include site investigations, regular spot checks and even additional security measures and electronic safeguards to ensure that the necessary protections are in place.
Should your business not have a data security framework in place, or not yet have incorporated remote working staff into this framework, we advise that you contact a data security specialist to assist you with this without delay.