COVID-19: Privacy Concerns of Working from Home

A Massive Disruption

“Disruptive” is a catchy buzzword that has been around for more than two decades. First coined by Professor Clayton M. Christensen of Harvard Business School in 1997, “disruptive technology” refers to an innovative technology that displaces an established technology and shakes up the existing industry. A disruptive technology can also lead to ground-breaking products and services that create completely new industries, e.g. the personal computer displaced the typewriter, the digital camera displaced the film-based camera, and email displaced traditional snail mail.

While there are deliberate strategies, plans and trials to introducing disruptive technologies, products and services, the largely unanticipated COVID-19 pandemic caught the whole world by surprise in early 2020 and led to unprecedented disruption to the way we live, work, learn, play and socialise. In almost every country, governments imposed measures to contain the spread of the dreaded virus such as social distancing, contact tracing, health monitoring and testing, and even going to the extreme of “locking down” entire cities or municipalities where millions of people were ordered to stay at home for weeks or months, except for those who were providing essential services.

What’s Changed?

Even under lockdown conditions (or “circuit breaker” in Singapore government’s parlance), life has to go on, businesses have to continue to function, and schools have to complete their teaching curricula. Within a short span of time, multitudes of people have to learn how to use online technologies and tools to communicate, to do business, to buy and sell, to collaborate in work, to conduct training, and to hold conferences. Traditional brick-and mortar stores have to quickly adapt to setting up e-shops to sell their wares, collect payment and deliver the goods to customers. In short, people have to adapt to working remotely from home.  According to guideline from the government¹, work-from-home remains the default mode of working even as some employees may return to the workplace to better support work and business operations from 28 September 2020.

Privacy Concerns of Working from Home

To a number of organisations and their employees, it is a whole new experience when a large percentage of their work force are "forced" to work from home due to the lockdown. There are privacy concerns they have to be aware of and how to address them, especially when they have to handle the organisation’s personal or sensitive data remotely from their homes. Most employees may not have the luxury of having a dedicated, undisturbed workspace for themselves in their own homes. More likely they have to share the workspace with their family members, be it in the study, bedroom, living room or dining room. Family members may inadvertently view personal or sensitive data displayed on the computer screen or in printed paper documents on the table. Or they may inadvertently overhear confidential conversations on the phone or via video conferencing platforms.

Therefore organisations need to put in place a remote working policy that spells out the do’s and don’ts for their employees to abide by when they are working remotely from home.

Among other things, this policy should contain the following guidelines:

Care of Personal Data

• Only access the type of information in IT application systems and databases which are permitted to be accessed remotely from home
• Only bring out of the office the types of paper documents or files which are permitted to be brought home
• Only use approved computing devices to connect remotely to the organisation’s IT networks, application systems and databases - if the organisation already has a Bring Your Own Device (BYOD) policy, this should be reviewed
• Enable the security features in these computing devices, e.g. VPN, firewall
• Enable the security features in portable storage devices, if these are used, e.g. encryption of USB thumb drives and portable hard disks
• Position the computer screen such that family members cannot view what is displayed without coming close to the screen - use of a privacy filter is recommended
• Make sure that paper documents and files are kept out of view of inquisitive eyes, and secure them in drawers or cabinets when not in use
• Collect printouts from the printer immediately, if the printer is shared with other family members
• Shred all hardcopies that are no longer needed - if there is no shredder at home, tear the papers into tiny bits and put them in an opaque rubbish bag that is tied up securely 
• Follow the organisation’s rules in sharing personal or sensitive data with third parties outside the organisation or outside the country

Use of Video Conferencing Platforms

• Understand the features and limitations of the video conferencing platforms (e.g. Zoom, Webex, Microsoft Teams, Google Meet, Skype) you plan to use, especially the security features - choose the ones that have end-to-end encryption 
• Upgrade to the latest versions with the enhanced security features
• Use a paid version rather than a free version as the latter may not have implemented some of the essential security features
• Be familiar with the settings in the video conferencing platforms and make sure you know when to enable/disable certain settings
• Choose a quiet part of your home to engage in the online meeting so that family members do not eavesdrop on your conversations accidentally - use headphones if possible and do not speak too loudly
• When you are hosting an online meeting, admit participants who sign in with the correct password and make them wait in the waiting room first to verify they are indeed the ones you have invited
• As a host you should control the sharing of screens and content to prevent the so-called “Zoom bombing” where unauthorised person(s) post unsavoury or offensive images
• Do not share personal or sensitive data openly unless those participants in the meeting are entitled to such information
• Do not record the session unless you have notified the participants in advance

Use of Instant Messaging / Chat Groups

• For communicating official business matters via instant messaging / chat groups (e.g. WhatsApp, WeChat, Telegram, Signal), invite only those persons with a ‘need to know’ to join the group
• Do not share personal or sensitive data of one of the members with the whole group unless that particular individual has given his/her consent
• Do not forward such personal or sensitive data outside the group
• Do not use the instant messaging / chat group as a medium to attach documents containing personal or sensitive data - use secure email or password-protected shared drives/folders instead
• Do not allow your family member to have access to the instant messaging / chat groups on your mobile device by password-protecting your device

In addition to the remote working policy, organisations have to communicate information security guidelines to their employees working from home. As more and more people are using online networks, platforms and systems to collaborate in work, share confidential and sensitive information, and conduct virtual meetings, hackers are also working equally hard to exploit the network and system vulnerabilities. Hackers are well aware that the wireless networks and routers in the homes usually have weaker security controls compared with those deployed in corporate or business settings. So here are some of the main preventive measures which organisations should require of their employees working from home:

• Turn on the firewall in the home computer and access the organisation’s IT networks and systems via VPN or other secure channels - change the login ID and password regularly according to the organisation’s password policy
• Update the anti-virus software in the home computer to the latest version
• Make sure that the login ID and password of the home wireless equipment are not the default ones from the day the equipment was first bought - change these immediately if you have not done so
• Do not share your personal computer for business use with any of your family member - to prevent the risk of corrupting the data in the hard disk due to improper use or the infiltration of malware due to visiting dubious websites or downloading unsafe content

A “New Normal” in Working from Home?

As at this point of writing, 2 June 2020, Singapore’s circuit-breaker measures have been in place for two months and is gradually being relaxed with the re-opening of schools and certain businesses. There has been an announcement of vaccination available for the population.  Even before that happens, a new strain of COVID-19 virus has been found circulating in the UK.  Whether this is going to be the “new normal” remains to be seen. But one thing is for sure, as long as the COVID-19 pandemic continues unabated with new affected cases each day, working from home is the most likely mode. And some companies are planning to factor working from home as an alternative work arrangement as they have experienced for themselves that it is workable and work gets done. Who knows, in days to come, not all employees may be required to commute to the office to work, they can work from home.

by: By Kevin Shepherdson, CEO, Straits Interactive Pte Ltd,  CIPM, CIPP/A, CIPP/E, CIPT, FIP, Exin (GDPR, Infosec), GRCP, 

The views and opinions expressed in this article are summarised as interpreted by the author and may not necessarily reflect the official view or position of DPEXNetwork nor the PDPC.

1 -    https://www.mom.gov.sg/covid-19/requirements-for-safe-management-measures