Case Notes

Loss of notebook computer containing work files – DPP 4 – security of personal data

Background

A government department reported to the PCPD that a staff member lost an official notebook computer on public transport. The computer, provided to the staff member for work-from-home (WFH) arrangement, contained encrypted personal data (names, email addresses, posts, and staff numbers) of about 400 staff members of the department.

Remedial Measures

While encryption lowered the risk of unauthorised access to the personal data, the department reminded staff to take extra care in handling official portable devices.

Besides, the department requested staff to access work files through VPN connection instead of storing work files locally when practicable.

Lesson learnt

The outbreak of COVID-19 prompted organisations to adopt WFH arrangement, making personal data more susceptible to breach. In November 2020, the Privacy Commissioner issued three “Protecting Personal Data under Work-from-Home Arrangements” Guidance Notes. They provided practical advice for organisations, employees and users of video conferencing software to enhance data security and personal data protection.

Organisations may make reference to these Guidance Notes when reviewing their WFH policies. Generally speaking, organisations should:

• Set out clear policies on the handling of data (including personal data) in WFH arrangements;
• Take all reasonably practicable steps to ensure the security of data, in particular when information and communication technology is adopted, or when employees possess source or copies of data and documents to work from home;
• Provide sufficient training and support to employees; and
• Ensure the security of the data stored in the electronic devices provided to employees.

(Uploaded in June 2022)