"Work-from-home Brings New Challenges to Data Protection" -- Privacy Commissioner's article contribution at Hong Kong Lawyer (April 2022)

The surge of Omicron cases in early 2022 serves as a bitter reminder to us that the COVID-19 pandemic is still severe. Organisations which had asked their staff to resume working in offices in 2021 have to revert to work-from-home (WFH) arrangements now. Since the pandemic began, some organisations have acquired experience in implementing WFH. That said, the transfer of electronic or physical data between office and home leads ineluctably to a higher risk of data breaches. In addition, cybersecurity threats, such as hacking and malware, remain an issue of concern.

WFH Arrangements and Data Breaches

Whilst WFH arrangements can reduce the risk of transmission of the coronavirus variant, they carry inherent risks of data breaches. A global survey (covering respondents in Hong Kong) conducted in mid-2021 revealed that 85% of organisations with WFH policies had experienced network security breaches, 20% higher than those with the majority of staff working from offices. When it comes to mitigation, it is reported that organisations with more than half of their employees working from home took 58 days longer to identify and contain breaches.

Different surveys and studies have highlighted several reasons why WFH arrangements have made organisations more vulnerable to data breaches. For example, employees may misuse corporate devices for non-work purposes. A survey in 2021 found that more than 50% of employees in the United Kingdom and the United States used company devices for activities not related to work, such as online shopping. A lack of awareness and training also contributes to the risk. Another survey in 2021 showed that nearly 50% of office workers aged 18 to 24 considered security policies a hindrance, and only about 36% had received training on protecting their home networks.

Behind the massive cyberattack on a major American oil pipeline company last year, which resulted in fuel shortages in the United States and cost the company a colossal ransom, the hacker was believed to have gained access to the company’s networks through an abandoned virtual private network (VPN) account with compromised passwords. The company also reportedly failed to activate multi-factor authentication for the accounts.

Regardless of whether the pandemic dies down within this year, it appears that remote work environments are irreversibly becoming a new normal. Back in November 2020, almost a year into the pandemic, Bill Gates predicted that “over 30% of days in the office will go away.” Locally, a survey conducted by the Hong Kong Productivity Council in 2021 showed that 62% of the employers surveyed were considering implementing a hybrid work mode permanently. It therefore remains pivotal for different parties, organisations and employees in particular, to ramp up efforts to ensure data security when working remotely.

Tips to Safeguard Personal Data

For organisations, when they implement WFH arrangements, they should assess the risks of data security and personal data privacy and devise protection measures correspondingly. As far as practicable, they should provide employees with corporate electronic devices (such as smartphones and notebook computers), and ensure that appropriate security settings be enabled for the devices. In view of the risk entailed in the use of remote access, it is advisable for organisations to devise policies and guidance on the transfer of data and documents, remote access to corporate networks, and handling of data breach incidents. They should also ensure that appropriate security settings be adopted for VPNs. Finally, organisations should always consider providing employees with suitable training on, among others, password management, encryption and awareness of cybersecurity threats.
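As an added illustration of two of the failings described above (a dormant VPN account left enabled, and accounts without multi-factor authentication), the following Python script, which is not part of the original column, audits a constructed export of VPN accounts and flags both conditions for remediation; the account fields and the 90-day dormancy threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class VpnAccount:
    """One row of a hypothetical VPN account export (assumed field names)."""
    user: str
    enabled: bool
    mfa_enabled: bool
    last_login: Optional[date]   # None means the account has never logged in


# Constructed sample export for illustration only; not real account data.
ACCOUNTS = [
    VpnAccount("a.chan", True, True, date(2022, 3, 30)),
    VpnAccount("contractor-2019", True, False, date(2019, 11, 2)),  # abandoned
    VpnAccount("svc-backup", True, False, None),                    # never used
    VpnAccount("b.lee", False, False, date(2020, 6, 1)),            # already disabled
    VpnAccount("c.wong", True, False, date(2022, 3, 28)),           # active, no MFA
]


def audit_vpn_accounts(accounts: List[VpnAccount], today: date,
                       dormant_days: int = 90) -> Dict[str, List[str]]:
    """Return enabled accounts that are dormant and enabled accounts lacking MFA.

    Dormant: never logged in, or last login more than `dormant_days` ago.
    Disabled accounts are skipped because they pose no remote-access risk.
    """
    dormant, no_mfa = [], []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            dormant.append(acct.user)
        if not acct.mfa_enabled:
            no_mfa.append(acct.user)
    return {"dormant": sorted(dormant), "no_mfa": sorted(no_mfa)}


def sample_report() -> Dict[str, List[str]]:
    """Run the audit over the constructed export as of 1 April 2022."""
    return audit_vpn_accounts(ACCOUNTS, date(2022, 4, 1))


if __name__ == "__main__":
    for finding, users in sample_report().items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

Accounts in the dormant list are candidates for disabling; those in the no_mfa list should have multi-factor authentication enforced before they are allowed to connect again.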

Employees should also do their part while working from home. They should adhere to employers’ policies on data handling. Insofar as practicable, they should only use corporate electronic devices and email accounts for work. When connecting to the internet at home, it is desirable that they ensure that their Wi-Fi connections are secure, such as by adopting the WPA3 or WPA2 security protocols. More importantly, they should avoid using public Wi-Fi for work.

Whilst video conferencing allows us to stay connected, users should choose a platform with adequate data security functions, and consider using those providing end-to-end encryption. Users are advised to safeguard their accounts by setting up strong passwords and activating multi-factor authentication, and ensure that the video teleconferencing (VTC) software be up-to-date, with the latest security patches installed. It is always desirable for the host of video conferences to set up a unique meeting ID and a strong password for each conference, and use the virtual waiting room function to validate participants’ identities.

Privacy Expectations of VTC Companies

Given the privacy risks associated with video conferencing, my office, apart from issuing practical guidance to VTC users, joined forces with the data protection authorities of five other jurisdictions (namely, the United Kingdom, Australia, Canada, Gibraltar and Switzerland) to issue an open letter in July 2020 to VTC companies, reminding them of their obligations to comply with the applicable laws and to handle users’ personal data in a responsible manner. The letter also identified some areas of concern, including data security, privacy by design and default, transparency and fairness, and end-user control. Positive responses were received from major VTC companies, which subsequently adopted various privacy and security practices.

In October 2021, the six authorities published a joint statement which identified possible areas for VTC companies to further improve their data protection practices, such as making end-to-end encryption available to all users, only processing users’ information for a secondary purpose if users are explicitly informed and have expressly opted in, and being fully transparent with users on the locations where data is stored, to name a few.

On a separate note, to enhance public understanding of the necessary data security measures under WFH arrangements, we have also published a leaflet entitled “Protecting Personal Data under Work-from-Home Arrangements”, which is available for downloading at https://www.pcpd.org.hk/english/resources_centre/publications/files/wfh_pamphlet_eng.pdf