The protection of personal data in a teleworking situation

Recommendations for companies responsible for processing personal data in the face of the teleworking situation in which their employees are operating during the state of alarm decreed to deal with the COVID-19 health crisis.

As a result of the present situation caused by the state of alarm in which we find ourselves, there are many companies that, in compliance with the compulsory confinement and in order to try to reduce as much as possible the impact of such a circumstance on their results, have been forced to implement a teleworking system so that their employees can continue to carry out their activity.

The teleworking scenario represents a new way of doing business for organisations that had not previously implemented this system. This entails the emergence of new risks and threats in terms of personal data protection, as employees are working with different means and resources than usual.

This is why the Spanish Data Protection Agency (AEPD) has published a series of recommendations to protect personal data in situations of mobility and teleworking, aimed at both those responsible for processing and employees, which we summarise in this text.

Recommendations for data controllers:

1. Define an information protection policy for mobility situations
A policy should be defined for mobility situations, telework in this case, which should be based on the company’s own data protection and information security policy. This policy must contemplate the specific needs and risks applicable to the telework situation, as well as establish what forms of remote access are allowed, through what devices and the level of access permitted, taking into account the role and functions of each worker.

Functional guides adapted in accordance with these policies must be provided in order to train workers in this area, including a series of recommendations on how to proceed and informing them of the new risks and threats that exist in the new situation concerning both the workers themselves and the other interested parties from whom personal data may be processed.

A company contact point must be established to which any incident regarding data protection can be reported and the appropriate channels for doing so must be indicated.

Employees should be made to sign a teleworking agreement in which they undertake to comply with privacy and data protection policies and guidelines.

2. Choosing reliable and guaranteed solutions and service providers
It is necessary to select suppliers of applications, solutions and other processes that facilitate teleworking, who offer sufficient guarantees in terms of data protection, requiring the signing of a data processor contract or similar document that complies with the requirements of Article 28.3 of the RGPD in the event that such a supplier has access to the personal data for which the company is responsible.

3. Restricting access to information
Access to information and various company documents should be restricted according to the responsibility and role of each employee, with even greater restrictions being desirable than in normal office situations. Such restrictions should also be designed taking into account the type of device through which it is accessed and the security guarantees it offers.

4. Periodically configure the equipment and devices used
Remote access servers must be reviewed, updated and configured to comply with the security policy designed for teleworking.

In this sense, it is necessary to update at application and operating system level, disable services that are not necessary, install only applications authorized by the company, have updated antivirus, have local firewalls activated, make use only of communications and ports necessary for the development of tasks, incorporate information encryption mechanisms and have a default configuration of minimum privileges set by the ICT services that cannot be deactivated by employees.

The use of personal devices should be limited as much as possible, as it increases the risk of not incorporating the same security controls as corporate equipment.

5. Monitor access to the corporate network from the outside
Monitoring systems should be established to identify abnormal patterns of behaviour in network traffic carried over remote access in order to prevent the spread of malware over the corporate network and unauthorised access to resources.

Employees must be informed of the scope of these control and supervision activities, and in the event that they are also used to control the compliance of workers’ work obligations, they must be informed in advance and in a clear, express and concise manner of the measures adopted within the framework of the control functions provided for in the Workers’ Statute. These measures must respect the digital rights provided for in the LOPDGDD.

The relevant supervisory authority and, where appropriate, the data subjects must be informed in the event of a security breach.

6. Rational management of data protection and security
The privacy policy and the measures and safeguards included in it should be based on a prior risk analysis which has weighed up the proportionality between the benefits of telework for the company and the stakeholders and the potential impact of a security gap due to the circumstances in which it is operated.

Recommendations addressed to employees:

1. Respect the information protection policy in situations of mobility defined by the company
The employee must be aware of the measures and recommendations contained in the data protection and security guidelines and policy provided by the company and act in accordance with them, ensuring the security and confidentiality of personal data to which they have access in the performance of their work tasks.

2. Protecting the device used in teleworking and access to it
You must use secure access passwords different to those used in the personal area, not download applications or software not authorized by the company, avoid connecting the devices to the corporate network from public places or non-secure WIFI networks, not use the corporate devices for personal use, check the legitimacy of the communications received, have an active and updated antivirus and disconnect the device once the work tasks are completed.

3. Ensuring the protection of the information being processed
The confidentiality of the information handled must be guaranteed. To this end, the use of information in paper format should be minimised as much as possible and its correct destruction should be ensured when it is no longer useful, and precautions should be taken with regard to unauthorised access to the information.

4. Save the information in the enabled network spaces
It is advisable to avoid storing information locally on the device used, preferring to use the cloud storage platforms made available by the company.

In the event of using a personal device, do not under any circumstances use applications that have not been authorised by the company.

5. Immediately report the security breach if you suspect that information may have been compromised
Any anomaly that may affect the security of the information and personal data processed must be notified to the person responsible or, where appropriate, the data protection delegate, as soon as possible and through the channels specified by the company in the guides and privacy policies designed.

From AddVANTE’s Commercial Department we remain at your disposal for further information or to resolve any doubts that may arise in relation to this article.