NPC PHE Bulletin No. 12: Protecting Personal Data in a Work From Home Arrangement

May 15, 2020 | 10:26 AM GMT+0800 Last Edit: May 15, 2020

As the Philippines was placed under varying levels of community quarantine to address the COVID-19 pandemic, organizations in the government and private sector implemented a work from home (WFH) setup, which is a type of telecommuting. Republic Act 11165 or the Telecommuting Act defines telecommuting as a “work arrangement that allows an employee in the private sector to work from an alternative workplace with the use of telecommunications and/or computer technologies.”

Given the public health emergency that the country faces, the National Privacy Commission (NPC) supports the adoption of the WFH set up as a viable strategy to balance the need to preserve the health and well-being of an organization’s workforce with the need to continuously operate and provide services to the public.

WFH and other telecommuting modes, is a management option determined by the organization as part of its Business Continuity Plan to facilitate organizational operations to continuously deliver work in the face of events such as typhoons, public safety or public health emergencies.

This setup, however, is not risk-free. Unauthorized access to and improper disposal of documents containing personal data due to unprotected home devices and physical files are just some of the potential dangers that come with it.

Thus, the NPC advises organizations operating under a WFH setup and other modes of telecommuting, to consider the following measures to ensure that the data privacy of data subjects remain protected.

These guidelines cover general security measures that organizations and individuals working on their own can take, not only during the pandemic but whenever a telecommuting arrangement is implemented.

GUIDELINES

Authorized Information Communication Technology (ICT) Assets. Organizations are responsible for making sure telecommuting employees are provided the proper ICT assets. In return, employees are accountable and responsible for the physical care of those assets.

  1. Computers and other ICT peripherals. Employers should issue their staff with appropriate ICT resources to adequately perform their duties.

    Personal devices may be used if provision of organization-owned ICT resources is impractical. Such practice, however, must be governed by the organization’s Bring Your Own Devices (BYOD) policy.

  2. Removable Devices. Personnel are encouraged to only use organization-issued ICT peripherals (such as USB flash drives, USB mouse, USB keyboard, etc.) When using portable media, (such as disks or USB flash drives) to store or transfer data, the use of data encryption must be ensured.

  3. Software. Only softwares authorized by the organization must be used and only for official purposes. Avoid storing the organization’s digital files, including those with personal data, on external services and softwares.

  4. Proper configuration and security updates. Install security patches prior to and while WFH is enforced to prevent cyber security exploits and malicious damage, including the following:

    • Automatic update & installation of operating system security patches
    • Periodic scheduling & scanning of authorized antivirus software
    • Automatic update, installation & configuration of web browser and its preferences
    • Automatic update & installation of personal productivity softwares (i.e., word processor, spreadsheet processor, presentation software, etc.)
    • Update and configuration of video conferencing software / platform
  5. Web Browser Hardening. Ensure that your browser is up to date & properly configured.

    Below are the configurations for popular browsers.

    Measures Chrome configuration Firefox configuration Edge configuration

    Browse in private

    Use Incognito Window and delete private data when exiting browser

    Use Private Window and delete private data when exiting browser

    Use InPrivate Window and delete private data when exiting browser

    Disable autofill of passwords and information

    In Settings, disable Autofill Passwords, Payment methods, Addresses and more

    In the Privacy and Security tab, disable Ask to save login and passwords; Enable Suggest and generate strong passwords; Enable Suggest and generate strong passwords

    In Profiles, disable offer to save passwords and save and fill information

    Prevent tracking

    Enable “Do Not Track” request with your browsing traffic

    Enable strict enhanced tracking protection;

    Set to “Always” send websites a “Do Not Track” signal that you don’t want to be tracked

    Enable Strict Tracking Prevention
    Check password exposure in breaches Warn you if passwords are exposed in a data breach Show alerts about passwords for breached websites Not applicable
    Control permissions Set all to “Ask before accessing” Set all permissions to “Block” by default Set all to “Ask first” Set all to “Ask first”
  6. Video conferencing. If available, only use video conferencing platforms contracted by your organization, which should pass its privacy and security standards.

When availing of free platforms, use only an up-to-date version, one that offers adequate privacy & security features, and is properly configured:

  • Set your meeting ‘private’ by default. Do not reveal meeting IDs in public domains
  • Require meeting participants a password upon joining
  • Make sure the meeting host is notified when people join and verifies identity of each
  • Carefully control screen sharing & recording
  • Keep cameras & microphones turned off, unless when speaking
  • Avoid transferring files

Acceptable Use. Organizations must have an Acceptable Use Policy (AUP) that defines allowable personal uses of ICT assets. This may include:

  • Personal emails
  • Browsing of news and articles
  • Social media/networking (can be defined in a separate organizational policy)
  • Video streaming

While organization ICT assets should only be used for authorized purposes, the AUP must acknowledge that occasional personal use by employees may occur without adverse effect to the organization’s interests.

The AUP should also define unacceptable and unauthorized uses, which may include:

  • Uses contrary to laws, customs, mores & ethical behavior
  • Uses for personal benefit, entertainment, profit-oriented, partisan, or hostile activities.
  • Uses that damage the integrity, reliability, confidentiality and efficiency of ICT resources
  • Uses that violate the rights of other users

Access Control. Personnel access to organization data must only be on a “need-to-know-basis”, anchored on pre-defined user profiles and controlled via a systems management tool.

User Authentication. Require strong passwords to access personnel credentials and accounts. Passwords must be at least eight (8) characters long, comprising of upper- and lower-case letters, numbers and symbols. Prohibit sharing of passwords. Set up multifactor authentication for all accounts to deny threat actors immediate control of an account with a compromised password.

Network Security. When organization ICT assets are connected to personal hotspots and/or home Wi-Fis, observe the following:

  • Don’t visit malicious webpages. Always look for the “https” prefix on the URL to ensure it is encrypted. Also, inspect the site’s certificate manually to validate owner identity.
  • As much as possible, ensure high availability and reliability of internet connection.
  • Configure the WiFi Modem or Router. Review and configure the following:
    • Current devices connected;
    • Encryption/Security: Wi-Fi Protected Access 2 (WPA2) Advanced Encryption Standard (AES) with a strong password.
  • Avoid connecting office computers to public networks, such as coffee shop Wi-Fis. If left with no choice, use a reliable Virtual Private Network (VPN) when connecting.

Records and File Security. Set up policies to ensure sensitive data is processed in a protected and confidential manner to prevent unauthorized access, including:

  • A records management policy
  • A policy against posting sensitive documents in unauthorized channels, such as social media sites
  • A policy imposing the use of a file’s digital version instead of physical records, whenever possible
  • A retention policy for processing sensitive data in personal devices.

Emails. When transferring sensitive data via email, encryption of files and attachments should be done. Also, ensure that personnel always use the proper “TO, CC and BCC” fields to avoid sending to wrong recipients or needlessly expose other people’s email addresses to all recipients.

Physical security. Create workspaces in private areas of the home, or angle work computers in a way that minimizes unauthorized or accidental viewing by others.

  • Lock away work devices and physical files in secure storage when not in use. Should there be a need to print documents, the personnel must ensure that physical and digital documents are properly handled and disposed of – in accordance with office policy.
  • Never leave physical documents with sensitive data just lying around, nor use them as a “scratch paper”.

Security Incident Management. Personnel must immediately notify his or her immediate supervisor in case of a potential or actual personal data breach while working from home. The organization’s Data Protection Officer and/or Data Breach Response Team should immediately be alerted.

For further guidance, please review the NPC Circular on Personal Data Breach Management (click here).



RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner

# # #