By: Bounteous M. Servito
Since a lot of organizations in the government and private sector are now adopting a work from home (WFH) set up during this pandemic, the National Privacy Commission (NPC) issued NPC PHE Bulletin No. 12 on May 15, 2020, advising organizations operating under different modes of telecommuting to consider certain measures to ensure that the data privacy of data subjects remains protected.
NPC warns the public that unauthorized access to and improper disposal of documents containing personal data due to unprotected home devices and physical files are just some of the potential dangers that come with a WFH setup. Hence, NPC provided guidelines that cover general security measures that organizations and individuals working on their own can take.
Below are the Frequently Asked Questions (FAQs) relating to how we can protect personal data under telecommuting arrangements.
Personal Information and Sensitive Personal Information
Q: What is personal information?
A: Republic Act No. 10173 or the Data Privacy Act defines “personal information” as any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Q: What is sensitive personal information?
A: Sensitive personal information refers to personal information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.
Q: What is the basis for the protection of personal and sensitive personal information?
A: The Right to Information and Communications Privacy is recognized under Article III, Sec. 3(1) of the Constitution which states that the privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.
Q: What are the unauthorized acts punishable under the Data Privacy Act?
A: The Data Privacy Act enumerates the following as acts punishable by imprisonment and fine: processing of personal or sensitive personal information without the consent of the data subject or existing laws, accessing personal and sensitive personal information due to negligence, improperly disposing of personal and sensitive personal information, processing of personal and sensitive personal information for unauthorized purposes, unauthorized access or intentional breach, malicious disclosure, and unauthorized disclosure.
Information Protection in a WFH Arrangement
Q: What is a Work from Home setup?
A: A WFH setup is a type of telecommuting. Under Republic Act 11165 or the Telecommuting Act, telecommuting is defined “as a work arrangement that allows an employee in the private sector to work from an alternative workplace with the use of telecommunications and/or computer technologies.”
Q: What are the responsibilities of employer organizations and their employees under a WFH arrangement?
A: Employers should issue their staff with appropriate Information Communication Technology (ICT) assets to perform their duties. In return, employees are accountable and responsible for the physical care of those assets.
Q: What if issuing ICT assets to employees is impractical for the organization?
A: Personal devices may be used if provision of organization-owned ICT resources is impractical. Such practice, however, must be governed by the organization’s Bring Your Own Devices (BYOD) policy.
Q: Is it safe for employees to use their personal devices for work?
A: No. Personnel are encouraged to only use organization-issued ICT peripherals (such as USB flash drives, USB mouse, USB keyboard, etc.) When using portable media, (such as disks or USB flash drives) to store or transfer data, the use of data encryption must be ensured.
Q: What video conferencing platforms should employees use?
A: If available, only use video conferencing platforms contracted by your organization, which should pass its privacy and security standards.
Q: How can employees protect data and information when using free video conferencing platforms?
A: When availing of free platforms, employees should use only an up-to-date version, one that offers adequate privacy & security features, and is properly configured. Individuals are advised to:
- Set your meeting “private” by default. Do not reveal meeting IDs in public domains
- Require meeting participants a password upon joining
- Make sure the meeting host is notified when people join and verifies identity of each
- Carefully control screen sharing & recording
- Keep cameras & microphones turned off, unless when speaking
- Avoid transferring files
Q: How could employees ensure network security when ICT assets are connected to personal hotspots and/or home Wi-Fis?
A: Employees should make sure to observe the following:
- Don’t visit malicious webpages. Always look for the “https” prefix on the URL to ensure it is encrypted. Also, inspect the site’s certificate manually to validate owner identity.
- As much as possible, ensure high availability and reliability of internet connection.
- Configure the WiFi Modem or Router. Review and configure the following:
- Current devices connected;
- Encryption/Security: Wi-Fi Protected Access 2 (WPA2) Advanced Encryption Standard (AES) with a strong password.
- Avoid connecting office computers to public networks, such as coffee shop Wi-Fis. If left with no choice, use a reliable Virtual Private Network (VPN) when connecting.
Q: How would employees know the acceptable use of ICT assets?
A: Employees must be aware of the organizations’ Acceptable Use Policy (AUP) that defines allowable personal uses of ICT assets. This may include:
- Personal emails
- Browsing of news and articles
- Social media/networking (can be defined in a separate organizational policy)
- Video streaming
Q: How could individuals physically secure data and information?
A: Create workspaces in private areas of the home, or angle work computers in a way that minimizes unauthorized or accidental viewing by others. Consider also the following:
- Lock away work devices and physical files in secure storage when not in use. Should there be a need to print documents, the personnel must ensure that physical and digital documents are properly handled and disposed of – in accordance with office policy.
- Never leave physical documents with sensitive data just lying around, nor use them as a “scratch paper”.
Q: What should one do in case of a potential or actual personal data breach while working from home?
A: Personnel must immediately notify his or her immediate supervisor. The organization’s Data Protection Officer and/or Data Breach Response Team should immediately be alerted.
Q: How could organizations limit the employees’ personal use of the ICT assets?
A: Organizations should have an Acceptable Use Policy (AUP) that defines allowable personal uses of ICT assets. The AUP must however have an acknowledgement that, while organization ICT assets should be used for authorized purposes, occasional personal use by employees may occur without adverse effect to the organization’s interests. Also, the AUP should also define unacceptable and unauthorized uses, which may include:
- Uses contrary to laws, customs, mores & ethical behavior
- Uses for personal benefit, entertainment, profit-oriented, partisan, or hostile activities
- Uses that damage the integrity, reliability, confidentiality and efficiency of ICT resources
- Uses that violate the rights of other users
Q: How could employer organizations control access to organization data?
A; Personnel access to organization data must only be on a “need-to-know-basis”, anchored on pre-defined user profiles and controlled via a systems management tool.
Q: How could users be authenticated?
A: Require strong password to access personnel credentials and accounts. Passwords must be at least eight (8) characters long, comprising of upper- and lower-case letters, numbers, and symbols. Prohibit sharing of passwords. Set up multifactor authentication for all accounts to deny threat actors immediate control of an account with a compromised password.
Q: How could records and files be secured?
A: Policies should be set up to ensure sensitive data is processed in a protected and confidential manner to prevent unauthorized access, including:
- A records management policy
- A policy against posting sensitive documents in unauthorized channels, such as social media sites
- A policy imposing the use of a file’s digital version instead of physical records, whenever possible
- A retention policy for processing sensitive data in personal devices.
Q: How could emails be protected?
A: When transferring sensitive data via email, encryption of files and attachments should be done. Also, ensure that personnel always use the proper “TO, CC and BCC” fields to avoid sending to wrong recipients or needlessly expose other people’s email addresses to all recipients.
Software, updates, and configurations
Q: Is it advised for employees to use external software?
A: No. Only software authorized by the organization must be used and only for official purposes. Avoid storing the organization’s digital files, including those with personal data, on external services and software.
Q: Is it advised for employees to install security patches and application updates?
A: Yes. Security patches shall be installed prior to and while WFH is enforced to prevent cyber security exploits and malicious damage, including the following:
- Automatic update & installation of operating system security patches
- Periodic scheduling & scanning of authorized antivirus software
- Automatic update, installation & configuration of web browser and its preferences
- Automatic update & installation of personal productivity software (i.e. word processor, spreadsheet processor, presentation software, etc.)
- Update and configuration of video conferencing software/platform.
Q: What are the configurations for popular web browsers?
A: Below are the proper configurations for popular web browsers:
|Measures||Chrome configuration||Firefox configuration||Edge configuration|
|Browse in private||Use incognito Window and delete private data when exiting browser||Use Private Window and delete private data when exiting browser||Use InPrivate Window and delete private data when exiting browser|
|Disable autofill of password and information||In Settings, disable Autofill Passwords, Payment methods, Addresses and more||In the Privacy and Security tab, disable Ask to save login and passwords; Enable Suggest and generate strong passwords||In Profiles, disable offer to save passwords and save and fill information|
|Prevent tracking||Enable “Do Not Track” request with your browsing traffic||Enable strict enhanced tracking protection’ Set to “Always” send websites a “Do Not Track” signal that you don’t want to be tracked||Enable Strict Tracking Prevention|
|Check password exposure in breaches||Warn you if passwords are exposed in a data breach||Show alerts about passwords for breached websites||Not applicable|
|Control permissions||Set all to “Ask before accessing”||Set all permissions to “Block” by default; Set all to “Ask first”||Set all to “Ask first”|
Given all of these data privacy guidelines, it is expected that more employees and companies will be sensitive to keeping appropriate information confidential as they surf in the next normal.