The National Privacy Commission (NPC) has issued guidelines on data protection in work from home (WFH) arrangements (NPC PHE Bulletin No. 12 on “Protecting Personal Data in a Work from Home Arrangement; issued May 15, 2020). The full text of the guidelines can be found here: https://www.privacy.gov.ph/2020/05/npc-phe-bulletin-no-12-protecting-personal-data-in-a-work-from-home-arrangement/.
The following are some of the key points of the NPC’s WFH guidelines:
- 1. Authorized Information Communication Technology (ICT) Assets. Organizations are responsible for making sure telecommuting employees are provided the proper ICT assets. In return, the employees are accountable and responsible for the physical care of those assets.
- a. Computer and other ICT peripherals. Employers should issue their staff with appropriate ICT resources to adequately perform their duties. Personal devices may be used if provision of organization-owned ICT resources is impractical. Such practice, however, must be governed by the organization’s Bring Your Own Devices (BYOD) policy.
- b. Removable Devices. Personnel are encouraged to only use organization-issued ICT peripherals (such as USB flash drives, USB mouse, USB keyboard, etc.). When using portable media (such as disks or USB flash drives) to store or transfer data, the use of data encryption must be ensured.
- c. Software. Only software authorized by the organization must be used and only for official purposes. Avoid storing the organization’s digital files, including those with personal data, on external services and software.
- d. Proper configuration and security updates. Install security patches prior to and while WFH is enforced to prevent cyber security exploits and malicious damage.
- e. Web Browser Hardening. Ensure that your browser is up to date and properly configured. The NPC bulletin lists the configurations for popular browsers such as Chrome, Firefox, and Edge.
- f. Video conferencing. If available, only use video conferencing platforms contracted by your organization, which should pass its privacy and security standards. When availing of free platforms, use only an up-to-date version, one that offers adequate privacy and security features, and is properly configured.
- 2. Acceptable Use. Organizations must have an Acceptable Use Policy (“AUP”) that defines allowable personal uses of ICT assets. While organization ICT assets should only be used for authorized purposes, the AUP must acknowledge that occasional personal use by employees may occur without adverse effect to the organization’s interests. The AUP should also define unacceptable and unauthorized uses.
- 3. Access Control. Personnel access to organization data must only be on a “need-to-know basis,” anchored on pre-defined user profiles and controlled via a systems management tool.
- 4. UserAuthentication. Require strong passwords to access personnel credentials and accounts. Passwords must be at least eight (8) characters long, comprising upper- and lower-case letters, numbers and symbols. Prohibit sharing of passwords. Set up multifactor authentication for all accounts to deny threat actors immediate control of an account with a compromised password.
- 5. Network Security. When organization ICT assets are connected to personal hotspots and/or home Wi-Fis, observe the security measures listed in the NPC bulletin, such as avoiding malicious webpages, ensuring high availability and reliability of internet connection, configuring the Wi-Fi Modem or Router, and avoiding connecting office computers to public networks.
- 6. Records and File Security. Set up policies to ensure sensitive data is processed in a protected and confidential manner to prevent unauthorized access.
- 7. Emails. When transferring sensitive data via email, encryption of files and attachments should be done. Also, ensure that personnel always use the proper “TO, CC, and BCC” fields to avoid sending to wrong recipients or needlessly expose other people’s email addresses to all recipients.
- 8. Physical security. Create workspaces in private areas of the home, or angle work computers in a way that minimizes unauthorized or accidental viewing by others. Lock away work devices and physical files in secure storage when not in use. Should there be a need to print documents, the personnel must ensure that physical and digital documents are properly handled and disposed of in accordance with office policy. Never leave physical documents with sensitive data just lying around, nor use them as “scratch paper.”
- 9. Security Incident Management. Personnel must immediately notify his or her immediate supervisor in case of a potential or actual personal data breach while working from home. The organization’s Data Protection Officer and/or Data Breach Response Team should immediately be alerted.