Privacy expert: Employees need to be data conscious

By Edwin Concepcion 

Ever since the Covid-19 pandemic turned the world upside down, upending our concepts of what work is, where and how it can be conducted, and whether we need traditional workplaces at all, organisations have grappled with the right approach to take.

Some organisations have started to insist that employees return to the office full-time, back to the way things were pre-pandemic, while some have embraced a full remote arrangement with their staff, leveraging on video conferencing and other digital collaboration tools to conduct work-as-usual.

Then, there are the organisations who rotate their staff from home-based and office-bound schedules periodically, or allow them the flexibility to shuttle between the two schedules.

One of the chief concerns of organisations when they were compelled to adopt work-from-home arrangements was the worry that productivity would dip; they worried that staff would not perform at optimal levels if they were not supervised as they would be in the office.

To keep up with data protection trends and news from across the Southeast Asian region, please visit the News feed on DPEX Network.

Kevin Shepherdson, CEO of Straits Interactive, called this the “Don’t Watch Netflix” Employer Syndrome.

“Many employers may be concerned whether their employees are really doing work at home,” so they resort to surveillance technologies, some of which may be overly intrusive – taking screenshots or recording staff behaviour on the computer – and inadvertently collect personal data.

“[As an employer] you need to take this surveillance into account as part of your data protection and privacy practices.”

I agree with his assessment that productivity has been a top priority in this New Normal. In fact, I experienced such surveillance myself even within the office. At my previous employment, me and the other employees had to provide our fingerprints, have their photos taken and key in our employee ID codes every day.

There’s definitely a lot of monitoring and even CCTVs installed to watch the workstations.

However, just as Kevin has brought up surveillance, there are significant data privacy and data protection concerns that need to be addressed.

To learn how to develop and implement a privacy programme framework, about the programme operational life cycle, and how to structure a privacy team, consider obtaining the Certified Information Privacy Manager (CIPM) certification.

Good data protection habits needed

Many people may think that having a good infosecurity system would shield your organisation from the multiple risks that exist when it comes to securing your organisation’s assets and systems.

But you can have security without privacy, but you can’t have privacy without security. What this means is that you may have excellent infosecurity, but you may not be compliant with data privacy laws, such as the Data Privacy Act, or DPA, of the Philippines.

So if your organisation is both privacy- and security-aware, you would want to extend this posture to staff who operate outside of your office environment – and this can be challenging to enforce when you have a portion of your workforce conducting business operations at home or in remote locations.

In Filipino culture, we like to share everything we do with others, whether on social media or with family and friends. In so doing, many of us do not consider the implications of our actions, whether our own personal data and that of others is being exposed.

The DPO ACE programme teaches the principles and frameworks for personal data governance, such that you can support your organisation in demonstrating accountability and compliance to the Data Privacy Act of the Philippines.

For example, home-based or remote workers may have to handle their customers’ personal data. At the office, the following good practices are highlighted and put in place:

1. Respect the confidentiality of data by not sharing with co-workers or non-employees who have no legal right to view and use the data

2. Don’t keep records of the data, such as by taking screenshots or even selfies

3. Keep customer engagements or conversations private – this is especially pertinent as a recent TikTok trend has Business Process Outsourcing (BPO) staff publishing their interactions with customers

4. Don’t click Reply All or CC when you don’t intend to – this might expose personal information and reveal email addresses that could raise the risk of phishing attacks

Meanwhile, some additional risks include becoming the subject of phishing attacks, accessing work systems and data using personal devices and unsecured home networks, using weak passwords, and not using encryption when sharing files and sensitive information.

For employers who can’t monitor this behaviour and reinforce good practices, this poses a significant challenge. While the Data Protection Officer (DPO) and IT staff could highlight these good practices, staff that handle personal data also play a vital role in safeguarding such data.

DPOs and company leadership need to prioritise employee training and education on best practices, implement the use of complex passwords and multi-factor authentication, conduct regular risk assessments, and implement protocols and policies that address the identified risks.

To learn more about various regional laws, including those of Indonesia, Thailand, Singapore, Philippines, Malaysia and China, consider taking the modules of our Advanced Certificate in Data Protection Principles.

Manage your vendors

Today, with more business processes being outsourced, and more of these outsource partners also adopting work-from-home or remote working, this is a wake-up call for companies to review their vendor management practices.

Doing adequate due diligence without fail is important to ensure that your prospective vendor does not introduce data protection gaps and risks into your organisation’s operations.

For example, on the production floor of a BPO, staff are not allowed to bring any personal mobile devices because they are prohibited from capturing any confidential and sensitive information. In a work-from-home or remote setting, it would be difficult to implement this type of control.

It’s about people

According to a recent survey, nearly 80 percent of Philippine firms have been hit by data breaches over a recent 12-month period.

These breaches have resulted in the leak of sensitive and confidential data such as credit card details, passwords and other personally identifiable information. The report highlighted that the majority of these breaches are a result of human error, such as the lack of security awareness training and weak passwords.

Read more

This article was originally published on 19 March 2023 in The Manila Times. To read the full article, click here.