Protecting data in the age of COVID-19
Microsoft and Google offer free access to advanced video-conferencing capabilities to facilitate working from home. How prepared is our private sector?
On March 2, 2020 the Minister of Health and Wellness Dr Christopher Tufton delivered a national statement on COVID-19:
“We can accept, given the rate of spread, which has seen more than 30 new countries impacted in the last week alone, that Jamaica is not immune to COVID-19…
“Jamaica’s assault on COVID-19, for which robust and ongoing public support is critical, is happening on two fronts — actions to minimise the risk of exposure among the local population; and actions to enhance the capacity of the public health system to manage patients in the event that we have cases.”
British Prime Minister Boris Johnson, on March 3, 2020, announced his four-point action plan — contain, delay, research, and mitigate. That Government estimates that up to a fifth of the workforce may be absent at the peak of the outbreak. “…Among the measures that will be deployed once the outbreak is deemed to be at its peak is encouraging greater home working. It is thought this could last for around 12 weeks in order to fully mitigate the spread of coronavirus, while ensuring the country’s ability to continue to run as normally as possible,” a release stated. Prior to Prime Minister Johnson’s statement we witnessed the total shutdown of several towns and cities in China, and now in Italy, in an attempt to stop the spread of the disease.
In preparation for the arrival of the deadly virus the prime minister of Jamaica, Andrew Holness, on March 5, 2020, convened the National Disaster Risk Management Council in accordance with the Disaster Risk Management Act to treat with the imminent threat of COVID-19 that may occur in Jamaica.
Consistent with what has been done in other countries, it is highly likely that Minister Tufton, in an attempt to minimise the risk of exposure among the local population, will impose similar measures of locking down portions of the Corporate Area or any other at-risk areas. The prime minister went further and, out of an abundance of caution, said if you are showing symptoms, stay home.
In light of this imminent national disaster, the question arises: what systems have been put in place by the Government and businesses to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services? Are there business continuity plans in place to facilitate remote working? Have the necessary risk assessments been conducted to facilitate safe remote working? What technical measures need to be in place to facilitate safe remote working?
The seventh processing standard of the Data Protection Bill will apply to all businesses that process personal data, and requires that appropriate technical and organisational measures be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data. That is how the first draft of the Data Protection Act was drafted; it was, however, subsequently amended to fall in line with Article 32 of the General Data Protection Regulation (GDPR).
Article 32 of the GDPR requires that organisational measures be taken to ensure a level of security appropriate to the risk, including inter alia as appropriate: [T]he ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. In other words there may now be a statutory obligation to ensure that there is a business continuity plan in place as long as your business processes personal data.
The extent to which this forms part of the final draft of the Bill remains to be seen. Regardless of whether this forms part of the final Bill, data controllers still have an ongoing obligation in processing personal data to ensure that data subjects can access their data promptly. This is all the more important when it comes to sensitive personal data such as medical records. A part of ensuring the resilience of processing systems and services is to facilitate remote working.
A wide range of tools currently exist to help organisations enable their staff members to work remotely. Which tools are suitable depends on the type of industry you are a part of. Knowledge workers will be able to leverage these tools and adopt them much more quickly than other categories of employment.
Cloud computing to the rescue
The National Institute of Standards and Technology in the United States defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly supplied and released with minimal management effort or service provider interaction. In plain English, cloud computing means that your applications or software, data, and computing needs are accessed, stored, and delivered over the Internet or “in the cloud”; sometimes it is free, most times it is for a fee.
The major cloud service models are Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS). Which one is best for you?
Software as a Service (SaaS) allows users to run a variety of software applications on the Internet. You don’t have to worry about the installation, set-up, and running of the application (eg, Salesforce.com, Gmail, Microsoft Outlook & Office 365).
Platform as a Service (PaaS) provides a computing platform to support building of Web applications and services completely residing on the Internet (eg, AWS Elastic Beanstalk, Windows Azure, Heroku, Force.com, Google App Engine, Apache Stratos).
Infrastructure as a Service (IaaS) allows the use of computer hardware and system software, including operating systems and communication networks in which the cloud provider is responsible for hardware installation, system configuration, and maintenance (eg, Amazon EC2, Citrix Cloud Center).
With those definitions out of the way, consider that most organisations already utilise software applications that are specific to their industry to run their business. These applications are either installed locally on computers inside their own offices or deployed via cloud technologies.
As a general precautionary response, many organisations with offices in higher risk areas have begun to call for employees to work remotely. Cloud software giants Microsoft and Google recently announced various special offers on their conference/meeting software to better support “work from home”. In a recent tweet, Google CEO Sundar Pichai said: “We want to help businesses and schools impacted by COVID-19 stay connected. Starting this week we’ll roll out free access to our advanced Hangouts Meet video-conferencing capabilities through July 1, 2020 to all G Suite customers globally.”
A Microsoft spokesperson tweeted: “At Microsoft, the health and safety of employees, customers, partners, and communities is our top priority. By making Teams available to all for free for six months, we hope that we can support public health and safety by making remote work even easier.”
Microsoft’s Office 365 and Google’s G Suite are examples of SaaS that offer all the tools necessary for complete remote working facilities, including meetings. Microsoft’s Office 365 includes Outlook, OneDrive, Word, Excel, PowerPoint, OneNote, Teams, and other Microsoft apps. Google’s G Suite includes Gmail, Google Drive, Google Docs, Sheets, Slides, Calendar, Keep, Hangouts, and other Google apps.
Remote access software
If you happen to have business software that is not “cloud ready” you might still be able to have secure access to your business software from home. Remote access software, or remote control software, lets you remotely control a computer at your office from a computer at your home. This remote control software allows you to take over the mouse and keyboard and use the computer you’ve connected to just like your own. Examples of remote access software include Teamviewer, LogMeIn, GoToMyPC, and RemotePC. Check with whoever is responsible for your IT security to see which software is approved for use in your organisation.
Remote meeting systems
Access to business applications is one thing, but what about all the meetings with your internal team and those outside of your office? Thankfully many meeting and conference software applications are available. Microsoft Teams, GoToMeeting, Google Hangouts Meet, Webex Meetings, and Zoom are just some of the picks for teleconferencing solutions that can bring everyone together — virtually.
Working from home and using these remote working solutions, however, pose a number of risks to data subjects’ privacy rights:
* An employee’s family or friends can use the device, thereby accessing the organisation’s systems and possibly seeing sensitive information or personal data.
* Hard copy material containing personal data used at the remote worksite can be lost or stolen.
* The device itself can be lost or stolen. A device lost or stolen can be used to gain unauthorised access to the organisation’s systems. It’s important to note that, although all devices are at risk of being lost or stolen, the nature of mobile devices (eg, size, portability, and value) increases this risk.
* Information can be intercepted during transmission between the organisation and the device. The communication channel can be intercepted and used to invade the organisation’s environment. An outdated device can be compromised and used to invade the organisation’s systems.
* Information could be copied and extracted from the organisation’s environment without anyone knowing.
Data controllers, in accordance with the seventh processing standard, while making processing systems available remotely will be obliged to ensure the confidentiality and integrity of personal data. There are some basic actions that can be taken to mitigate the risks associated with remote working.
1) Create a remote access policy: A remote access policy is simply a set of rules that identify clearly who should have access to what. It should state clearly the names and the responsibilities of every individual that has the right to access the company’s servers. No employees, whether remote or not, should have complete access to the company’s servers or to files they don’t use for their daily tasks.
2) Implement strong password systems: Implementing strong password policies is a key factor in ensuring data security for your organisation. Any access to work-related documents, e-mail, or the network should be controlled by strong passwords.
3) Ban the use of public Wi-Fi: Connecting to public Wi-Fi without taking any precautions can put data at risk. Companies that are concerned about their data security should state in their policy that remote workers are not allowed to use public Wi-Fi. In case your remote workers have no other option but to use an unsecured network, make sure they use a VPN and limit file sharing.
4) Encrypt devices: Enforce data encryption on all your remote employees’ devices. You can install encryption software which encrypts the whole disk or only certain files. Another option is to install a remote-wipe app which erases all data when the device gets stolen or lost.
While the nation is preparing for the threat of COVID-19, data controllers/businesses should be similarly refining, if not putting in place, a business continuity plan. In the process of putting a business continuity plan in place, in addition to putting the necessary technologies in place to facilitate remote working, data controllers must be mindful of the obligation to ensure personal data remains confidential. Business continuity plans should be a normal part of your business plan, as Jamaica faces the threat of hurricanes every year and we sit on an active fault line.
This article was co-authored by Christopher Reckord and Chukwuemeka Cameron. Reckord is the CEO of tTech Limited, a company that helps organisations implement and maintain Microsoft Office 365 Tools. Cameron, LLM, is an attorney, trained data protection officer, and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Send comments to the Jamaica Observer, info@ttech.com.jm, or ccameron@designprivacy.io.