Introduction:
With the effect of the Coronavirus Disease ("Covid-19"), organizations all around the world have been compelled to migrate their daily business activities and transactions to remote work platforms. Ordinarily, an organization would test such a system before implementation, but the sudden onset of Covid-19 has made many organizations adopt remote working without proper planning or a test implementation. Proper planning would include training staff on the use of the chosen virtual office tools and on data protection, implementing appropriate cybersecurity controls, and introducing staff to the changed way documents are accessed, such as through Microsoft SharePoint.
In Nigeria, where the concept of virtual offices is burgeoning, technology has become more essential than ever in light of the pandemic, as lockdown rules and social distancing measures have forced the implementation of stay-at-home orders.
Very importantly, remote working presents its own unique data and cybersecurity challenges. All risks associated with remote working have the capacity to impact an organization's compliance with Data Protection and Privacy Regulations. This briefing note focuses on highlighting key issues arising from the adoption of remote working and measures that can be taken to ensure the security of personal data while working remotely.
Key Issues/Risk Mitigation Strategies:
1. Training and Staff Awareness
As required by the Nigeria Data Protection Regulation ("NDPR" or the "Regulations"), all persons entrusted with the Personal Data of a Data Subject, or who are in possession of the Personal Data of a Data Subject, owe a duty of care to the said Data Subject. [1] The recent case of WM Morrison Supermarkets Plc v. Various Claimants (2020) UKSC 12 (the "Morrison case") underscores the importance of ensuring that an organization's staff deal properly with whatever personal information a Data Subject has entrusted to the organization. In that case, an embittered employee published the personal information of 98,998 employees of Morrison Supermarkets on a public website, thereby exposing the personal information of these employees.
The aggrieved employees brought an action against Morrison on the basis of vicarious liability. The trial court and the Court of Appeal held that Morrison was vicariously liable for the conduct of the embittered employee. Ultimately, the UK Supreme Court held that the employee's conduct was not so closely connected with acts which he was authorized to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment, and Morrison was therefore not vicariously liable. Organizations are nonetheless encouraged to ensure that employees/staff follow best data protection practices, both to comply with the Regulations and to avoid the risk of suits from aggrieved Data Subjects.
2. Review of Internal Policies
The NDPR requires that, for any medium through which Personal Data is collected or processed, a simple and conspicuous privacy policy that the class of Data Subject being targeted understands must be displayed. Now that organizations have migrated to virtual working, it has become important to ensure that privacy policies and other internal policies, such as policies on email use, password protection, confidential information, access control, information transfer, communication security and teleworking, among others, are duly observed by employees/staff. Flowing from this, it is recommended that organizations ensure that internal Data Protection policies are either put in place or reviewed and revised so that they remain effective in remote work environments.
3. System Protection
As a consequence of remote working, new work setups come with many new challenges, including the protection of Sensitive Personal Data. Without the security protections that come with being in the office, such as a firewalled office network (LAN), managed Wi-Fi and access controls that restrict connections to known IP addresses, the organization becomes exposed to an array of threats such as hacking, phishing and malware, not to mention employees who are unaccustomed to remote working. Information security must therefore be a top priority during this time.
Organisations are therefore advised to put in place security features such as firewalls (e.g. proxy firewalls, packet-filtering firewalls, stateful inspection firewalls, hardware firewalls, software firewalls), anti-virus and endpoint protection on all assets given to employees. In the event of phishing, there are several steps a Data Controller may take to mitigate and eventually stop the phishing activity. A Data Controller may carry out a vulnerability assessment in order to detect weaknesses in its systems, especially as regards the security of its databases. This is to ensure that there is no flaw in its data processing activities which may lead to a breach of Personal Data; where a flaw is discovered, steps should be taken to fix it. Furthermore, a Data Controller may contact Data Subjects who receive phishing emails or phone calls and communicate the measures to be taken to disrupt the phishing activity, in order to reduce the risk of a data breach and to mitigate the impact in the event that a breach has already occurred.
4. Data Transfer: Pseudonymisation and Encryption
It is recommended that where Personal Data is to be transferred
from one location to another, it should be pseudonymised or
encrypted to protect it, in the event it is intercepted during the
transfer.
Pseudonymisation is the processing of Personal Data in such a way that the data can no longer be attributed to a specific Data Subject without the use of additional information (for example, a key or a lookup table that maps the pseudonyms back to the original identifiers). That additional information must be kept separately from the pseudonymised data and protected, since anyone who holds both can re-identify the Data Subjects.
Encryption refers to the procedure that converts clear text into unreadable ciphertext using a key, such that the information only becomes readable again by using the correct key. It is different from hashing, which is one-way and cannot be reversed to recover the original data. While pseudonymisation allows anyone with access to the data to view part of the data set (the non-identifying fields), encryption allows only approved users, those holding the key, to access the data set at all.
Organisations are therefore advised to encrypt or pseudonymise Personal Data during transfer using encryption software. Please note that encryption and pseudonymisation can be applied in remote working arrangements as well, and that the two can be combined: a pseudonymised data set can itself be encrypted in transit. There are off-the-shelf applications that do this and can be easily purchased.
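To make the distinction between pseudonymisation and encryption concrete, the following is an added example in Go, using only its standard library; it is not part of the briefing note and does not describe any particular vendor product. It assumes two techniques the note does not specify: pseudonymisation by replacing names and e-mail addresses with HMAC-SHA256 tokens while the Data Controller keeps the token-to-value table, and encryption for transfer with AES-256-GCM. The sample record, the keys and the names Record, Pseudonymiser, Encrypt and Decrypt are all invented for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed sample of the personal data a remote worker might
// need to send to a colleague. The values are invented for this example.
type Record struct {
	Name    string `json:"name"`
	Email   string `json:"email"`
	Balance int    `json:"balance"`
}

// Pseudonymiser replaces direct identifiers with keyed tokens and keeps the
// re-identification table (the "additional information") with the controller.
type Pseudonymiser struct {
	key   []byte            // HMAC key, held only by the Data Controller
	table map[string]string // token -> original value
}

func NewPseudonymiser(key []byte) *Pseudonymiser {
	return &Pseudonymiser{key: key, table: map[string]string{}}
}

// token derives a stable pseudonym for value. A keyed HMAC is used instead of
// a plain hash so that a recipient cannot recover the value by hashing guesses
// (common names, known e-mail addresses) and comparing the results.
func (p *Pseudonymiser) token(value string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(value))
	t := hex.EncodeToString(mac.Sum(nil))[:16]
	p.table[t] = value
	return t
}

// Pseudonymise returns a copy of r with the identifiers replaced. The balance
// stays readable, which is what lets a recipient work with part of the data.
func (p *Pseudonymiser) Pseudonymise(r Record) Record {
	return Record{Name: p.token(r.Name), Email: p.token(r.Email), Balance: r.Balance}
}

// Reidentify maps a token back to its value; only the table holder can do this.
func (p *Pseudonymiser) Reidentify(token string) (string, bool) {
	v, ok := p.table[token]
	return v, ok
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key. The random nonce is prepended so the
// recipient can decrypt; GCM also authenticates the ciphertext, so any
// modification in transit is detected on decryption.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error if the key is wrong or the
// ciphertext has been tampered with, rather than returning garbage.
func Decrypt(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	rec := Record{Name: "Ada Obi", Email: "ada.obi@example.com", Balance: 4200}
	ps := NewPseudonymiser([]byte("controller-only-pseudonym-key"))
	fmt.Printf("pseudonymised: %+v\n", ps.Pseudonymise(rec))
	key := make([]byte, 32) // in practice shared with the recipient out of band
	io.ReadFull(rand.Reader, key)
	plain, _ := json.Marshal(rec)
	ct, _ := Encrypt(key, plain)
	ct[len(ct)-1] ^= 1 // simulate corruption or tampering in transit
	_, err := Decrypt(key, ct)
	fmt.Println("decrypting tampered ciphertext:", err)
}
```

The pseudonymised record still shows the balance, so a recipient without the table can work with it but cannot tell whose it is; the encrypted record shows nothing at all without the key, and because GCM authenticates the ciphertext, a wrong key or a single flipped bit in transit produces an error instead of silently decoding to garbage. The HMAC key and the lookup table are the "additional information" in the definition of pseudonymisation above and must be stored apart from the data they protect.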
5. Technology Solutions
A number of technology solutions may be considered to help secure
remote working:
(a) Voice over Internet Protocol, VoIP: VoIP has become ubiquitous and inexpensive, cutting communication costs while keeping the team's virtual connectivity alive. Teleconference tools keep the communication channel open with clients and co-workers for scheduled meetings, webinars, presentations and instant messaging;
(b) VPN: A virtual private network (VPN) is a network that is constructed using public infrastructure, usually the internet, to connect remote users or regional offices to a company's private internal network. Putting this in place will make it possible for employees to connect to office resources from the comfort of their homes. A VPN provides a secure, encrypted communication channel over public Internet connections to the existing private network in the office; note that it protects data in transit only, so the employee's device itself still needs the malware protection described in the next point;
(c) Malware Protection: The default firewall and antivirus protection that comes with most PCs is not enough. Anti-malware software should be installed on all devices, both personal and official, used to process Personal Data. Constant updating and upgrading is also necessary for an effective business security solution. It is necessary that every system holding Sensitive Personal Data sits behind a firewall at the very least, ideally complemented by an intrusion detection system (a firewall blocks unwanted traffic, while an intrusion detection system raises an alert on suspicious traffic that gets through);
(d) Password Combinations: Organisations need to ensure that the internet routers used by staff outside the office are protected with strong, unique passwords for both the Wi-Fi network and the router's administration interface, rather than the manufacturer's default credentials;
(e) Network Security: Network security in
an organization is paramount. The IT team needs to ensure that the
core organisation infrastructure sits behind a firewall;
(f) Data Backup/Recovery: It is essential to make sure employees working remotely have access to backup solutions to prevent data loss. Dual backup to primary and secondary storage locations, for example to a cloud service and an on-premise location at the same time, helps avoid downtime if one copy is lost. Do review the organisation's backup policies with staff to ensure they are always backing up, and periodically test that backups can actually be restored. There are a host of cloud infrastructure services online that can be subscribed to.
Conclusion
In order to stay secure and also ensure compliance, it is recommended that Data Controllers and Administrators regularly consult their Data Protection Officers, Data Protection Compliance Organizations as well as the Regulation – to ensure full compliance and protection of information.
This briefing note has been put together by Taxaide Technologies Limited and AO2LAW. For further information on the foregoing (none of which should be taken as legal advice), please contact:
Chiedu Mokwunye (c.mokwunye@taxaide.com.ng)
Uwemedimo Atakpo (u.atakpo@taxaide.com.ng)
Kitan Kola-Adefemi (kitan.kola-adefemi@ao2law.com)
Oyeyemi Oke (Oyeyemi.oke@ao2law.com)
Originally published 4 May, 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.