Working From Home – The Hong Kong Privacy Commissioner’s Practical Guidance for Employers and Employees on Data Security and Personal Data Protection

18-01-2021

On 30 November 2020, the Office of the Privacy Commissioner for Personal Data, Hong Kong (“the PCPD”) issued three guidance notes relating to work-from-home (“WFH”) arrangements for (1) organizations, (2) employees and (3) users of video conferencing software, providing guidance on measures to enhance data security and protect personal data privacy.

The PCPD’s Recommendations for Organizations

General principles: Organizations should set out clear policies on the handling of data (including personal data) when employees WFH; and take all reasonably practicable steps to ensure the security of data, in particular when information and communications technology is used to facilitate WFH arrangements, or when data and documents are transferred to employees working from home.

Practical Advice: Organizations should conduct a data security and privacy risk assessment and establish appropriate policies and guidance in light of the assessment results; provide sufficient training and support to employees for WFH arrangements to ensure data security; and ensure data security by putting in place the suggested device, virtual private network (VPN) and remote access management controls.

The PCPD’s Recommendations for Employees

General principles: Employees should adhere to the employers’ policies on the handling of data (including personal data); and take all reasonably practicable steps to ensure the security of data, in particular when information and communications technology is used to facilitate WFH arrangements, or when the data and documents are transferred during the work process.

Practical Advice: Employees should use only corporate electronic devices for work as far as practicable; ensure proper device management; avoid working in public places and take precautions to prevent accidental disclosure of personal data or restricted information; opt for a wired connection where available, and put in place the suggested security-enhancing measures for Wi-Fi connections and electronic communications (including emails and instant messages); and ensure proper handling of data when it is necessary to take paper documents out of office premises.

The PCPD’s Recommendations on Use of Video Conferencing Software

Practical Advice for Organizations and Users of Software: Organizations and users should choose video conferencing software that meets their needs after reviewing the software’s data security and privacy policies and measures (e.g. end-to-end encryption is needed for discussion of confidential matters); and pay attention to general security measures, e.g. the use of passwords and multi-factor authentication.

Practical Advice Specifically for Hosts and Participants of Video Conferences: Hosts should follow the suggested security measures to, among other things, ensure the virtual meeting room is password-protected and locked to prevent unauthorised access, participants’ identities are validated, consent is given for recording conferences, and such records are stored securely. Participants are reminded to pay attention to their personal data privacy during video conferences.

For details of the practical advice, please refer to the three guidance notes:

Practical Guidance for Organizations

Practical Guidance for Employees

Practical Guidance on the Use of Video Conferencing Software