“I’m the owner of a small financial services firm. With Covid-19, like many businesses, we enabled staff to work from home. The arrangement is working well and we are contemplating retaining the option of remote work for some of our staff. Is there anything specific we need to do from a POPIA perspective in respect of such remote working staff?”
Remote work has most certainly become an increasingly common phenomenon thanks largely also to the Covid-19 pandemic. Many businesses have been forced to enable staff to work remotely without much thought always to the concomitant security issues relating to such remote work. Now that remote work is becoming a more recognised part of the work landscape, businesses, like yourself are rightly starting to wonder about these additional home office environments and what risk they pose in respect of security of information, data breaches, uncontrolled environments, to name but a few.
From a Protection of Personal Information Act (POPIA) perspective, POPIA aims to ensure that businesses protect personal information and that they and their staff adhere to the principles of POPIA. POPIA makes no distinction as to whether staff work remotely or not, and requires the same level of compliance from businesses irrespective of where their staff work from.
So what does this mean for a business with staff working remotely? It means that such a business will also have to regulate how such remote staff must comply with its data security procedures to ensure that as a whole the business is POPIA compliant.
Most businesses have put data security and other physical security measures in place at their offices, including procedures for collecting, processing, storing and destroying information. But what happens if an employee is not working at the office? Can that employee throw papers in their own rubbish bin, or leave their computer open for general use, or even have client information lying around in a room with uncontrolled visitors passing through? Clearly these types of risks need to be dealt with by a business taking into account the nature of the employee’s work and the risks relating to the type of personal information the employee may have access to whilst working remotely.
To address these types of risks, it will require the business to review its current policies and procedures relating to data security and POPIA and ensure that these extend also to remote working employees. In effect, it may require that the business implement specific conditions for remote working which such employees will have to comply with to ensure that these potential risks are mitigated. The business may even need to conduct inspections, obtain confirmations or undertake other forms of ensuring that these conditions are met by remote working staff. Additionally, the business may need to look at which types of personal information remote working staff may access and even limit accessibility based on potential security concerns.
POPIA further imposes an obligation on businesses to deal with potential security breaches, irrespective of whether physical or electronic. A business would therefore need to ensure that this obligation is extended to its remote working employees, and that the business is informed of any (actual or potential) data breach occurring at the remote working location. Remote working employees will accordingly have to be made specifically aware of their responsibility to report and mitigate any such data breach.
What should be clear from the above is firstly, a business cannot escape liability for POPIA compliance or data breach because employees work remotely. Secondly, a business would need to carefully assess its requirements for remote work and the associated risks and accordingly incorporate the requirements for remote work into their policies and procedures and ensure that these are communicated, monitored and updated as necessary from time to time, to ensure continuing compliance. Accordingly, it is highly advisable to consult your attorney or a data or POPIA specialist to help you assess your remote working risks and incorporate the necessary aspects into your current policy framework.