Protecting personal data in extraordinary circumstances

With an increased number of the Bailiwick’s workforce working remotely, it’s a good opportunity to explore how best to ensure that your organisation’s protection of personal data is maintained.

Remember: the object of data protection legislation is to protect people’s rights in relation to how their data is treated.

All organisations, from sole traders to multinational companies, charities to governments, handle personal data of their staff/clients/suppliers/citizens. Doing this well enables trust and good relationships to be maintained, and prevents people being harmed by misuse of their data.

With this in mind, all local organisations need to consider the fact that remote working may pose an increased risk to personal data. It is possible to take positive and effective steps to mitigate this risk by following these common-sense steps:

  1. Make sure staff are aware of, and able to implement, your existing policies surrounding remote working.
  2. Depending on what your staff are doing with personal data whilst they’re working remotely, consider whether it may be helpful (or legally required) for your organisation to perform a Data Protection Impact Assessment.
  3. If you identify a potentially high-risk processing activity involving personal data that you need your staff to perform remotely, seek advice from your Data Protection Officer (if you have one), or visit odpa.gg/advice-guidance.
  4. Ensure staff only use secure network connections, and that all devices have appropriate and up-to-date anti-virus software and other security measures.
  5. Take extra care when transporting any paperwork or devices that may contain personal data: where appropriate, use additional security measures such as two-factor authentication for devices, or use physical locks for storing paperwork.
  6. Be extra vigilant to social engineering (e.g. criminals impersonating your staff/suppliers/clients) in all its forms, as criminals are actively trying to take advantage of the current disruption.
  7. Inevitably people’s attention to detail, focus and vigilance may suffer from not being in their usual workplace. This is especially true if their attention is being demanded by other household members, such as small children who are in their care. So be realistic with your staff about what level of productivity you are expecting from them and think about limiting them to performing only low-risk, business-critical tasks.
  8. Think about the accountability principle: is your organisation using personal data in a new (or different) way as a result of the current public health situation? If so, document the decision-making process that led to this and update any relevant policies.

Is the ODPA taking a more ‘relaxed’ approach to enforcement activities during the current public health situation?

We would like to reassure local organisations that we are taking a realistic and pragmatic approach to regulatory activities during the Bailiwick’s ‘lockdown’.