Amidst the Wuhan Coronavirus Pandemic: Confidentiality and Data Privacy Issues Arising from Work-from-home Arrangements in Hong Kong
14 Feb 2020
Prelude
With death toll and confirmed cases mounting up, HK and many other major cities have experimented the largest scale of flexi-working and/or working from home arrangements for its employees in an unprecedented way to safeguard their health and safety. Although affording employees with the option to work from home can no doubt reduce close personal contact and thereby disease spreading, and is advantageous from a public health viewpoint, what sort of legal risks do companies put themselves into when this happens? This article examines this topical question by focusing on the confidentiality and data privacy issues arising from such work-from-home arrangements, as well as the dangers they present in terms of confidential information and data privacy. Finally, it suggests the “vaccines” which may eradicate such confidentiality and data privacy pitfalls.
Confidentiality and Data Privacy Obligations
What confidentiality and data privacy obligations are certain employers and professionals bound by, which equally apply in work-from-home arrangements?
Confidentiality
In addition to the general common law principles on confidentiality, many professionals are expected to comply with tighter industry-specific confidentiality obligations in relation to client’s information and other confidential information. Such requirements are often enshrined in their respective code of conduct or guidelines. For lawyers, it can be found, for example, in Principle 8.01 of the Hong Kong Solicitors’ Guide to Professional Conduct, which expressly states that:
“a solicitor has a legal and professional duty to his client to hold in strict confidence all information concerning the business and affairs of his client acquired in the course of the professional relationship, and must not divulge such information unless disclosure is expressly or impliedly authorized by the client or required by law or unless the client has expressly or impliedly waived the duty.”
Accountants, on the other hand for instance, are subject to no less stringent confidentiality requirements. Section 100.5(d) of the Code of Ethics of Professional Accountants of HKIPCA requires practitioners to:
“…respect the confidentiality of information acquired as a result of professional and business relationships and therefore, not disclose any such information to third parties without proper and specific authority, unless there is a legal or professional right or duty to disclose, nor use the information for the personal advantage of the professional accountant or third parties.”.
Breach of such confidentiality obligations by a certified public accountant can result in various serious penalties such as reprimand, fine, cancellation of practicing certificate, removal from the register of certified public accountants and non-issue practicing certificate for a specified number of years.
Data Privacy
As for data privacy, companies in any trade or profession who collect data from third-parties including clients are bound by the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). In the case of accounting firms, access to underlying documents (including employment contracts, employer’s returns etc.) during the auditing exercise may contain personal data and trigger privacy issues. There are six data protection principles (DPPs) set forth in the PDPO, which include:
- DPP1 Data Collection
- Personal data must be collected in a lawful and fair way, for a purpose directly related to a function /activity of the data user, data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred, and data collected should be necessary but not excessive;
- DPP2 Accuracy & Retention
- Practicable steps shall be taken to ensure personal data is accurate and not kept longer than is necessary to fulfil the purpose for which it is used;
- DPP3 Data Use
- Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject;
- DPP4 Data Security
- A data user needs to take practicable steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use;
- DPP5 Openess
- A data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used; and
- DPP6 Data Access & Correction
- A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.
Contravention of the PDPO may result in civil claim by data subject or offence which could lead to a maximum fine of HK$50,000 and imprisonment for 2 years.
It should also be noted that a company or organisation may also be subject to the General Data Protection Regulation (EU) 2016/679 (GDPR) under EU laws if it has an establishment in the EU, where personal data is processed in the context of the activities of the establishment, regardless of whether the data is actually processed in the EU; or it does not have an establishment in the EU, but offers goods or services to or monitor the behaviour of individuals in the EU.
Confidentiality and Data Privacy Risks in Work-from-home Arrangements
Whilst being cognizant of the confidentiality and data privacy obligations expected to be strictly adhered to at all times by such companies and professionals, what sort of hidden risks are those workers working from home peculiarly exposed to in this regard?
Professionals and workers working from home inevitably rely on their home networks during their work. Home or public networks and WIFIs are often less secure than that of an intuitional setup with proper VPNs, firewalls and antivirus software. Confidential information is therefore more vulnerable to hacking and leakage.
Second, a home worker may also utilize what is termed cloud-based service, a popular off-site Internet access data storage tool to store and access client’s information and data. Example of such cloud-based application includes the emerging use of Robotic Process Automation (RPA) in auditing. While basic protection such as use of account name and password is in place for such cloud-based service, without the aforesaid IT protection, risk to data leakage and accidental loss of data by reason of using one’s own personal computer cannot be overlooked.
Third, if a home worker takes a physical file or documents from office to work on remotely, be it in a coffee shop or at home, it may be difficult to keep wandering eyes of those around you off your computer screen or the documents.
All these situations could pose great risks to the workers, for which the company may be liable by reason of vicarious liability.
Measures to Minimize Risks
In light of the danger of confidential information and private data loss that may arise from work-from-home arrangements and the adverse consequences which may result in as discussed, stringent safety measures are advised to be implemented to mitigate loss in this regard.
Enhancing IT Securities | Assessment over areas of risk associated with Flexi-working/ Work from Home arrangementPre-vetting and authorization on employees’ devices used during Flexi-working/ Work from HomeInstallation of properly configured firewall on such devicesGuidance over teleconferencing/ video-conferencing systemPronouncing internal control policy over e.g. employees’ access right, password complexity,means of data transmission, encryption of clients’ personal data or business confidential information, data back-up etc. |
Putting in Place Privacy Policy | Developing a Comprehensive Privacy Management ProgramDesignating privacy officer within organizdionClear guidance on PDPO compliance such as duraion of data up-keep; maters or scenario requiring report; handling of data user enquiriesStaff training on privacy regulations and awarenessoversight and review plan to track data collection, usage, storage etc. – effective controls to periodically audit data handling by staff |
Contractual Protection – with IT suppliers | inclusion of Representations and Warranties from the service/product providersinclusion of Indemnification clause to ensure risk allocation in case of defaultexample – “Party A (i.e. IT Service Providers) agrees to indemnify and hold the Company harmless for any and all claims (including third party daims), causes of action, suits, debts, losses, costs or expenses (including reasonable legal fees), judgments, liabilities and demands relating to or arising from any negligence, fault, error or omission of Party A or any fraud, misrepresentation or breach by Party A of this Agreement.” |
Contractual Protection – with clients | inclusion of Exclusion or Limitation of liabilities clause by for example, putting a cap on professional liabilityinclusion of Disclaimers in contracts/ websites to disclaim risk associated with IT securities in the contract |
In closing, this article has shown that companies can indeed be vulnerable to confidentiality and data privacy risks arising from work-from-home arrangements. Without proper safety measures against the risks of loss of confidential information and private data, the issue can be “epidemic” for the company. Through traversing the confidentiality and data privacy obligations on the part of the companies, especially those in the professional fields, this article argues that proper safeguards should be implemented, and suggests the “cure” to eradicate such risks and issues. As every company is unique and faces different confidentiality and data privacy risks at different times, companies are strongly advised to seek legal advice on how to properly set up an adequate and effective framework to tackle such issues in accordance with their needs.
OLN provides a range of advisory services in the confidentiality and data privacy context. If you have any questions on the above, please contact anna.chan@oln-law.com, and we will be pleased to answer and assist.
Disclaimer: This article is for reference only. Nothing herein shall be construed as Hong Kong legal advice or any legal advice for that matter to any person. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.