Meeting POPIA Requirements When Working Remotely

Social distancing has forced many of us to stay at home for the foreseeable future, meaning remote working is, for many, no longer an option but a necessity. Whilst individual safety is at the top of everyone’s priorities, doctors, service providers, accountants, agents and business owners must also be aware of the safety of their data during the crisis.

While there are several advantages to working remotely, there is a monstrous risk for those obligated to comply with POPIA: keeping clients’ personal information safe. Not convinced it’s a big deal? Information Regulators worldwide levy hefty financial penalties when entities fail to properly manage access to, and the protection of, their clients’ personal information.

Real Life Examples

  1. Cancer Care Group in the USA agreed to a settlement of $750,000, after a remote employee lost a laptop and backup drive to car theft. The laptop contained more than 50,000 patients’ personal information. It was determined that prior to the breach, the Cancer Care Group was in widespread non-compliance with the HIPAA Security Rule. They failed to conduct an enterprise-wide risk analysis when the breach originally occurred. It was also found that they did not have a written policy regarding the removal of hardware containing personal information into and out of its facilities.
  2. A similar settlement cost respiratory medical group Lincare almost $240,000. A remote employee breached the personal health information of 278 patients by exposing and abandoning their sensitive information. The court ruled that Lincare did not have adequate policies and procedures in place to safeguard patient information that was taken off-site despite the fact that employees who worked in patients’ homes routinely removed personal information from Lincare offices.

How To Protect Your Clients’ Personal Information When Working Remotely

First and foremost, if you have remote employees, you must set rules for them in your Security Policies and Procedures. Use the following checklist as a guide for what to include in this section.

  • Make a list of remote employees.
  • Indicate the level of information to which they have access.
  • Describe Equipment, Software, and Hardware requirements in an inventory – forms 04.1 to 04.7 of Assent Compliance’s POPI Compliance Framework.
  • Encrypt home wireless router traffic using WPA2-AES. This is a standard configuration, and most routers these days ship with it enabled.
  • Change the default passwords on wireless routers to something difficult to guess. This provides an extra layer of protection.
  • Make sure that all devices accessing your network are properly configured by IT. Devices must be encrypted and password protected, with a software firewall and anti-virus software installed.
  • Require that employees use a VPN when they access the company’s Intranet remotely.
  • Encrypt and password protect any personal devices employees use to access client personal information.
  • Have your IT department or vendor configure personal devices before allowing them access to the network. Specify which brands and versions of personal devices may access company data.
  • Describe Security and Privacy requirements:
      • Employees should not allow friends, family or anyone else to use devices that contain client personal information.
      • Have each employee sign a Confidentiality Agreement to assure the utmost privacy when handling client personal information.
      • Create a Bring Your Own Device (BYOD) Agreement with clear usage rules.
      • Employees who store hard copy (paper) client personal information in their home office need a lockable file cabinet or safe to store it.
      • Employees need a shredder at their location for the destruction of paper client personal information once it is no longer needed. The company needs to specify when it is acceptable to dispose of any paper records.
      • Employees must follow the organisation’s Media Sanitization Policy for the disposal of all client personal information or devices storing client personal information – see for example form 02.4 of Assent Compliance’s POPI Compliance Framework.
      • Make sure employees disconnect from the company network when they are done working. Usually, session timeouts configured by IT take care of this.
      • Employees may not copy any client personal information to external media not approved by the company. This includes flash drives and hard drives. You may require all client personal information to stay on the company network – see for example form 05.10 of Assent Compliance’s POPI Compliance Framework.
      • Keep logs of remote access activity and review them periodically. IT should disable any accounts inactive for more than 30 days.
      • Mandate that any employees in violation of these procedures will be subject to the company’s Disciplinary Procedures.
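As an added illustration of the log-review item above (this is example code, not part of the original checklist or Assent Compliance’s framework), the script below reads constructed remote-access log lines, records each account’s last successful login, and lists the accounts with no successful login in the last 30 days, including accounts that never appear in the log at all. The log format and account names are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample VPN access log lines (not real data). One login attempt per line.
SAMPLE_LOG = """\
2024-04-02T08:12:33Z vpn login user=alice result=success
2024-04-03T17:45:10Z vpn login user=bob result=success
2024-04-20T09:01:02Z vpn login user=alice result=success
2024-02-10T11:30:00Z vpn login user=carol result=success
2024-04-28T22:14:51Z vpn login user=dave result=failure
"""

# Constructed list of accounts provisioned for remote access; erin has never logged in.
KNOWN_ACCOUNTS = ["alice", "bob", "carol", "dave", "erin"]

INACTIVITY_LIMIT = timedelta(days=30)  # the 30-day threshold from the checklist


def last_successful_login(log_text):
    """Return {user: datetime of the most recent successful login}."""
    last_seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than abort the review
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        if fields.get("result") != "success":
            continue  # failed attempts are not evidence of a live, used account
        user = fields["user"]
        if user not in last_seen or ts > last_seen[user]:
            last_seen[user] = ts
    return last_seen


def inactive_accounts(log_text, accounts, as_of, limit=INACTIVITY_LIMIT):
    """Accounts with no successful login within `limit` of the review date `as_of`
    (an ISO date string). Accounts absent from the log are flagged too: an account
    that is never used is exactly the kind that should be disabled."""
    review_date = datetime.strptime(as_of, "%Y-%m-%d")
    last_seen = last_successful_login(log_text)
    flagged = [u for u in accounts
               if last_seen.get(u) is None or review_date - last_seen[u] > limit]
    return sorted(flagged)


if __name__ == "__main__":
    for user in inactive_accounts(SAMPLE_LOG, KNOWN_ACCOUNTS, "2024-05-01"):
        print(f"disable candidate: {user}")
```

Run against the real VPN or remote-desktop logs, the output is the list IT hands to the periodic access review; the user list should come from the identity directory so dormant accounts that never touched the VPN are not missed.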

Conclusion

  1. Remote employees aren’t exempt from the protection of personal information rules. It’s in your best interest to define all remote employee guidelines and to ensure all documents involving remote work are up-to-date, signed, and safely stored. Taking these steps will ensure you’re compliant should the Information Regulator come calling!
  2. It’s impossible to foresee and plan for every variation of this scenario, which really means that to maintain compliance with POPIA, companies must account for all possibilities. Three aspects of remote working, in particular, must be addressed to adequately manage risk and to demonstrate to regulators that your organisation has taken the necessary steps to meet requirements:
      • Device Security
      • Information Management
      • Policy Awareness

Need help securing your own or your employees’ home working environment?

Assent Compliance (Pty) Ltd specialises in creating customised POPIA-related documentation and training for our clients. We provide documents such as Security Policies and Procedures, Disaster Recovery Policies, Confidentiality Agreements, and Bring Your Own Device (BYOD) Policies (our POPI / PAIA Compliance Management Framework Documentation Toolkit). For questions about policies, documentation, or best practices for remote employees, please complete this form:
