GDPR and work from home

O

OakieBoy

Registered User
Messages
7
I would like to ask about Data Protection GDPR . I made an FOI to a local authority. It is answered by someone who is at their home. They log in to the council system to check their mail through a secure connection. But they are viewing it on personal, not work, computer.

So my FOI, with my personal details like my name /address /FOI request is downloaded to someone's personal computer in their home. How can i know who has access to that computer? Or who is in the house when it is opened. ? Is it not then on a personal, not work, computer in the temp files at least? Is this not a breach of GDPR?
 
Anyone who works from home is given a work computer or laptop to use exclusively for their work. The staff member will be able to view your information and so would anyone who is standing directly behind them. There are screens staff get that allow them to further ensure what is in the screen is private.
Depending on the nature and security of the work then employers can put in place additional controls.
I doubt if your local authority will give you enough info to satisfy you that there will be no breach of data without you telling them why you are asking. So you will have to decide if you will take the risk or not. After you have obtained the response you need you can of course ask to be forgotten by the local authority. I would take the risk but the decision is yours alone.
 
Always remember GDPR will not fix /stop people who have access to companies computer systems lots outsource IT support computer remote repair and such like ,
Lots of Companies don't understand how open they are leaving themselves to information going astray ,
Most don't even know it has happened to them ,
 
Last edited:
Typically the employee working from home will have to state in writing before that arrangement starts that they have a separate lockable room for their work. The company employing them will have had to assess risks to data, and would normally be supplying the computer, which can only be used for work as per Clamball above. And they should be using a fully tunnelled (routed and encrypted all the way) VPN connection. Regarding remote support, it would be normal before any connection is established for the support person to remind the worker that they should not have any windows open that contain sensitive information. If you are dealing with a reputable organisation, no issue. I'd be more concerned about lack of funds/resources resulting in outdated equipment or operating systems in current use.
 
What really is the difference between whether theybwork from office or home vis a vis GDPR?

If working from the office they could concievably take out their mobile phone and take a photo of the comouter screen which has your personal data. There arent really any effective controls that im aware of that can prevent this particular thing from happening
 
Clamball said:
Anyone who works from home is given a work computer or laptop to use exclusively for their work. The staff member will be able to view your information and so would anyone who is standing directly behind them. There are screens staff get that allow them to further ensure what is in the screen is private.
Depending on the nature and security of the work then employers can put in place additional controls.
I doubt if your local authority will give you enough info to satisfy you that there will be no breach of data without you telling them why you are asking. So you will have to decide if you will take the risk or not. After you have obtained the response you need you can of course ask to be forgotten by the local authority. I would take the risk but the decision is yours alone.
Click to expand...
I have established that the local authority in question does not give work computers so i assume they use their own
 
Lot of places now using cloud based solutions like Google Docs or Office 365. They can often log into that from anywhere and on anything.
 
If the home pc is remote connecting / using vpn then in theory nothing should be on the home computer.
 
jim said:
What really is the difference between whether theybwork from office or home vis a vis GDPR?

If working from the office they could concievably take out their mobile phone and take a photo of the comouter screen which has your personal data. There arent really any effective controls that im aware of that can prevent this particular thing from happening
Click to expand...
Ah this is my area :).

Information Security isn't really about certainties, it's about risk management. You'll tend to assess risks based on the impact they would have if they came about and the liklihood of them happening, multiply the two together and you get a risk score, then you work to reduce your risks starting with the highest numbers.

In your example the impact of data being lost is the same in both cases, however for a worker in the office to take photos of their screen to steal data you're firstly assuming you have a disgruntled employee (possible but unlikely), that somebody will not see them do it and take action and taking photos of screens is only going to get you fairly small amounts of data.
Now take the personally owned home PC scenario: there are no other staff members around to notice odd behaviour, the PC is unlikely to be managed so rather than small amounts of data a threat actor could be downloading databases with millions of records, it's highly likely the PC is being used by the employee's spouse, kids, maybe housemates and/or visitors who could take data or just be using the PC in a way that it is more likely to get infected with malware than a work protected machine, it's more likely to be stolen in a breakin and less likely to be encrypted.

People lose data (like BitCoin encryption keys as an example) from their home PCs via malware all the time, it would be hard not to give this the highest possible liklihood, compared to a work PC in the office where data loss is relatively rare and it requires a disgruntled employee with some privacy, it's going to be close to the lowest possible liklihood.

So big difference if I was running their Information Security...
 
Zenith63 said:
...
Now take the personally owned home PC scenario: there are no other staff members around to notice odd behaviour, the PC is unlikely to be managed so rather than small amounts of data a threat actor could be downloading databases with millions of records, it's highly likely the PC is being used by the employee's spouse, kids, maybe housemates and/or visitors who could take data or just be using the PC in a way that it is more likely to get infected with malware than a work protected machine, it's more likely to be stolen in a breakin and less likely to be encrypted.
...
Click to expand...

Its more likely to be VPN or just a web application.
With probably auditing and logs, to see what people are looking up.
Automatic warnings to IT security if any odd behavior happens.
End users would not have any means to download large amounts of data.
They will run with restricted access to see limited data and just do their job and no more.

Maybe.
 
But data loss can happen whereby an individual takes a photi of specific data using their personal device in an office or in their home it doesnt matter. the risk impact depends on the nature of the data etc and the liklihood can obviously vary aswell. Its not possible to meaningfully quantify the risk in this way. The risk impact is potentially severe and the likelihood is potentially medium so overall its a severe risk i think that canot be effectively nitigated. Its futile to speculate on an employees motivation/being disgruntled etc. Fact is they can do this - how can it be mitigated effectively?
 
Hooverfis i cannot quote you. Even if vpn used once pdf is viewed it is downloaded
Zenith63 said:
Ah this is my area :).

Information Security isn't really about certainties, it's about risk management. You'll tend to assess risks based on the impact they would have if they came about and the liklihood of them happening, multiply the two together and you get a risk score, then you work to reduce your risks starting with the highest numbers.

In your example the impact of data being lost is the same in both cases, however for a worker in the office to take photos of their screen to steal data you're firstly assuming you have a disgruntled employee (possible but unlikely), that somebody will not see them do it and take action and taking photos of screens is only going to get you fairly small amounts of data.
Now take the personally owned home PC scenario: there are no other staff members around to notice odd behaviour, the PC is unlikely to be managed so rather than small amounts of data a threat actor could be downloading databases with millions of records, it's highly likely the PC is being used by the employee's spouse, kids, maybe housemates and/or visitors who could take data or just be using the PC in a way that it is more likely to get infected with malware than a work protected machine, it's more likely to be stolen in a breakin and less likely to be encrypted.

People lose data (like BitCoin encryption keys as an example) from their home PCs via malware all the time, it would be hard not to give this the highest possible liklihood, compared to a work PC in the office where data loss is relatively rare and it requires a disgruntled employee with some privacy, it's going to be close to the lowest possible liklihood.

So big difference if I was running their Information Security...
Click to expand...
Is it true as someone said the pc is just a window? In a personally owned home PC scenario are the files viewed over a secure vpn not downloaded? If someone else uses the computer could they access them in tem file or whatever?
 
Depends on the vpn. Some allow files to be downloaded some don't. Some only connect to a virtual or remote desktop and you can't do anything or send anything outside that desktop.

Virtual private network - Wikipedia

en.m.wikipedia.org en.m.wikipedia.org

You can have many layers and the VPN is only one of them.
 
AlbacoreA said:
Depends on the vpn. Some allow files to be downloaded some don't. Some only connect to a virtual or remote desktop and you can't do anything or send anything outside that desktop.

Virtual private network - Wikipedia

en.m.wikipedia.org en.m.wikipedia.org

You can have many layers and the VPN is only one of them.
Click to expand...
OK if they "only connect to a virtual or remote desktop ", would there be anything visible to a subsequent user of the PC
 
OakieBoy said:
OK if they "only connect to a virtual or remote desktop ", would there be anything visible to a subsequent user of the PC
Click to expand...

No.

There is an option in our place to have remote access to work from personal or work devices. If you use a personal device you only have VPN access to a remote desktop and can only move data within the network i.e. there can be no transfer of data to the local device. Any other user of the device sees nothing (unless they know the login credentials of course). Separately there is a whole network scan of all data exiting the network irrespective of mechanism which catches and quarantines anything with confidential personal data including email of file transfer... USB drives don't work for example.

Our place is pretty tied down though... Not sure if the council would have the same tech.
 
Depends how its set up. Hackers use VPNs to hide and grab information.

But in a work situation, some places make you bring in your own pc or laptop and they set it up so you can only do work stuff. They lock you out of everything else.
 
You must log in or register to reply here.
Back
Top