> I have established that the local authority in question does not give work computers so I assume they use their own

Anyone who works from home is given a work computer or laptop to use exclusively for their work. The staff member will be able to view your information, and so would anyone who is standing directly behind them. There are screens staff can get that allow them to further ensure what is on the screen is private.
Depending on the nature and security of the work, employers can put in place additional controls.
I doubt if your local authority will give you enough info to satisfy you that there will be no breach of data without you telling them why you are asking. So you will have to decide if you will take the risk or not. After you have obtained the response you need you can of course ask to be forgotten by the local authority. I would take the risk but the decision is yours alone.
I have established that the local authority in question does not give work computers so I assume they use their own
....
So my FOI, with my personal details like my name /address /FOI request is downloaded to someone's personal computer in their home. ...
> What really is the difference between whether they work from office or home vis a vis GDPR?
> If working from the office they could conceivably take out their mobile phone and take a photo of the computer screen which has your personal data. There aren't really any effective controls that I'm aware of that can prevent this particular thing from happening.
> ...
> Now take the personally owned home PC scenario: there are no other staff members around to notice odd behaviour, the PC is unlikely to be managed so rather than small amounts of data a threat actor could be downloading databases with millions of records, it's highly likely the PC is being used by the employee's spouse, kids, maybe housemates and/or visitors who could take data or just be using the PC in a way that it is more likely to get infected with malware than a work protected machine, it's more likely to be stolen in a break-in and less likely to be encrypted.
> ...
> ....Fact is they can do this - how can it be mitigated effectively?
> Is it true as someone said the PC is just a window? In a personally owned home PC scenario are the files viewed over a secure VPN not downloaded? If someone else uses the computer could they access them in a temp file or whatever?

Ah this is my area.
Information Security isn't really about certainties, it's about risk management. You'll tend to assess risks based on the impact they would have if they came about and the likelihood of them happening, multiply the two together and you get a risk score, then you work to reduce your risks starting with the highest numbers.
In your example the impact of data being lost is the same in both cases, however for a worker in the office to take photos of their screen to steal data you're firstly assuming you have a disgruntled employee (possible but unlikely), that somebody will not see them do it and take action, and taking photos of screens is only going to get you fairly small amounts of data.
Now take the personally owned home PC scenario: there are no other staff members around to notice odd behaviour; the PC is unlikely to be managed, so rather than small amounts of data a threat actor could be downloading databases with millions of records; it's highly likely the PC is being used by the employee's spouse, kids, maybe housemates and/or visitors who could take data or just be using the PC in a way that makes it more likely to get infected with malware than a work-protected machine; and it's more likely to be stolen in a break-in and less likely to be encrypted.
People lose data (like Bitcoin encryption keys, as an example) from their home PCs via malware all the time, so it would be hard not to give this the highest possible likelihood. Compared to that, a work PC in the office where data loss is relatively rare and requires a disgruntled employee with some privacy is going to be close to the lowest possible likelihood.
So big difference if I was running their Information Security...
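The scoring the post above describes (impact multiplied by likelihood, highest score treated first) as a small runnable risk register. This is an added example, not code from the thread or from any authority's own process; the 1-5 scales, the scenario scores and the "managed device" control with its likelihood reduction are constructed, illustrative assumptions. It goes one step beyond the post by also showing residual risk after a control is applied, which is how the VPN and remote-desktop layers mentioned later in the thread would feed back into the score.

```python
"""Added example: a small risk register scored as impact x likelihood.

Constructed values only; the 1-5 scales and the scenario scores are
illustrative assumptions, not figures from the thread.
"""
from dataclasses import dataclass, replace

SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int        # 1 negligible .. 5 severe (how bad it is if it happens)
    likelihood: int    # 1 rare .. 5 almost certain (how likely it is to happen)
    rationale: tuple[str, ...] = ()   # why the likelihood was set where it was

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a typo cannot skew the ranking.
        for label, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} must be {SCALE_MIN}-{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


def rank(risks: list[Risk]) -> list[tuple[str, int]]:
    """Highest score first; ties broken by name so the order is deterministic."""
    return [(r.name, r.score) for r in sorted(risks, key=lambda r: (-r.score, r.name))]


def with_control(risk: Risk, likelihood_reduction: int, control: str) -> Risk:
    """Residual risk after a control that lowers likelihood. Impact is left
    unchanged: losing the same data is just as bad, it is merely less likely."""
    new_likelihood = max(SCALE_MIN, risk.likelihood - likelihood_reduction)
    return replace(risk, likelihood=new_likelihood,
                   rationale=risk.rationale + (f"control: {control}",))


def treat_first(risks: list[Risk], threshold: int) -> list[str]:
    """Names of the risks at or above the threshold, in treatment order."""
    return [name for name, score in rank(risks) if score >= threshold]


# Constructed register reflecting the two scenarios discussed in the post.
OFFICE_PHOTO = Risk(
    "office worker photographs screen", impact=5, likelihood=1,
    rationale=("needs a disgruntled employee", "colleagues may notice",
               "only small amounts of data per photo"),
)
HOME_PC = Risk(
    "unmanaged personal home PC", impact=5, likelihood=5,
    rationale=("nobody around to notice", "unmanaged, bulk download possible",
               "shared with household, malware exposure", "theft, no encryption"),
)
REGISTER = [OFFICE_PHOTO, HOME_PC]

# Assumed control: a managed device with remote-desktop-only access and an
# encrypted disk. The likelihood reduction of 3 is an illustrative assumption.
HOME_PC_MANAGED = with_control(HOME_PC, 3, "managed laptop, VDI only, encrypted disk")


if __name__ == "__main__":
    for name, score in rank(REGISTER + [HOME_PC_MANAGED]):
        print(f"{score:>3}  {name}")
    print("treat first:", treat_first(REGISTER, threshold=10))
```

The register deliberately keeps impact identical for both scenarios, as the post does, so the whole difference in score comes from likelihood; that is also why the control only touches likelihood.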
> OK if they "only connect to a virtual or remote desktop", would there be anything visible to a subsequent user of the PC?

Depends on the VPN. Some allow files to be downloaded, some don't. Some only connect to a virtual or remote desktop and you can't do anything or send anything outside that desktop.
You can have many layers and the VPN is only one of them.
OK, if they "only connect to a virtual or remote desktop", would there be anything visible to a subsequent user of the PC?