GDPR and work from home

I can ask the DPC to investigate. I was just wondering in general if by looking at files remotely there would be anything downloaded to the computer

If you want them to investigate, it’ll need to be something specific, not your idle “wondering in general”...
 
Are you on the electoral register? Are you on Social Media?
Why is it that relevant
 
I can ask the DPC to investigate. I was just wondering in general if by looking at files remotely there would be anything downloaded to the computer

Unlikely but not impossible. Even if it was it's probably encrypted and no one else could see it, even if the computer was stolen.

Rather than a FOI request this is probably something to get your local politicians to ask. As they are likely to get a proper answer, and it's one of those sound bite issues they love.
 
But data loss can happen whereby an individual takes a photo of specific data using their personal device in an office or in their home, it doesn't matter. The risk impact depends on the nature of the data etc. and the likelihood can obviously vary as well. It's not possible to meaningfully quantify the risk in this way. The risk impact is potentially severe and the likelihood is potentially medium, so overall it's a severe risk, I think, that cannot be effectively mitigated. It's futile to speculate on an employee's motivation/being disgruntled etc. Fact is they can do this - how can it be mitigated effectively?
It's certainly not a perfect way of quantifying risk, but again there is no perfect in Information Security, you're trying to do the best you can and mitigate as much as possible to reduce the residual risk.

You're absolutely right that the impact could vary, but you're considering what is the maximum possible impact at this time. So if there is no remote viewing solution in place and few other controls then the impact is potentially all your network data being lost and you won't even know about it, so very high impact and it pops out at the top of your risks to address. So you put a remote viewing solution in place and some way of monitoring/reporting on that, now the maximum impact is that somebody can probably just take screen captures of small amounts of data, so the impact has now come down to say low and this risk is now out of your top 10 so you can stop worrying about it and focus on other higher risks.

It isn't futile to speculate on employee disgruntlement at all. If you're a very popular company to work for, pay well, have very good staff management with regular one-to-ones with staff including flagging low morale employees (maybe a Google or well run accountancy firm) vs. a company that is maybe in financial trouble in a declining market with no HR department and very poor people management (say a video rental store 10 years ago, or printing companies 15 years ago) then it is reasonable to factor in the higher likelihood of disgruntled staff when calculating risks - it's a statistical certainty that you will have more unhappy staff in the second company.

Keep in mind that mitigating is not the same as eliminating, you're reducing the risk to the point that it is bearable or impractical to mitigate further. So I'd argue that you've done a very good job of mitigating this risk effectively if you've put a remote viewing solution in place that disallows downloading of data, only allows you see a single screen of data at a time not lists, you've put some sort of management in place on the home machine that does not take control but ensures anti-malware is in place and up-to-date, that the remote viewing solution locks quickly on inactivity, that the user must use a second factor to login to ensure it is them and not somebody who has found their password, that you have a home working policy in place, that you're not allowing high risk employees (i.e. underpaid, low morale, transitory etc.) work from home etc. Compared to an open home PC with access to all the company's data, I'd say this risk has gone from very high to very low and would be acceptable for most scenarios.

This is a fairly standard form of risk management across most industries, not just IT/security, it's how it is done and it works!
 
GDPR has led to some nonsense. You have no evidence of a data breach. No evidence of data being used for another purpose than it was intended. No evidence that your data was shared inappropriately. No evidence that your data is wrong. The council hasn't refused to correct your data. You haven't asked to be forgotten and the council are refusing. You have nothing apart from someone was working from home. Let me save you a trip to the DPC. Don't bother.

You can go to the council and share your concerns but it is not a GDPR issue.
 
Are you on the electoral register? Are you on Social Media?
Why is it that relevant

If you are on the electoral register your name and address is on the internet. https://www.checktheregister.ie/

If you were ever a director of a company, your name, address and date of birth is freely available on the internet. Depending on the size of your company, your salary is too. If you are self employed, less information is provided.

On Social media, you have provided tons of information. Next time a website puts up a privacy notice, before you click I Agree, click on the option which shows you the amount of companies they are sharing information with. It is literally hundreds. We have given out so much information to companies for free that the likes of Facebook and Google tailor the ads we see.
 
GDPR has led to some nonsense. You have no evidence of a data breach. No evidence of data being used for another purpose than it was intended. No evidence that your data was shared inappropriately. No evidence that your data is wrong. The council hasn't refused to correct your data. You haven't asked to be forgotten and the council are refusing. You have nothing apart from someone was working from home. Let me save you a trip to the DPC. Don't bother.

You can go to the council and share your concerns but it is not a GDPR issue.
You do not know what evidence I have of anything, as if I would put it here, so you do not know if it is a GDPR or not.
 
We have no idea what the OP was asking about. So we have no idea if it's public information or not. There is no reason to speculate.

The issue of GDPR and working from home is an interesting one in itself.
 
You do not know what evidence I have of anything, as if I would put it here, so you do not know if it is a GDPR or not.

Well then what is your complaint because your original post is just nonsense. It is 2020. Remote working is common practice across every single industry. Are they all in breach of GDPR? You e-mail any organisation, chances are that the e-mail is going to an outsourced partner often in another jurisdiction to deal with your query. Is that a breach of GDPR? Companies still print out reports with personal data. Is the printing of data a breach in itself of GDPR? The days of companies giving work phones are gone. We all use our own phones with software to access work e-mails. Is that a breach of GDPR?

What are you accusing the employee of doing with your data that is a breach of GDPR?
 
We have no idea what the OP was asking about. So we have no idea if it's public information or not. There is no reason to speculate.

The issue of GDPR and working from home is an interesting one in itself.

It's not really. Working from home doesn't mean the same IT and general data protection policies that apply when you work from the office don't apply at home. Any company that allows you to download files from their server to your personal PC should be shot but that in itself is not a breach of GDPR. They are exposing themselves to huge risk and they will fail any proper IT audit but what exact complaint are you making under GDPR? If they lose data or suffer a data breach for that reason, then they can expect a huge fine. But there is no evidence here that the employee or the council have done anything wrong.
 
It's a bit of a stretch but,

I can imagine a scenario where someone had personal information they should have no access to.
However they know someone who does work from home on a system that would have that information.

There's been some issues around pulse and people looking up lotto winners things like that.

As for the OP they asked a vague question and got a vague answer.
 
@SBarrett has answered the reason why I asked about the electoral register and social media (more eloquently than I could have). I'm struggling to see what your actual issue is.
Was the FOI answered to your satisfaction?
You do know that if it had been answered in the council office any number of people could have had access to it as well. I just think your "GDPR" concerns are misplaced and frankly pointless. If it had been posted in how do you know the post delivery person didn't open and have a gander at it beforehand.
There are many more things to be paranoid about (especially with regard to social media) than some public servant looking at an FOI on their home pc.
 
I can imagine a scenario where someone had personal information they should have no access to.
However they know someone who does work from home on a system that would have that information.

Gossip as a means of transmission of data happens regardless of someone working from the office or home. It's a separate issue.
 
I see, so if it's a data breach or loss, it's ok if it's gossip.


Irrelevant but the gossip bit reminds me of....
 
I see, so if it's a data breach or loss, it's ok if it's gossip.


Irrelevant but the gossip bit reminds me of....

Almost all contracts of employment have a confidentiality clause in them. Disclosing information to a 3rd party, even idle gossip, can get you fired.
 