Looking back on 2020, nobody would have predicted how far organisations and companies would digitalise as a result of the sudden arrival of homeworking during the current global pandemic. Employers and workers have had to adapt by implementing distance working methodologies and, given that homeworking is here to stay, some governments have opted to regulate it: Spain did so last September with the Royal Decree-Law 28/2020, and Argentina last August with the Law 27. Other countries in the region had already regulated homeworking in their legal systems, such as Colombia in 2008 with the Law 1,221, Peru in 2013 with the Law 30,036, and Costa Rica in 2019 with the Law 9,738.
Homeworking Regulation in Spain
The Distance Work Act harmonises the basic standards that employers must apply when implementing homeworking in their organisations. This modality was already a reality for small and agile companies such as start-ups; for larger organisations and public administrations, however, it has been pure improvisation, as the lockdown periods since March have shown.
This circumstance exposed the lack of methodologies and systems for adapting to remote work, increased the exposure surface of the organisations’ data and, consequently, aggravated cyber security problems, all the more so because the use of personal computer equipment and connections over private networks meant that corporate information left the security perimeter offered by the organisations’ facilities.
Despite criticism from the business sector during the passage of the draft law on distance work, an agreement was finally reached between the government, employers and trade unions. One of the points of friction was the obligation to cover the costs incurred by workers. The decision is that employers will have to pay in cases where their workers work from home more than 30% of their working time; that is, for five-day weeks of forty hours, the rule applies to those who work from home more than one and a half days a week, counted in quarterly periods. This could dampen the boom in homeworking, as it means the employer pays twice: for office maintenance and for the worker’s expenses.
The most interesting part of the rule, where the technical and the legal meet, is section h) of article 7, which addresses the need to regulate the means of business control, which must be set out in writing in the homeworking agreement. This is an interesting legal area that requires studying the case law of the high courts, case by case, to see how judges determine when access to information on employees’ computer equipment and/or corporate email is lawful. The basis for a successful agreement is trust and a balance between the employer’s power of control and the employee’s right to privacy.
Security and Privacy in Homeworking
Within this new working paradigm it is evident that, after people, information remains the main asset of companies, and that its security, now more than ever, can be compromised by the use of personal equipment outside the company’s control.
The lack of a policy on the proper use of information systems in most companies is one of the main reasons these resources are not properly managed, which in many cases can seriously affect business continuity.
As an information security auditor, technology expert and businessman, I am responsible for implementing the necessary measures to mitigate or reduce the risks associated with information security but, if the incident occurs, also to investigate it by collecting and analysing evidence to help identify the origin of the problem.
The objective of the ISO/IEC 27001:2013 standard is to protect the confidentiality, integrity and availability of information in companies. Among other things, it covers Homeworking and the Acceptable Use of Company Assets. Point 8.1.3 aims to document the appropriate use of information by describing the security requirements of the assets made available to the employee (computer or laptop, mobile phone, mail account, etc.), always communicated in an appropriate manner to avoid misuse such as unauthorised extraction of information (confidentiality), manipulation of information (integrity), impersonation or ransomware (availability), among others.
This acceptable use policy can be adopted by a company even without pursuing certification. The question is: if we sign a confidentiality agreement or NDA with our employees, why don’t we also document a policy and have them sign an asset use document? This would avoid many technical and legal problems in the event of security and privacy incidents in homeworking. Firstly, because the employee is duly informed of what he/she can or cannot do with the company’s resources; secondly, because he/she signs a document that proves this, so if an incident does occur, he/she cannot claim ignorance of the rules and policies on the company’s information security.
Point 6.2 deals specifically with guaranteeing information security when using resources for mobility and homeworking. This is also a very broad objective that we cannot cover in depth here, but we summarise it in the following point, which covers the risks associated with this practice, the controls that must be implemented to reduce or mitigate them, and the establishment of metrics that allow adequate monitoring.
This is an example of a document to be signed by the employee, which must include GDPR aspects relating to the processing of their personal data by the company:
In the second part of this post we will continue to deepen our understanding of this issue, emphasizing both the balance between corporate control and privacy and the tools of control. We hope you find it useful.