The advent of COVID-19 and consequent State required social distancing and Shelter in Place policies have ushered many businesses into "remote" workspaces with employees working from home ("WFH") and/or working from anywhere, as they attempt to balance halting transmission of the virus and providing seamless service to their clients. While technology has facilitated the continuation of job functions outside the physical workplace, providing extensive remote access privileges to employees on multiple tiers within the organizational framework creates challenges with ensuring adequate data security and protection.1
The Problem
Whilst remote access to servers is not uncommon, the pool of persons which (on account of business continuity) have remote access and the breadth of remote access have been enlarged. Additionally, WFH may also require that employees have custody of paper files which may further give rise to negligent and/or deliberate breaches of data protection laws.
The Data Protection Law, 2017 of the Cayman Islands (the "DPL"), defines a Data Controller as a person2 who, alone or jointly with others determines the purposes, conditions and manner in which any Personal Data are, or are to be, processed.3 Data Controllers must ensure that Personal Data is processed fairly and with the consent of the data subject (for e.g. the client or investor). The DPL widely defines processing as obtaining, recording or holding data, or carrying out any operation on personal data.4 "Processing" refers to a wide variety of actions including collation, storage and communication.5
Institutions such as banks, investment funds and accounting firms are legally obligated to obtain Personal Data (including details of personal identification and finances) from their clients and they bear the burden of ensuring that Personal Data is not misused. The task of processing Personal Data is frequently delegated far down the organizational chain, however, the risks associated with delegation are more manageable when employees are confined to a central location where physical access to materials and the network may be controlled.
WFH is particularly challenging as employers cannot control access to the "workplace" when it is an employee's home. The reality is that family members and friends often have free access to the remote workplace and the employer's laptop with sensitive information may be lying open in clear view. The employee has fundamental rights relating to privacy and family life which make it impossible to implement surveillance safeguards in the employee's home.