While remote working affected nearly one in four employees in 2021, companies must remain vigilant about the security of their information system, but also about the tools they make available to their employees and their managerial practices.
Since the health crisis, telework/remote working has become essential in many companies. At the end of 2021, 38% of employees in the private sector practiced remote work, whereas they were only 30% at the end of 2019, according to the latest figures published as part of the Malakoff Humanis Telework and Hybrid Organizations 2022 barometer (baromètre Télétravail et Organisations hybrides 2022). Also, according to this study, teleworking is practiced on average nearly two days a week (compared to 1.6 in 2019) and is once again a choice for 68% of employees (59% during the health crisis).
But remote work is not without certain risks for the protection of personal data. First of all, the company’s information system is more exposed to cyberattacks. Employees may also be subject to inappropriate surveillance measures by their employer. Securing personal data therefore remains a major challenge for all organizations, regardless of their sector of activity and size.
Reinforcing the IT system security
One of the first recommendations that companies can follow is to publish a security charter related to telework. This document must be communicated and explained to employees and may be part of the internal regulations.
All employee workstations must also be equipped with, at a minimum, a firewall, an antivirus and a tool to block access to malicious sites. The presence of a VPN (with two-factor authentication) is a real “plus”, it avoids the direct exposure of services on the Internet.
The use of protocols guaranteeing the confidentiality and authentication of remote servers, for example HTTPS for websites and SFTP (SSH File Transfer Protocol) for file transfer, is also strongly recommended. Similarly, Information Systems Departments (DSI) are invited to apply the latest security patches to their equipment and software.
Provide employees with appropriate tools for remote work
So that employees can carry out their daily tasks without risk to the information system and personal data, the CNIL (the National Commission for Computing and Liberties Commission nationale informatique et libertés) recommends providing employees with a list of communication and collaborative work tools appropriate to remote work, which guarantee the confidentiality of exchanges and shared data.
“Favour tools over which you retain control. And make sure that they provide at least state-of-the-art authentication and encryption of communications and that the data passing through is not reused for other purposes (product improvement, advertising, etc.) “, specifies the CNIL on its site.
Companies are also invited to consult the list of products benefiting from the First Level Security Certification (CSPN) issued by ANSSI, the National Agency for Information Systems Security. The CSPN is carried out by a CESTI (Information Technology Security Evaluation Centre), a laboratory carrying out product security evaluations and acting as a third party independent of developers and sponsors.
Remote working and the employer’s power of control: “Yes, under conditions”
A company can control the activity of teleworking employees if, and only if, this does not infringe their rights and freedoms. “Telework being only a way of organizing work, the employer retains, in the same way as when the work is carried out on site, the power to supervise and control the execution of the tasks entrusted to his employee. Nevertheless, if the employer’s power of control is a normal consideration and inherent in the employment contract, the courts have constantly reminded that this power cannot be exercised excessively,” recalls the CNIL.
The employer must therefore constantly be able to justify that the measures implemented are strictly proportionate to the objective pursued and do not infringe excessively on respect for the rights and freedoms of employees, particularly the right to respect for their private life.
The company is also subject to an obligation of loyalty towards its employees. As such, it must inform them, prior to any implementation, of any systems for controlling their activity. Moreover, the courts have repeatedly recalled that the evidence obtained using such devices cannot, in principle, be invoked to justify a sanction.
Furthermore, a system for monitoring working time or activities, whether carried out remotely or “on site”, must, like any processing of personal data, have a clearly defined objective and not be used for other purposes, be proportionate and adequate for that purpose and require prior information to the persons concerned.
Permanent surveillance tools are prohibited
Permanent monitoring tools are also prohibited, except in exceptional cases duly justified with regard to the nature of the task. For example, employers cannot use video devices – such as a webcam – or audio to ensure that an employee is behind their screen. Likewise, the permanent sharing of the screen and/or the use of “keyloggers” (software which makes it possible to record all the keystrokes made by a person on a computer) are prohibited.
Finally, the CNIL recommends not imposing the activation of their camera on employees who participate in videoconferences. Simply activating the microphone is sufficient. The activation of the video indeed constitutes a processing of personal data, governed by the GDPR, which may lead to revealing intimate information. “The CNIL invites employers to favour videoconferencing solutions that allow users to blur the background, in order to allow participants not to display images of their home in the videoconference (which may reveal private information) or third parties who would pass in the field of vision of the camera”, specifies the CNIL.
The rise of remote working is therefore accompanied by a certain number of obligations on the part of companies, in particular with regard to strengthening the security of their information system, providing employees with tools appropriate to remote work and respect for the rights and freedoms of employees, including their privacy.