SCENARIO 1 : An educational organisation is transitioning to virtual classes and is using an online platform to deliver to the students. Teachers are working hard to digitise the content and subsequent workflow for all involved. During some of the online lessons, a couple of students innocently post images of the classes with all the faces plus full names of their fellow students publicly on social media.
SCENARIO 2 : A small company wants to ensure its employees are staying connected and has started using a messaging system which the teams are asked to download on their devices. This creates the opportunity for work discussions along with more personal communications, just like a work environment. The platform they use gets infiltrated with a spambot and it starts sending phishing messages to all the employees personal contacts in their phones contact book.
SCENARIO 3 : A large governmental department is starting to utilise a new video conferencing platform as everyone is working from home. Its operations and the information shared are highly confidential as they deal with issues of national security. Due to a flaw in the video system, some of the discussions are accessible to other parties who use it for nefarious means.
The question about liability bounced around for about a week until I got the following response via this tweet from John Edwards, Privacy Commissioner of New Zealand:
Employees are obliged to follow any reasonable instruction from an employer. If an employee conveyed reservations about using a particular tool and the employer said please proceed, they would likely be obliged to follow that instruction. The employer assumes the risk.
Agree. I would put it in writing to have a record of the concerns being raised. Employer should record the direction in writing too.
So if you are working from home and you have concerns regarding your privacy please do detail them via email with your employer. You might want to also ask for some risk assessment and scenario planning from the leadership also.
Stay safe and sane out there, plus wash your hands!
Personal data needs to be regarded as a human right, just as access to water is a human right. The ability for people to own and control their data should be considered a central human value. The data itself should be treated like property and people should be fairly compensated for it.