How COVID’s ‘hidden bugs’ can put employee data on the line

20 November 2020 - We’re living in a different world, in which companies have an obligation to look after their staff like never before. But it’s not just cleaning, screening and social distancing that businesses must address to protect their employees’ health. For ironically, there may be risks in some of these protections themselves.

Most of us have, by now, had our temperatures checked while visiting doctors’ surgeries, offices, schools or even restaurants. In the resources and energy sector, where many companies have continued to work through COVID-19, temperature screening has been combined with biometric and facial recognition systems that simultaneously scan your security credentials and your body temperature.

But according to Sean Webb, who heads up Security and Privacy at global tech consulting firm Protiviti, the very solution that aims to protect employees’ and customers’ futures may inadvertently be putting them at risk.

“To enable new ways of working, it makes sense for large companies to simultaneously scan employee temperatures and identification, as a way of saving time and getting people into work efficiently – particularly when they may also need additional cleaning and security staff,” says Webb. “But the danger is what happens to that personal data once it’s captured.”

Cloudy definitions

When data is stored in the cloud, responsibility for its security is shared between the cloud provider and the client company: the provider secures the underlying infrastructure, but the client remains accountable for how its own data is configured, accessed and protected. With Australian companies rapidly adopting smaller, more innovative Software as a Service (SaaS) providers built on cloud-based storage, the risks of holding customer and employee data ‘in the cloud’ have grown substantially, because every additional provider is another party holding that data.

The question now is whether risk and security managers can keep up with these evolving technologies – particularly with the immediate need to utilise them to protect personnel from COVID-19.

“Before a vaccine is proven and delivered, every large company will have to take some responsibility for their employees’ health, and that will mean more companies embracing automated biometric and scanning systems,” says Webb. “The challenge is that organisations don’t always understand what data they’re collecting, and how much their processes comply with their own internal policies as well as the Australian Privacy Principles.”

Protection in law

Administered by the Office of the Australian Information Commissioner, the Australian Privacy Principles require organisations covered by the Privacy Act to explain to their employees and customers what personal information they are collecting and why, and to protect that information from misuse, loss and unauthorised access, modification or disclosure.

The real challenge arises when an employee, contractor or customer leaves a business, or when a business switches to another cloud service or third-party software provider. The company remains legally obliged to ensure that personal information it no longer needs is destroyed or de-identified, and that it cannot be accessed by the outgoing provider or any other party.

As well as understanding what data they are capturing, therefore, companies with biometric identification systems must also understand where that data is being stored, who has access to it, whether it is secure, and how they can remove it from their systems. This applies not only to data held by cloud providers offering compute, storage or networking infrastructure (‘Infrastructure as a Service’), but also to data held by the smaller tech companies providing software or apps (SaaS) through the cloud.

“Small, agile software providers are becoming ever more important to help finance, construction, manufacturing, resources and other businesses design innovative apps that solve specific challenges and provide personal customer experiences,” says Webb. “But with that speed and innovation come additional privacy risks.

“Every company using these smaller service providers is going to have to think about protecting their employees’ and customers’ data more carefully in the future, and incorporate these protections into the design of new systems from the outset. This will be a big challenge for businesses in 2021: protecting their employees’ data while protecting them from COVID-19.”

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and its independent and locally owned Member Firms provide clients with consulting and managed solutions in finance, technology, operations, data, digital, legal, governance, risk and internal audit through its network of more than 85 offices in over 25 countries.

Named to the 2022 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 80 percent of Fortune 100 and nearly 80 percent of Fortune 500 companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.