Secure Remote Working
When working from home, we face different challenges when trying to keep our work and, crucially, sensitive information private and confidential. Below are some guidelines compiled by Caroline Rowland, Patricia Manko (Data Protection Coordinator), and Reiner Dirksmeyer (head of TG).
This includes:
1) information from the MPG;
2) information on how to work securely from home;
3) specific information about the use of video conferencing systems;
4) information about using online test providers.
Please do not hesitate to contact Reiner or Patricia for more information.
General information and rules
The information below comes from the MPG's Data Protection Officer and was adapted for the MPI.
The protection of personal and confidential data is very important outside the protected office workplace. For this reason, a number of regulations and measures have to be taken into account when working from home, to ensure the confidentiality, integrity, and availability of this data. Existing regulations, both MPG-wide and local from the MPI, still apply and must be observed. These include:
- The EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) (the AVG in the Netherlands)
- The IT Security Policy of the MPG
- The IT Security Guidelines of the MPG
- The General Works Agreement Security (GBV Sicherheit)
- The General Works Agreement Email
- Local IT (MPI TG) user regulations and works agreements
As far as possible, technical measures have already been implemented by the TG and central facilities. If further technical measures cannot be implemented by the TG, employees must implement further technical and, in particular, organisational measures themselves.
Employees should observe the following measures to ensure the confidentiality, integrity, and availability of personal and confidential data when working from home:
- Unauthorised persons must be denied access to business equipment and documents. This also includes family members
- Unattended business equipment in easily accessible or visible locations has to be secured with a Kensington lock or stored in a lockable cupboard
- Doors and windows have to be locked when absent from home so that business equipment and documents cannot easily be stolen
- Official documents must not be left unattended and have to be protected from access in the event of absence; in particular personal and confidential documents have to be stored in a lockable container or cupboard or in some other way be made inaccessible (as a general rule, do not take any personal data home without permission of your director/PI)
- Remote access to official systems and resources should be via MPG workstation computers and, unless otherwise regulated (e.g., access to MAX), by encrypted means, e.g., via the institution's VPN or gateway server infrastructure
- Access to systems must be protected with usernames and secure passwords; the use of an encrypted password manager is recommended
- When leaving the workplace, the screen lock must be activated or alternatively the chip card/the cryptotoken must be removed
- Personal or confidential data must be sent encrypted, e.g., by encrypted email or Cryptshare. This applies to HR data, applicant data, etc. Research data should never be sent anywhere without the written permission of your director or group leader
- Telephone calls about confidential content must be made in a protected environment (close your doors and windows, use headphones, etc.)
- All data have to be stored on MPI network drives. If necessary, data may be stored temporarily on encrypted external personal storage, but ultimately needs to be uploaded to encrypted network drives as soon as possible (this always has to be discussed with your PI, director, and TG/the data protection coordinator first)
- Data must be protected against loss, e.g., by storing it on network drives (especially personal and confidential data), or in other locations that are regularly backed up via a central backup system. Local storage, such as the local hard disk of the computer or external storage media, is not backed up by a central backup system
- Storage on encrypted external storage media is not permitted
- Official documents in paper form that are no longer required must be disposed of in accordance with data protection regulations; if necessary, they must be collected in a manner protected against unauthorised access and disposed of in the appropriate containers at a later date (please ask privacy@mpi.nl for help)
Further information can be obtained from our Data Protection Coordinator or the head of TG (both via privacy@mpi.nl), as well as from the data protection officer and the IT security officer of the Max Planck Society, whom you can contact directly at datenschutz@mpg.de.