
Data Protection

Dáil Éireann Debate, Tuesday - 13 June 2023

Questions (417)

Peadar Tóibín

Question:

417. Deputy Peadar Tóibín asked the Minister for Public Expenditure, National Development Plan Delivery and Reform the security protections in place for remote workers within civil and public service organisations to safeguard against personal information of members of the public in audio, text and electronic form being inadvertently exposed to unauthorised third parties within the remote setting; if he can provide a copy of the remote working best practice guidelines for civil and public service workers; and if he will make a statement on the matter. [27816/23]

Written answers

The Blended Working Policy Framework for Civil Service Organisations was published by my Department in March 2022 as a guide for Civil Service Departments and Offices to develop their own individual blended working policies. Appendix J of the Framework (which is available at www.gov.ie/en/publication/da010-blended-working-policy-framework-for-civil-service-organisations/) addresses employer and employee legal obligations in relation to security, confidentiality, secrecy and standards of behaviour and also data protection obligations.

With regard to my own Department’s implementation of blended working, I can advise the Deputy that all remote workers in my Department have devices that are encrypted, the devices have appropriate security deployed and all traffic securely travels over Virtual Private Network connections to services within Government Datacentres. For reasons of operational and national security, it is not appropriate to disclose specific details of Cyber Security arrangements.

My Department’s internal blended working policy was developed in line with the overall Civil Service Blended Working Framework. All employees must be able to carry out all the responsibilities of their role when availing of blended working. All departmental policies and legislation continue to apply regardless of place of work. This includes, but is not limited to, ICT policies, the Data Protection Act 2018 and the Official Secrets Act 1963. Blended Workers are reminded of this as part of the application process. The blended working application includes a declaration which the applicant must review and sign that states that their designated workstation allows compliance with data security and applicable confidentiality standards.

Furthermore, my Department’s blended working policy reminds employees that they are responsible for both the security of any official devices issued to them and the information stored on these devices, also setting out a protocol which applies to this principle. The policy also details obligations which apply to employees such as health and safety and data protection, and guidance for conducting video calls is provided within our Blended Working Policy document. My Department has also provided employees with a number of webinars relating to remote working since it was introduced, such as “Thriving in New Working Models”, “Managing Remote Teams”, “Cybersecurity” and “Conducting Remote Meetings”.

The position with regard to the bodies under the aegis of my Department is set out below. I am advised that the Office of the Ombudsman will reply directly to the Deputy.

Office of Public Works

OPW’s blended working policy sets out the criteria related to designated workstation requirements, which include a secure working environment that complies with data protection, security and confidentiality standards. The policy places an obligation on blended workers to adhere to all OPW policies when working remotely as if they were in the OPW work premises. This includes ensuring that appropriate record keeping and file management is maintained while remote working. Specific requirements are set out in the blended working policy in relation to information security including printing, file management, confidential information and software. Cyber security relating to all OPW personnel, including remote users, is subject to ongoing review. The requirements of the Cyber Security Baseline Standards are adhered to.

National Shared Services Office

NSSO staff are required to complete mandatory Data Protection and Cyber Protection Training on an annual basis. The NSSO expects all staff working remotely to adhere to the security protocols outlined in its Blended Working policy and complete the mandatory Blended Working eLearning Module to ensure their familiarity with the policy before applying to work remotely. The NSSO’s Blended Working Policy outlines the security protocols for staff who are working remotely and is available to the public on its website. The NSSO also expects all staff working remotely to exercise appropriate discretion in their use of official devices. This is in line with the Civil Service Code of Conduct, which applies for all staff when working in the office or working remotely.

Public Appointments Service

PAS staff have been provided with specific, detailed policies and procedures outlining the importance of safeguarding personal information while working remotely. This includes explicit instruction not to work where their laptops may be visible/accessible to any third parties. A five-part data protection training course is delivered to staff annually to remind them of their obligations under data protection legislation, and this course includes specific guidance on avoiding data breaches while working remotely. Similar guidance is also provided to Board Members who assess candidates remotely. Confidentiality Agreements are in place which specifically outline Board Member responsibilities in this regard.

For reasons of national and operational security, it is not appropriate for PAS to disclose the specifics of its security arrangements for remote workers. The security protections for remote workers are in line with the guidance provided by the National Cyber Security Centre. PAS expects all users of official devices to adhere to its Information Security Policy, the Civil Service Code of Conduct and to exercise appropriate discretion in their use whether working in the office or working remotely. PAS IT have also implemented a number of different technologies to protect its networks, devices and the data it stores. PAS have also focused heavily on the role of cyber security end user awareness training, and provide staff with access to rolling training programmes in this area.

State Laboratory

Blended working is facilitated for eligible staff on a case by case basis. Training, managerial approval and policy acceptance are required for each staff member. All laptops are encrypted and managed by the State Laboratory. Staff are instructed that all confidential and personal data is to be kept within the State Laboratory core infrastructure and not on any portable devices. The State Laboratory adheres to the Blended Working Policy Framework for Civil Service Organisations 2022. The State Laboratory employs industry best practices around remote working and remote access to State Lab ICT systems and data. All reasonable safeguards are in place to protect confidential and personal data.

Office of the Regulator of the National Lottery

The ORNL does not provide services to the public and therefore holds a very limited amount of personal information of members of the public in any format. Calls to the office are not recorded, therefore there are no audio recordings retained, other than voicemail messages. To protect any personal information submitted to the office, a range of ICT security measures are in place. Staff of the ORNL are required to abide by the information security and confidentiality requirements of the Office’s Remote Working Policy. Staff are given annual training on maintaining the security and confidentiality of Office information and data.
