Security Standards for E-meetings: Identification & Data Protection
Written by Dhiraphol Suwanprateep (Partner), Nont Horayangura (Partner), Kritiyanee Buranatrevedhya (Legal Professional) and Chayapisa Kositbenjapol (Legal Professional) of Baker McKenzie.
Following our previous client alert regarding the ETDA Notifications on Information Security Standards and the Certification of the Meeting Control System, we have seen e-meetings become an integral part of the "new normal" during the COVID-19 pandemic. In this alert, we point out two additional considerations, (i) security standards for identification and (ii) data protection, to help businesses take practical steps when arranging e-meetings.
Methods to identify participants
The Emergency Decree on Electronic Meetings, B.E. 2563 (2020) (the "Emergency Decree"), prescribes that, prior to joining the e-meeting, the meeting coordinator must make arrangements for participants to identify themselves in order to join the meeting. Companies should therefore select an identification method appropriate to the meeting. The ETDA Standard for Maintaining Security for Information Technology of the Meeting Control System (the "ETDA Standard") supports this choice: it recommends that (1) for general e-meetings, the meeting control system should authenticate participants with at least a single-factor method (e.g. a password), whereas (2) e-meetings on confidential matters should use a multi-factor method (e.g. a password combined with an OTP). The distinction matters in practice: a password alone is defeated by a single leaked or guessed credential, while a second factor of a different kind (something the participant has, such as an OTP device) must also be compromised before an unauthorized person can join.
This is consistent with the examples of secure identification methods in the Notification of the Ministry of Digital Economy and Society re: Standards for Maintaining Security of Meetings via Electronic Means, B.E. 2563 (2020) (the "MDES Notification"), which mentions the use of a username and password or a One-Time Password (OTP).
A password or OTP need not be the only method implemented. Companies can also consider the other authenticators described in the ETDA Recommendation on ICT Standard for Electronic Transactions re: Digital Identity Guideline for Thailand – Authentication (the "ETDA Recommendation"). The ETDA Recommendation gives examples of single-factor authenticators, such as a memorized secret (password), a single-factor OTP device, single-factor cryptographic software or a single-factor cryptographic device. It also gives examples of multi-factor authentication, including a multi-factor OTP device, multi-factor cryptographic software, or a memorized secret combined with another single-factor authenticator (for instance, a password plus a single-factor OTP device, which together count as two factors because they are of different kinds). Readers familiar with NIST SP 800-63B will recognize the same authenticator types. These examples give companies a basis for deciding whether single-factor or multi-factor authentication suits each type of meeting they plan to hold, whether a general meeting or one on confidential matters.
Are there any concerns related to personal data protection requirements?
Although companies are currently exempt from complying with certain data controller obligations under Thailand's Personal Data Protection Act B.E. 2562 (2019) (the "PDPA") until 31 May 2021, they should note that personal data requirements for organizing e-meetings still apply from sources other than the PDPA. According to the MDES Notification, there should be standards for maintaining security of information technology, including the maintenance of privacy and the protection of personal data. For the meeting control system, the ETDA Standard sets out these security requirements for personal data in more detail. For example, there should be: an asset register that includes a list of the personal data relevant to the meeting, together with information classification and control measures; documented procedures for the deletion or destruction of e-meeting information, including personal data; and an operational plan for backing up and recovering personal data which, among other things, designates a person responsible for backup and recovery. Companies must therefore ensure that these privacy-related requirements for e-meetings are met, even though enforcement of the relevant PDPA obligations has been postponed.
About Baker McKenzie
Market disruption is an accepted reality for business, as new competition and technologies drive the pace of change faster than ever before. Our clients want lawyers who are prepared to lead, differentiate and adapt in a constantly changing world. They want advisers who are curious about the world, and embrace collaboration and candour.
As the original global law firm, we bring the right talent to every client issue, regardless of where the client is. We partner with our clients to deliver solutions in the world’s largest economies as well as newly opening markets.
We are global citizens, industry savvy, diverse and have a thirst for innovation. Our strength is our ability to adopt a new type of thinking and use cutting-edge legal technologies to help clients overcome the challenges of competing in today’s new world economic order.
We are The New Lawyers.
We are Baker McKenzie.