Key considerations for data protection outside the office environment

With homeworking and agile working now a regular occurrence, the ICO has issued warnings to companies to be mindful of how they are protecting data. This is what companies need to be aware of:

Policies and procedures

Detailed agile working policies should be implemented to demonstrate compliance considerations and ensure employees are fully aware of what is expected of them when working outside the office. These policies should themselves be agile; they should be regularly reviewed and updated as things develop to ensure they remain fit for purpose. If employees are allowed to use their own devices when working from home (mobile phones or laptops for example) then a standalone Bring Your Own Device policy may also be appropriate if one is not already in place.

Computer security measures

Setting up your company's IT infrastructure will have involved careful consideration of security and continuity.

However, your employees are unlikely to have gone through the same detailed thought process when setting up their home systems. Where staff are working remotely, providing access to servers only via a secure virtual private network (VPN) and ensuring that appropriate anti-virus and security software is installed on all devices will mitigate some of the security risks. Further measures will be needed depending on the level of risk that home working poses in the context of your business, so that your approach is appropriate to the nature, scope, context and purposes of your data processing activities.

Keeping hard copy and other information at home

Any personal data processed by an employee at home, or anywhere else, will constitute a processing activity undertaken by the company (the storing of personal data is in itself a processing activity). The same data protection principles therefore apply, and any personal data must be kept as securely as it would be in the office. Data stored at home will also be subject to the ordinary principle of storage limitation and must be securely destroyed or deleted in line with your retention policy. Secure destruction will involve more than just throwing the documents into the bin – where employees don’t have the capability to securely destroy documents, then such documents should be kept safe until they can be taken back to the office for shredding.

Transporting data

Care must also be taken when transporting personal data to or from remote working locations. We have all heard the horror stories of people leaving sensitive documents on trains and buses; although this may not be an immediate problem while people are travelling less frequently on public transport, the risk will increase now that lockdown has ended. Where personal data is transported on removable storage devices such as USB sticks, those devices must be suitably encrypted to ensure the security of the data they hold. Organisations should also be careful when making data accessible online: due diligence should be undertaken on any file sharing sites used, and staff should be prohibited from forwarding work emails to personal email addresses.

Collaborative working software

With the sudden increase in people working from home, the popularity of collaborative working software has increased. However, care must always be taken whenever new software is rolled out across the company. Ordinary due diligence processes should be followed to ensure that the proposed software affords adequate levels of protection to any personal data involved and a Data Protection Impact Assessment must be completed in advance. Where cloud-based collaborative working software is involved, the software provider is likely to be acting as a processor on behalf of your company. The terms and conditions will therefore need to contain the mandatory provisions in article 28 GDPR and transfers outside of the EEA (to servers in the USA for example) will need to be reviewed to ensure adequate protection is in place.

Privacy

Employees must ensure that their agile working environment allows for a sufficient level of privacy to avoid any unauthorised disclosures or data breaches. Confidentiality must be maintained when discussing personal data over the phone or on video calls, and laptop screens should be locked when not in use to avoid any inadvertent third-party access. Privacy screens should also be used when working with personal data in shared areas or in close proximity to others (even family members). Regardless of where employees are working, any data breaches will need to be reported in the ordinary way.

Maintaining reporting lines

As part of your company’s data protection compliance framework, clear reporting lines should be in place for the escalation of any data protection matters (such as data breaches or requests by data subjects to exercise their rights in respect of the processing of their personal data). These escalation processes must be maintained wherever staff are located. Where a breach is reportable, the ICO must be informed within 72 hours. For this strict timeframe to be met, breaches must be promptly escalated internally for assessment. Similarly, to avoid any failures to comply with requests by data subjects, employees need to be able to independently recognise these and forward them on as appropriate, even when working away from the office.

During the coronavirus pandemic, the ICO has confirmed that it will take an empathetic and proportionate approach to regulation and will consider the impact the pandemic may have had on organisations' compliance resources when deciding what action to take. As we start to move back towards a semblance of normality, the potential for any such leniency will be removed and expectations will return to their usual high standards. As agile working is normalised, care must be taken to ensure that data protection obligations continue to be met.