Tips to reduce data protection risks when staff working from home
As most of us find ourselves working remotely due to the COVID-19 pandemic and we adapt to new working arrangements by engaging with unfamiliar technology, attending online meetings, communicating via apps and using new ways to access and share information, it’s more important than ever that organisations don’t overlook obligations to protect personal data.
Indeed, it is vital to ensure the technologies relied upon so much to continue operations during this unprecedented time are secure, adhere to appropriate standards of data protection and utilised in a manner which is acceptable and mitigates the risk of unauthorised access or leakage of personal data. This article sets out some tips for organisations to consider when operating under a home working model.
1. Use of video conferencing and chat applications
When deciding which video-conferencing or chat software to use, choose a supplier you can trust as well as considering cost and ease of use. Conduct a due diligence exercise on new suppliers and complete a DPIA to ensure that you have considered any data protection risks. Consider the following:
- Will any personal data collected be transferred outside the EU/EEA?
- Does the supplier comply with GDPR? Take a close look at the supplier’s privacy information.
- How long will any personal data collected be retained for?
- Review security measures. Will data be encrypted?
- Are the contractual terms and conditions fair and comply with GDPR/DPA? Who is responsible in the event of a personal data breach?
2. Keeping devices and accounts secure
It’s important to make sure that access to your employees’ devices and accounts is secure, even when home working under lockdown conditions:
- Ensure that software and antivirus updates (including ios/android updates) are installed on electronic devices used for work.
- Avoid allowing staff to use personal phone numbers and email accounts for work purposes. If this is unavoidable, inform employees that should they must use a personal email account for work purposes, to do so with caution, particularly if used to share personal data.
- Remind staff to lock their screens when devices are unattended.
3. Issue clear home-working guidelines to staff
Once you have chosen your supplier(s) and have identified appropriate standards you wish your staff to comply with to ensure the security of your data, communicate these expectations to your workforce in the form of a Working from Home Policy. Ensure any expectations are reasonable taking into consideration sensitivity of the data and also the resources employees will have at home e.g. not everyone will have a shredder to dispose of information. Such expectations may include:
- Employees should only use approved suppliers for work purposes.
- Avoid discussing sensitive matters or sharing personal data during a video conference where it is not completely necessary, albeit this may be difficult in the current climate.
- Advise against recording video meetings, unless necessary.
- Ask employees to consider the location of the device in the home and whether it can be accessed from others in the property? Can their flat mate hear their discussion or see the screen? When on camera think about what is in the background i.e. confidential documents or other screens.
- If sharing their screen think about what may be visible. Email previews or instant messenger chat contain personal data. Close these down, and reopen after the meeting.
- Advise how they can keep papers secure if they have no means to dispose of it in the normal way e.g. shredders.
- Remind employees to keep passwords safe so other members of their household cannot access them.
- Discourage sharing of confidential documents or personal data via online chat. Anything shared could be subject to processing by the supplier.
- Ensure measures are in place to ensure that any documents containing personal data are encrypted before sharing and double check the recipient email address.
4. Protecting physical copies of personal data
It may be necessary for your staff to take copies of personal data home. This should be limited wherever possible. However, if this is necessary, we recommend that your organisation keeps a record of the documents your staff remove from the office to track all data and ensure nothing is misplaced. Remind employees to keep physical records out of view of other members of the household and secure them in a drawer or cupboard when not using them.
The Information Commissioner has also issued guidance on Data Protection during the COVID-19 pandemic.
Morgan O’Neill is Director of Data Protection Services and Loretta Maxfield is a Partner in our specialist Data Protection team. If you have any further queries, please contact Loretta or Morgan on 03330 430350, or by emailing lmaxfield@thorntons-law.co.uk or moneill@thorntons-law.co.uk.
