Managing data protection, technology & working from home
03-04-2020
It is highly likely that the way businesses are now working will have changed following the coronavirus pandemic, in light of the government announcement of social distancing and working from home measures. Businesses should consider the potential data protection challenges they may face and how they can address this with their current workforce, customers and suppliers.
Here are some key points to help you address the way you tackle personal data whilst dealing with business continuity during the pandemic.
Data protection, confidentiality and security
Those employers entering into homeworking arrangements will need to address a range of practical issues, including:
- Assess the risk exposure in your business operations resulting from the coronavirus including any overseas workplaces.
- Update your business contingency plans. Share contingency plans and all relevant policies on data protection, IT and confidentiality with your employees.
- If not already so designated, appoint suitable personnel to be responsible for compliance matters: for example a data protection manager, an IT manager, a HR manager. For small companies combine this role: for example, general compliance manager. As policies evolve, update employees through these managers and encourage employees to feedback any issues so that these are monitored consistently and effectively.
- Take appropriate measures to ensure you have the right systems in place to protect personal data both at, and in transit to, the employee’s home.
- Employees working on their own personal devices rather than the company’s should take into account confidentiality obligations and include extra security measures so that personal data is protected.
- Consider carefully how you should monitor your employees. Even home IP addresses can be personal data and it can be difficult to monitor employees on a truly anonymised basis.
- Caution must be exercised if sharing information on employees who are exhibiting symptoms as health data is a special category of data and subject to a necessity test. The ICO state you can keep staff informed of cases within the organisation but without naming the sick employee.
- Ensure you continue communicating with customers based on what they have consented to, such as marketing messages being included in virus-related communications when customers have opted out to marketing information.
- Identify where systems and processes may be vulnerable to cyber-attacks and new threats of fraud. The National Fraud Intelligence Bureau has recorded a 400% increase in reported cases of fraud related to the Coronavirus, and employees at home might be especially vulnerable to cyberattacks and phishing scams. Alert and train your employees on these risks.
- If you need to urgently use third party suppliers to manage some parts of your business during these uncertain times, ensure you undertake sufficient due diligence on the third party and inform them of your key policies on data protection, health and safety etc.
What can employers do to minimise risks?
- Ensures employees are mindful whilst working from home about how they treat and process personal data. In 2017, a lawyer was fined after a software update made client files stored on her home computer publically accessible online. It is vital to ensure that all sensitive information is kept secure regardless of whether it is on a personal or work device. The National Cyber Security Centre recommends companies consider encryption and the possibility of remotely wiping devices to keep information secure.
- Encourage the use of paper-less working to avoid physical documents containing confidential information and personal data being left in an unsecured environment.
- Where paperless working is not possible, ensure staff are adequately trained in how to manage hard copies outside the work environment. You may wish to consider keeping a record of all physical documents removed from and returned to the office.
- Highlight to your employees the importance of only processing personal data that the business needs. Ensure that your IT systems and processing support this business need as you may need to justify it to your customers/suppliers or the ICO.
- Encourage your employees, where possible, to set up a separate workspace at home so that they can conduct calls without being overheard as well as having a central space (preferably stored securely online) for documents.
- Undertake a Data Protection Impact Assessment (DPIA) on the changes that are being implemented to your business and working practices as a result of the government “lockdown”. ICO: Data protection impact assessments
- Consider circulating a ‘top tip’ sheet to the workforce tailored to your business on how to deal with personal data and confidentiality issues to convey the message quickly and effectively. You could create a ‘Home Working Data Protection Policy’ or seek some support on how to do this.
- If your organisation needs assistance from third party suppliers, make sure you still carrying out your usual supplier due diligence and are entering into an appropriate written agreement to meet your obligations under Data Protection laws.
Useful links
Their helpline is available on 0303 123 1113.
- The National Cyber Security Centre has some practical advice on what to consider when setting up for homeworking, this includes ensuring:
- All user accounts have strong passwords, and if possible a two-factor authentication set up.
- Employees are adequately trained in all aspects of the work there are undertaking.
- Devices, operating systems and programs are kept up to date and are protected/encrypted and backed-up.
- Employees are able to report any security issues, even if the IT team are unavailable due to the necessity to set up remote workers.
With so much information available online, this can be a useful starting point for training your staff.
- Action Fraud has simple and practical advice on how you and your employees can protect themselves online:
- Watch out for scam messages. Do not reply to any unsolicited messages that ask for personal or financial details, no matter how they are disguised.
- When placing orders online, make sure you know and trust any company from whom you intend to make a purchase.
- To protect your devices, make sure your operating system and programs are kept up to date. The National Cyber Security Centre has some further guidance on how to do this.
Who do I contact for support and advice?
For more information on how we can support you during this time please contact one of our Corporate & Commercial law specialists.
