Safeguarding company data in the era of WFH
This may prompt a sense of deja vu for many – indeed Government guidance was already in place prior to this second lockdown indicating that office workers who can work “effectively” from home should do so over the winter.
Many companies have therefore already facilitated homeworking for their employees. Initially, this was often arranged on an emergency basis during the first lockdown. For most businesses, this was an unprecedented scale of homeworking and a significant logistical challenge – ensuring employees had access to laptops and mobile phones, that printing and post would be attended to, and learning how to set up Zoom or Teams calls. These changes were implemented at a time when businesses were having to battle on many different fronts because of the pandemic. Realistically therefore, there was limited opportunity for employers to undertake detailed reviews of the potential data protection issues.
As it seems that homeworking is here to stay – for some months at least – now is a good time for employers to review their homeworking arrangements to ensure they are safe and legally compliant from a data protection perspective.
Unfortunately, it is easy to see how data breaches may be more likely to happen with more employees working from home. For example, employees printing out personal data at home may not have the facility to dispose of it securely, such as via a confidential waste bin. Employees who share laptops or mobile phones with family members or who use personal devices are at a particular risk of inadvertently sharing personal data. If other members of the household are sharing a working space, they can very easily overhear Zoom or Teams calls in which personal data is being discussed.
The law on data protection has not changed and employers’ obligations remain the same as they were before COVID. Whilst the Information Commissioner’s Office (ICO) helpfully indicated in March 2020 that it would take a pragmatic approach to enforcement in light of the pandemic, employers are still bound by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Indeed, it is likely that the ICO will consider that homeworking has now been the “new normal” for some months and will increasingly expect businesses to have adapted accordingly.
Under the GDPR, employers must have appropriate measures in place – including policies and procedures – to prevent unauthorised or unlawful processing of personal data and accidental loss, damage or destruction of personal data.
The ICO has the power to impose significant fines directly on data controllers – including employers – for serious data protection breaches. Additionally, businesses can suffer significant reputational and economic damage if data is not protected.
An ideal starting point will be for businesses to undertake a data protection impact assessment (DPIA). This would consider the data protection implications arising from employees working from home. The assessment could for example include:
- Who else has access to the employee’s computer or mobile phone? Specific security measures should be in place to ensure that other members of the household cannot access personal data held on devices, for example a separate user account for work, a screen lock that engages automatically, and full-disk encryption in case the device is lost or stolen.
- Are employees required to use strong, unique passwords, and is multi-factor authentication enabled for email and remote access? Note that current NCSC guidance advises against forcing staff to change passwords at fixed intervals, as this tends to produce weaker, more predictable passwords; a change should instead be required where there is reason to suspect a password has been compromised. Cyber attacks on remote workers remain a significant risk.
- How is information moved between home and office, both in terms of physical transfer by post or courier and electronic transfer e.g. via email or Dropbox? Is data encrypted in transit and at rest, and are employees using approved company services rather than personal email or file-sharing accounts? Password-protecting an individual document is not a substitute for encryption.
- Where paper files are kept, are there suitable systems for storage such as secure filing cabinets?
- Are there rules concerning the disposal of paper-based records (for example, via confidential waste or shredding) or the storage and deletion of computerised personal data?
- Have staff been given updated training and guidance and are regular reminders sent to staff about their obligations to safeguard personal data?
Employers should then consider what steps can be taken to mitigate the risks identified in the risk assessment. Action points may include:
- Training – Homeworkers may need specific training on their own obligations and those of the employer in relation to data protection and confidentiality, on the procedures they must follow, and on what is, and is not, an authorised use of data. Where employees are working from home, there is an increased onus on them individually to ensure data is protected, so they need to understand these obligations.
- Employee contracts – Employees’ contracts should be amended where necessary to cover their data protection obligations and should ideally specifically state that breaches may lead to disciplinary action. When issuing new or amended contracts, it is always best practice to ensure employees sign and return the contract and to keep a copy for your records.
- Home Working & Data Protection Policies – Homeworking and / or data protection policies may need revising to deal appropriately with the risks identified in the risk assessment. We would recommend asking employees to sign to confirm they have seen and understood the relevant policies. Employees should know where to access policies – ideally on an intranet if your business has one or otherwise policies might be available on request from a named member of staff.
- Disciplinary action – Disciplinary action should be taken where appropriate if data breaches are identified as resulting from breaches of company policies. Such action will emphasise the seriousness of this issue and the potential damage which could be caused to the business. We would recommend seeking legal advice before taking disciplinary action.
Please note that this advice is correct as at 12 November 2020. Please contact any member of the employment team or firstname.lastname@example.org if you require any further assistance and guidance.