Data protection risks while working at home

The increase in working at home due to the coronavirus pandemic has highlighted the need for businesses to have their data protection polices up to date.

On 23 March 2020 the Government announced that any workers who were able to should start working from home for the foreseeable future. Many of these employees may not be used to working from home, may be working from their own computers, or are using older systems or systems that have not previously been used for remote working.

Combined with this, with many using unfamiliar work practices, while also bearing more stress than they usually would, means that instances of human error – the common cause of security breaches – are increasingly occurring.

There are also added risks in the home from smart devices such as Alexa which rely on partial voice recording to operate. Some staff are even being advised to turn off these devices when carrying out confidential phone calls from home.

During this period businesses should remain aware of their ongoing obligations in relation to personal data and of the potentially heightened risks while working at home.

We have set out some suggestions for employers to put into practice to uphold and maintain data protection levels while their employees are working at home.

Update and secure devices

• Check with employees whether they are using company devices or personal devices to work at home. If working on a personal device, an employer should provide their employee with the appropriate security software in order to protect their information as well as the data they are working on and ask them to encrypt the device.
• Send employees regular reminders to update their software.
• Ask employees to lock away or secure their devices out of reach from others when left unattended.
• Ask employees to take precautions when considering where they work and who might be able to listen in on confidential conversations or view confidential information on screens.

Review policies 

• We recommend that employers review their existing data protection policy and working from home policy and consider whether they are fit for purpose. They may need to be amended to accommodate their new working arrangements.
• Once they have been verified as being fit for purpose, circulate pre-existing policies i.e. IT policy so that employees are reminded and are aware of the expectation the company has of them.
• Policies should also be mindful of the requirements of the Information Commissioner’s Office (ICO) and data protection regulations. It’s important to remember that in the event of a data breach the business is still required to report this to the ICO within the usual 72-hour window and for data subject access requests to be responded to within one month.
• Once your policies and procedures are up-to-date, share them with employees, with regular reminders highlighting key aspects for them to focus on and be aware of.

Carry out further training

• Employers should take the opportunity to provide (and update) training for their employees, including those on furlough leave, during quieter periods. This can include training on data protection and cybersecurity matters.
• Employers should make their employees aware of the heightened risk of phishing attacks now that the majority of employees are remote working, training should be organised to identify these types of attacks to ensure the protection of confidential data.

If you require further guidance or advice on the above or any data protection or GDPR-related issues, please do not hesitate to get in touch.

This content is correct at time of publication