Personal data implications of working from home during COVID (and beyond…)

Since the first national lockdown in the UK in March 2020, millions of people around the country have been working from home. Currently the government asks that we work from home unless it is impossible to do so. This has been a big change for many companies and employers have had to adapt their practices in order to accommodate this.

The risks
One key area that employers must consider when dealing with their employees working from home is data privacy. When employees work on documents and access emails etc. from home, the safety of personal data may be compromised. Employees may use their own personal devices to remotely access company networks or bring hard copy documents home from work. They may use unsecured networks, if for example using public Wi-Fi, or use personal email accounts to transmit documents and data. The foregoing all poses great risks to the safety of personal data.

Personal data is information that relates to an identified or identifiable individual. Examples include an individual’s name, contact telephone number, email address, or IP address.

The law
The UK General Data Protection Regulations (GDPR) set out seven key data protection principles to protect the personal data of individuals. One of these principles relates to data security, namely that data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”.

How to deal with the risks
Companies should implement appropriate technical and organisational measures (TOMs) to ensure this security principle is upheld. This is particularly essential to consider when dealing with employees processing personal data when working from home.

Examples of TOMs that should be considered by employers are as follows:

• Carry out and document an information risk assessment – consider where data is being processed and by whom, the reasons why this data is being processed in this way and the kind of harm that could be caused in the event of a breach;
• Set out protective procedures in internal company policies and make sure employees are trained on this and kept up to date with any changes;
• Ensure only secure platforms are used by employees when remotely accessing company networks (including VPNs);
• Remind employees to use complex and unique passwords;
• Implement end-to-end encryption, passwords to be used as much as possible as well as multi-factor authentication;
• Ensure only company email systems are used to transmit emails and other communications (rather than personal platforms such as WhatsApp and private email servers);
• Utilise remote application solutions to provide access to employees to corporate applications that they need;
• Use company-owned cloud storage instead of employees using personal alternatives;
• Provide company electronic devices to employees with suitable security systems implemented, including anti-virus software;
• Implement stringent access controls to company folders that are to be accessed from employees working from home;
• Restrict access to video-conferencing facilities through implementing passwords and carefully consider who you share meeting login details with;
• Ask employees to be mindful of confidentiality when having work related calls or video-conferences and use screen-protectors where required;
• Ensure employees keep hardcopy documents confidential by storing them safely (locked away where possible) and disposing of them securely;
• Keep anti-virus software and other remote access platforms up to date
• Keep abreast of cybersecurity issues and trends;
• Ensure procedures are in place to deal efficiently with any incidences of data breaches and train employees on this.

Returning to work
The UK government has detailed its “roadmap” for coming out of lockdown but rules remain unclear as to when the UK workforce will be actively encouraged to return to work. The primary barrier to this is of course social distancing and whether this is possible in office spaces. The government is currently undertaking a review to decide whether and when rules around this can be relaxed. As shops, pubs and restaurants start to reopen, employers may be keen to reopen offices too. We hope that this will be possible by 21 June at the latest, the date when many other COVID restrictions are due to be relaxed. The encouraging news regarding vaccinations in the UK should also be a step in the right direction in this regard.

Where employers are asking their staff to return to work, they must ensure appropriate safeguards are in place and carry out risk assessments to keep their workforce safe and well.

Of course, it remains to be seen how many people will want to continue working from home on a more permanent basis going forwards.

Madeleine Rhodes      mrhodes@redfernlegal.com