Bethany Paliga, an Accredited Data Protection Practitioner and solicitor at Forbes Solicitors, looks at what companies need to consider to keep information secure as people work from home during the coronavirus outbreak.
With the unprecedented measures being put in place by the government to reduce the spread of the coronavirus pandemic, Covid-19 is making significant changes to the way in which we work and conduct our business.
Many organisations will have a significant proportion of their workforce working remotely. Whilst staff work remotely, organisations still have legal obligations to ensure technical and organisational measures are in place to keep personal information secure. Neither public health concerns nor the urgency with which decisions need to be made exempt organisations from keeping personal information secure.
There are two main elements to getting remote working right from a data protection perspective: using appropriate equipment and good working methods.
Use of Personal Devices
Remote working is not new, but it is happening on a far greater scale in the current situation. Given the large numbers of remote workers, many organisations are permitting staff to work remotely on their own personal devices (commonly known as ‘Bring Your Own Device’ or BYOD). Some of these members of staff will never have worked remotely before. Therefore, now is a good time to implement a BYOD policy or conduct a review of your existing BYOD policy.
When looking at your BYOD policy you will need to consider the suitability of a member of staff’s device. Not only should the device be able to cope with the practical demands of the work required, but its security capabilities should also meet your organisation’s minimum standard. Staff should be required to confirm that their device’s operating system is up to date and that relevant patches have been installed. Additionally, staff should be warned of the risks of downloading unverified apps to their device, as these may increase the risk of malicious software being introduced to the organisation’s network if the device is used to log in remotely.
Organisations should also consider how staff are to access the organisation’s network while working remotely, and whether access to data should be restricted to a specific app or to the use of encrypted email protocols. Access via an unsecured “coffee house” network also increases the risk of data being lost, so use of a secure VPN when not connected to the organisation’s network should be a fundamental requirement. Additionally, organisations should decide how data is to be stored remotely and how a BYOD device is to be given access to it. The use of “public” cloud storage services may increase the likelihood of data being lost and should be planned for rather than left to happen ad hoc.
From a practical perspective, where copies of data (such as PDFs) are stored on many different devices, there is an increased risk that the data will become out of date or inaccurate over time and be retained for longer than is necessary, and organisations may find it difficult to keep track of the copies. That may impede responding on time to a subject access request, as having to identify and search multiple devices will only slow the process.
The use of personal devices might also raise the risk that personal information is processed for purposes different from those for which it was originally collected. To counter this, organisations may wish to audit the data potentially being held on personal devices to establish whether it is appropriate for that data to be held there, or whether it should be held in a more restricted environment with restricted access for BYOD users.
Organisations must also ensure that their BYOD policy contains provision to deal with the loss, theft or failure of an employee’s device. A device’s geo-location should be switched on and, where possible, a capability to remotely wipe data if the device is lost or stolen should be installed.
Finally, organisations must also consider how to deal with BYOD users leaving their employment. Provision to retrieve stored documents and delete relevant information from the device should be incorporated into the BYOD policy, so that it is a reasonable request for the employer to have the device made available.
Remote Working Considerations
In addition to looking at the BYOD policy, now is a good time to review all remote working policies (for electronic and paper working) and consider what training staff need to enable business continuity whilst ensuring personal information remains secure.
- Review your remote working policy, IT Acceptable Use and Security Policies, Bring Your Own Device (BYOD) policy, and your data breach procedure.
- Consider whether any changes need to be made to these policies and communicate these policies to your staff clearly.
- Provide training on your remote working and BYOD policies to those members of staff who do not usually work remotely.
- Raise awareness of the importance of data protection – in particular of the risk of handling paper documents outside the office, the risk of theft of personal devices and the importance of encrypting emails containing confidential or sensitive information.
- Remind staff of your data breach procedure and the importance of reporting breaches and near misses.
It is currently unclear how long government instructions to work from home wherever possible will last. However, organisations will now have tested their capacity to work remotely, and it is likely that the increase in remote working will continue beyond the Covid-19 crisis, making the time spent on making home working secure and effective a good investment.