Legal Articles

Coronavirus: Data protection and working from home

Home / Knowledge base / Coronavirus: Data protection and working from home

Posted by Claire Halle-Smith on 06 April 2020

Claire Halle-Smith Senior Associate

We are all aware that the unexpected and immense move towards home working undertaken as a result of the Covid-19 pandemic has presented a variety of challenges to organisations across every sector. Some of these can be relatively easily managed by the implementation of business continuity plans, such as establishing regular contact with staff and customers, whilst others will require new procedures, evolving as organisations encounter new and unexpected complications, and all whilst bearing in mind that this cannot simply be a temporary fix given the government’s view that it could be up to six months before ‘normal’ life resumes.

Whilst there is plenty of advice as to the management of employees working remotely and how they can manage the practicalities of working from home, stress levels experienced by employees and managers alike will be significantly higher than usual, each dealing with personal as well as professional challenges, perhaps resulting in the potential for decrease in workload but also, importantly, substantially increasing the risk to the security of personal data and confidential information now processed outside of the secure office environment.

Risks to data security emanate from a variety of sources, most commonly human error, however scams and cyber attacks have significantly increased over recent weeks, becoming ever more convincing to their targeted recipients. It is conceivable that this increase, combined with the likely decrease in supervision and potential reduction in contact between colleagues, could result in an increase in data breaches or hacking of an organisation’s confidential information, as well as significant financial risk where funds are regularly transferred.

So how can you assist your employees and ensure appropriate security methods are adopted at home?

  • If not using the organisation’s equipment, ask employees to specify what devices they are using.
  • If necessary, require employees to encrypt personal data and confidential information before sending, and to confirm the intended method of encryption beforehand.
  • Issue reminders to update usernames and / or passwords.
  • Require employees to safely store sensitive manual files and paper documents until they can be returned to the office for shredding.
  • Advise all employees not to use a speakerphone or conduct work-related conversations in the presence of smart speakers or home surveillance (e.g. Alexa Echo, Google Home, Siri, Ring) and to be mindful of others who may have access to their screens.
  • Where possible, require opt-out of cookies each time an employee uses video-conference applications.
  • Update internal policies for remote working and data privacy, ensure these are circulated to all employees and referenced in online team meetings.

As for the organisation, it goes without saying that, if it hasn’t been completed already, ensure the organisation is properly equipped by consulting with an information security professional to maintain good cybersecurity. Such consultation is likely to include reference to the following:

  • Include warning labels on incoming emails that originate from outside of the organisation.
  • Where possible, equip employee devices with remote access capability, relevant software, and up to date manufacturer software updates, via a virtual private network (VPN).
  • Ensure multifactor, two-step authentication is required for employee remote access.
  • Clarify with employees the acceptable systems and devices that are permitted and identify and specify particular information and documents that require careful handling.

The recent statement published by the Information Commissioner’s Office confirms its understanding that the processing of personal data may be affected by the needs of an organisation when addressing the impact and attempting to limit the spread of Covid-19, and although this gives some comfort to organisations, maintaining adequate security measures remains imperative. Save for certain understandable delays, for example in the response to individual requests, the processing of personal data carried out by organisations on a daily basis must continue to be undertaken within the confines of the GDPR.  

In conclusion, although the sudden move to remote working comes with a new set of challenges for many organisations, a careful and thoughtful approach in responding to issues as they arise will allow these organisations to continue to adequately limit risks to the data processed by employees, with the added benefit of future proofing those business continuity plans for any future similar event.

About the author

Claire Halle-Smith

Senior Associate

Claire is a senior associate with extensive in-house commercial experience within the social care sector. Claire acts for a wide range of clients, from individuals and small businesses to larger, multi-national organisations.

Claire Halle-Smith

Claire is a senior associate with extensive in-house commercial experience within the social care sector. Claire acts for a wide range of clients, from individuals and small businesses to larger, multi-national organisations.

Recent articles

01 June 2020 Medical Negligence and breast cancer – is your treatment up to date?

Headlines in today’s Daily Mail stated that “2.4M Caught in Covid Cancer Backlog”. It claimed that ‘screening checks, hospital appointments and vital treatment lost during the pandemic’ and was based on figures from Cancer Research UK. The article also quoted figures from the Office for National Statistics that 13,000 more people had died than expected from causes other than Covid.

Read article
29 May 2020 Return to the workplace risk assessments

Following recent Government announcements, the time has come to consider a phased return to places of work. Obviously, given the unprecedented nature of Covid-19, such a process will be riddled with confusion for both employers and employees – how will the return to work operate?

Read article
28 May 2020 Guide to restrictive covenants

Employment and consultancy contracts often contain clauses restricting an individual’s working activity when they leave a business. These clauses, ‘post termination restrictive covenants’, typically restrict the ex-staff member’s ability to work in competing businesses, to deal with clients, to try to win business from them, or to poach other staff members.

Read article
How can we help?
01926 732512