Legal Articles

Coronavirus: Data protection and working from home

Home / Knowledge base / Coronavirus: Data protection and working from home

Posted by Claire Halle-Smith on 06 April 2020

Claire Halle Smith - Data Protection Lawyer
Claire Halle-Smith Senior Associate

We are all aware that the unexpected and immense move towards home working undertaken as a result of the Covid-19 pandemic has presented a variety of challenges to organisations across every sector. Some of these can be relatively easily managed by the implementation of business continuity plans, such as establishing regular contact with staff and customers, whilst others will require new procedures, evolving as organisations encounter new and unexpected complications, and all whilst bearing in mind that this cannot simply be a temporary fix given the government’s view that it could be up to six months before ‘normal’ life resumes.

Whilst there is plenty of advice as to the management of employees working remotely and how they can manage the practicalities of working from home, stress levels experienced by employees and managers alike will be significantly higher than usual, each dealing with personal as well as professional challenges, perhaps resulting in the potential for decrease in workload but also, importantly, substantially increasing the risk to the security of personal data and confidential information now processed outside of the secure office environment.

Risks to data security emanate from a variety of sources, most commonly human error, however scams and cyber attacks have significantly increased over recent weeks, becoming ever more convincing to their targeted recipients. It is conceivable that this increase, combined with the likely decrease in supervision and potential reduction in contact between colleagues, could result in an increase in data breaches or hacking of an organisation’s confidential information, as well as significant financial risk where funds are regularly transferred.

So how can you assist your employees and ensure appropriate security methods are adopted at home?

  • If not using the organisation’s equipment, ask employees to specify what devices they are using.
  • If necessary, require employees to encrypt personal data and confidential information before sending, and to confirm the intended method of encryption beforehand.
  • Issue reminders to update usernames and / or passwords.
  • Require employees to safely store sensitive manual files and paper documents until they can be returned to the office for shredding.
  • Advise all employees not to use a speakerphone or conduct work-related conversations in the presence of smart speakers or home surveillance (e.g. Alexa Echo, Google Home, Siri, Ring) and to be mindful of others who may have access to their screens.
  • Where possible, require opt-out of cookies each time an employee uses video-conference applications.
  • Update internal policies for remote working and data privacy, ensure these are circulated to all employees and referenced in online team meetings.

As for the organisation, it goes without saying that, if it hasn’t been completed already, ensure the organisation is properly equipped by consulting with an information security professional to maintain good cybersecurity. Such consultation is likely to include reference to the following:

  • Include warning labels on incoming emails that originate from outside of the organisation.
  • Where possible, equip employee devices with remote access capability, relevant software, and up to date manufacturer software updates, via a virtual private network (VPN).
  • Ensure multifactor, two-step authentication is required for employee remote access.
  • Clarify with employees the acceptable systems and devices that are permitted and identify and specify particular information and documents that require careful handling.

The recent statement published by the Information Commissioner’s Office confirms its understanding that the processing of personal data may be affected by the needs of an organisation when addressing the impact and attempting to limit the spread of Covid-19, and although this gives some comfort to organisations, maintaining adequate security measures remains imperative. Save for certain understandable delays, for example in the response to individual requests, the processing of personal data carried out by organisations on a daily basis must continue to be undertaken within the confines of the GDPR.  

In conclusion, although the sudden move to remote working comes with a new set of challenges for many organisations, a careful and thoughtful approach in responding to issues as they arise will allow these organisations to continue to adequately limit risks to the data processed by employees, with the added benefit of future proofing those business continuity plans for any future similar event.

About the author

Claire Halle-Smith

Senior Associate

Claire’s experience in-house coupled with her ten plus years’ advising on data privacy matters enables her to identify those key issues facing an organisation and to provide practical, solutions-based advice.

Claire Halle-Smith

Claire’s experience in-house coupled with her ten plus years’ advising on data privacy matters enables her to identify those key issues facing an organisation and to provide practical, solutions-based advice.

Recent articles

30 July 2020 Rethinking the landlord / tenant relationship

We have been following the travails of the high street for over 12 months where changing shopping habits, business rates and rent increases have been contributing to a growing strain on many landlord / tenant relationships.

Read article
30 July 2020 Bankrupts fail in claim to have interests in land revested in them

The claim by Mr and Mrs Brake (Brake v Swift), heard in the High Court in May, to have a cottage and adjacent land revested in them under Section 283A of the Insolvency Act 1986, was set against a background of convoluted litigation extending over a number of years, described by Matthews HHJ as ‘complex’.

Read article
29 July 2020 Remote witnessing of wills – a sign of the times

The law governing how a will is witnessed dates back to 1837 and for good reason. The requirement for two people (neither of whom can inherit from the will they are witnessing) to be physically present at the signing of a will is designed to, among other things, prevent fraud and the exercise of undue influence. That is, until the Covid-19 pandemic struck.

Read article
How can we help?
01926 732512