Hello, I’m Claire Halle-Smith, and I’m a senior associate at Wright Hassall. I work in the outsourcing, technology and commercial team, where a lot of my time is spent supporting clients who encounter data privacy issues. That could be anything from day-to-day compliance issues, through to breach management, or assistance with ICO investigations.
We’re all aware that the unexpected move towards home working undertaken as a result of COVID-19 has presented a variety of challenges to organisations across every sector. Some of these can be relatively easily managed by the implementation of business continuity plans, that could be establishing regular contact with staff and customers, whilst others will require new procedures, evolving as they encounter new and unexpected complications, and all whilst bearing in mind that this cannot simply be a temporary fix given the government’s recent view that it could be up to six months before any sense of normality returns to our working lives.
And so we wanted to briefly talk today about the issue of maintaining adequate data security, given that the number of us working from home on a regular basis has increased so significantly within such a short time. For many businesses, of course, this is already the norm, and others will already have had sound and tested business continuity plans in place which have enabled them to make the transition relatively painlessly. But that still leaves many, often smaller, businesses, charities and other organisations that are not as well equipped, and they have requested support from us. That support has included identifying risks to the organisation during this period of remote working. One of these, of course, is the security of personal data and confidential commercial information, and how this can be maintained when their employees, or other workers, are potentially located across the country or even in other jurisdictions.
Given the government’s forecast that it could still be several months before things return to normal, what should businesses be considering?
Well, while there’s plenty of advice on managing employees working remotely and how they can deal with the practicalities of working from home, the stress levels experienced by employees and managers will be significantly higher than usual, as each will be dealing with personal as well as professional challenges. Although this can result in a potential decrease in workload, there may also be a much greater risk to the security of personal data and confidential information being processed outside of the secure office environment.
Where are these risks coming from?
Risks to data security can emanate from a whole range of sources, most commonly human error. Added to that, scams and cyber-attacks have significantly increased over recent weeks, becoming ever more convincing to their targeted recipients. It is conceivable that this increase, combined with the likely decrease in supervision and potential reduction in contact between colleagues, could result in an increase in data breaches or even the hacking of an organisation’s confidential information. There is also a significant financial risk where funds are regularly transferred.
How can you help your employees adopt appropriate security methods at home?
There are a range of measures that can assist here:
- If employees are not using the organisation’s equipment, you can ask them to specify what devices they are using.
- You can also require employees to encrypt personal data and confidential information before sending it anywhere, and to confirm to you beforehand as to what method of encryption they intend to use.
- Regularly issue reminders to employees to update their usernames and/or passwords.
- Update internal policies on remote working and data privacy to insist that employees store sensitive manual files and paper documents safely until they can be returned to the office for shredding, and ensure these policies are circulated to all staff and referenced in online meetings.
- Advise all employees not to use a speakerphone or conduct work-related conversations in the presence of smart speakers or home surveillance (these could include systems like Alexa Echo, Google Home, Siri and Ring). Reminders can also be issued to employees that they must be mindful of others who may have access to their screens; and
- If possible, require that employees opt-out of cookies each time they use video-conference applications.
What should organisations be doing?
As for the organisation, it goes without saying that, if it hasn’t been completed already, it should ensure it is properly equipped by consulting with an information security professional to maintain good cybersecurity. This consultation is likely to include reference to:
- warning labels to be included on incoming emails that originate from outside the organisation.
- employee devices to be equipped with remote access capability, relevant software, and up to date manufacturer software updates, via a virtual private network (VPN).
- multifactor, two-step authentication required for employee remote access; and
- that organisations should clarify with employees the acceptable systems and devices that are permitted and identify and specify particular information and documents that require careful handling.
What are the potential consequences for those organisations who may find it difficult to comply with all their obligations under the data privacy legislation during this time of lockdown?
The recent statement published by the Information Commissioner’s Office (known as the ICO) confirms its understanding that the processing of personal data may be affected by the needs of an organisation when addressing the impact of COVID-19 while attempting to limit its spread. So this should certainly give some comfort to organisations, however, maintaining adequate security measures remains vital. Save for certain understandable delays, for example in the response to individual requests, the processing of personal data carried out by organisations on a daily basis should continue to be undertaken within the confines of the Data Protection Act 2018.
This is useful information for those organisations who may need to share information quickly, where, for example, employers need to share information with healthcare authorities or to enable remote working, or within the healthcare sector where the timely sharing of information is required to administer treatment and to maintain open communications during this challenging time. It is also reasonable for organisations to request information as to a country a person has visited, or whether a person is displaying any COVID-19 symptoms, as health and safety obligations enable an employer to keep staff informed about cases or potential cases of COVID-19 within its organisation, provided it does not disclose employee names or provide more information than is necessary.
In all cases, organisations must be mindful not to collect more information than required, and must ensure appropriate security measures are implemented with respect to such processing. Proportionality continues to be the prevalent consideration in any processing activity, the message from the ICO being that ‘if something feels excessive from the public’s point of view, then it probably is’.
As to other processing activity, and as mentioned earlier, a delay in complying with, say, an individual’s rights request is unlikely to attract any penalties where there is a need for the organisation to prioritise other areas, but it is important to bear in mind that statutory timescales will not be relaxed.
The concluding message from the ICO is that data protection legislation will not prevent an organisation managing the impact of COVID-19 on its business, but it should continue to bear in mind the principles under the legislation and pay particular attention to the security of the data concerned. And so, although the sudden move to remote working comes with a new set of challenges for many organisations, a careful and thoughtful approach in responding to issues as they arise will allow these organisations to continue to adequately limit risks to the data processed by employees, with the added benefit of future-proofing those business continuity plans for any similar event in the future.