Working from home – data protection considerations for evolving working practices

14th May 2020

What do businesses need to bear in mind as working from home becomes more commonplace?

In the not too distant past the phrase ‘working from home’ may have been met with scepticism in some quarters and images of employees lazily checking emails in bed while binge watching boxsets. However, the world has changed beyond recognition in the past few weeks as working from home has become the new norm for many of us. Sales of computer monitors almost doubled[1] in the weeks preceding the government-mandated lockdown as people started moving the ironing board and kitting out the box room as a fully-fledged home office. Now that these initial investments have been made, and more importantly it has been proven that vast numbers of the workforce can work from home for prolonged periods efficiently and productively thanks to reliable technology, it is difficult to imagine working life as we know it will ever be the same again. If there is one thing that can be certain in these ‘uncertain times’ it’s that working from home has demonstrated its value in the landscape of modern working.

For some businesses, working from home (or ‘agile’ working, as it is often known) has long been the norm and the practice has been fully embraced from the boardroom down. For these early adopters, the necessary compliance infrastructure is now tried and tested. For others, agile working is a more recent development, forcibly launched en masse due to the swiftness of the coronavirus pandemic.

Now that the dust is starting to settle, businesses are seeing the value of agile working, and thinking about where it might slot in to the working practices of the future. One key consideration for all organisations is ensuring that data protection compliance standards are maintained irrespective of location. When considering how to develop future agile working practices to maximise efficiency and employee satisfaction, there are some key data protection issues that must be borne in mind.

Key considerations for data protection outside the office environment

1. Policies and procedures – Detailed agile working policies should be implemented to demonstrate your compliance considerations to regulators, and ensure employees are fully aware of what is expected of them when working outside the office. These policies should themselves be agile; they should be regularly reviewed and updated as things develop to ensure they remain fit for purpose. If employees are allowed to use their own devices when working from home (mobile phones or laptops for example) then a standalone Bring Your Own Device (BYOD) policy may also be appropriate if one is not already in place.
2. Computer security measures – Setting up the IT infrastructure for your organisation involved careful considerations relating to security and continuity. However, the same detailed thought process is unlikely to have been undertaken by your employees when setting up their home systems. Where staff are working remotely, access to servers via a secure virtual private network (VPN), and ensuring that appropriate anti-virus and security software is installed on all devices will mitigate some security risks. Further considerations will be needed depending on the level of risk that home working poses in the context of your business to ensure that your approach is appropriate to the nature, scope, context and purposes of your data processing activities.
3. Keeping hard copy and other information at home – Any personal data processed by an employee at home, or anywhere else, will constitute a processing activity undertaken by the organisation (and remember that the storing of personal data is in itself a processing activity). The same data protection principles therefore apply and any personal data must be kept as securely as it would be in the office. Data stored at home will also be subject to the ordinary principle of storage limitation and must be securely destroyed or deleted in line with your organisation’s retention policy. Secure destruction will involve more than just throwing the documents into the general waste bin – where employees don’t have the capability to securely destroy documents, then such documents should be kept safe until they can be taken back to the office for shredding.
4. Transporting data – Care must also be taken when transporting personal data to or from remote working locations. We’ve all heard horror stories of people leaving sensitive documents on trains and buses and whilst this may not be an immediate problem with people travelling less frequently on public transport, risks will increase as the lockdown eases. Where personal data is being transported using removable storage devices such as USB sticks then these devices must be suitably encrypted to ensure the security of the data therein. Organisations should also be careful when making data accessible online and due diligence should be undertaken on any file sharing sites used, as well as prohibiting staff from forwarding work emails to personal email addresses.
5. Collaborative working software – With the sudden increase in people working from home, the popularity of collaborative working software has skyrocketed. However, care must always be taken whenever new software is rolled out across your organisation. Ordinary due diligence processes should be followed to ensure that the proposed software affords adequate levels of protection to any personal data involved and a Data Protection Impact Assessment must be completed in advance. Where cloud based collaborative working software is involved, the software provider is likely to be acting as a processor on behalf of your organisation. The terms and conditions will therefore need to contain the mandatory provisions in article 28 GDPR and transfers outside of the EEA (to servers in the USA for example) will need to be reviewed to ensure adequate protection is in place.
6. Privacy – Employees must ensure that their agile working environment allows for a sufficient level of privacy to avoid any unauthorised disclosures or data breaches. Confidentiality must be maintained when discussing personal data over the phone or on video calls, and laptop screens should be locked when not in use to avoid any inadvertent third party access. Privacy screens should also be used when working with personal data in shared areas or in close proximity to others (even family members). Regardless of where employees are working, any data breaches will need to be reported in the ordinary way.
7. Maintaining reporting lines – As part of your organisation’s data protection compliance framework, clear reporting lines should be in place for the escalation of any data protection matters (such as data breaches or requests by data subjects to exercise their rights in respect of the processing of their personal data). These escalation processes must be maintained wherever staff are located. Where a breach is reportable, the ICO must be informed within 72 hours. For this strict timeframe to be met, breaches must be promptly escalated internally for assessment. Similarly, to avoid any failures to comply with requests by data subjects, employees need to be able to independently recognise these and forward them on as appropriate, even when working away from the office.

During the coronavirus pandemic, the ICO has confirmed it will take an empathetic and proportionate approach to regulation, and consider the impact the pandemic may have on organisations’ compliance resources when considering what action to take. As we start to move back towards a semblance of normality, the potential for any leniency is removed and expectations will return to their usual high standards. As agile working is normalised, care must be taken to ensure that data protection obligations continue to be met.

It’s far easier to implement a robust compliance framework for new working practices by building the two simultaneously. Waiting until employees have developed their own ways of agile working before considering the regulatory requirements may cause friction. Bad habits, once formed, are harder to break.

If you have any queries or require any assistance with developing your approach to agile working in a way that complies with data protection regulations then please do not hesitate to contact us.

[1] https://www.gfk.com/en-gb/insights/press-release/it-monitor-sales-almost-double-in-one-week-as-britain-moves-to-home-working/

Visit our Future World of Work hub here.