At the time of writing this article we are all several weeks into lockdown, and many of us are working from home in circumstances that were never anticipated, without necessarily having the right technical and organisational structures in place to manage the information that we are processing.
Data Protection Authorities around the world have reinforced the fact that whilst they may be reasonable about the challenges that organisations face in managing data protection and information security, the laws still apply.
Businesses need to ensure that they continue to comply with data protection laws, that they put in place and maintain technical and organisational security and that they provide timely and practical guidance to staff as to how to manage information and personal data whilst it is being dealt with remotely from the workplace.
The Information Commissioner’s Office has produced guidance on what sort of security measures should be put in place when working remotely, how to deal with sharing of information about work colleagues that may have contracted coronavirus and how to deal with individuals exercising their data rights during the lockdown.
The European Data Protection Board has also issued guidance on the lawful grounds for processing health data of employees, confirming that consent in the current circumstances is not necessary as the lawful ground is likely to be public interest or legal necessity. The EDPB guidance also reminds organisations to ensure that fair processing statements or privacy notices should be updated to address processing of health data in the current situation.
The National Cyber Security Centre has also produced guidance for businesses on how to prepare the organisation and staff for working from home, including the use of two-factor authentication for login and the need for businesses to produce ‘How To’ guidance and webinars to help staff with remote access and the use of conferencing and video services. The NCSC guidance also addresses the need to alert staff to email scams and social engineering, as online services are increasingly accessed across a number of devices.
It is worth revisiting the use of Data Protection Impact Assessments in respect of the various data processing activities that the business will carry out during this period, whether it be the sharing of health data regarding staff, the collection of health data regarding visitors or requiring staff to use new conferencing facilities or chatroom technology. Under the General Data Protection Regulation, DPIAs are mandatory in a number of cases, and so your DPIA process needs to be reviewed.
In the COVID-19 period, where we are working from home, some businesses already have a home working policy, but this may have been drafted at a time when working from home was part of the contract of employment for certain staff. We now have a situation where there is a temporary (we hope) requirement to work from home, and therefore a specific home working policy may need to be put in place.
The home working policy amongst other things will address:
- The required hours of work;
- The expectation that staff should be maintaining an appropriate work vs life balance in the lockdown;
- The responsibilities for managing office equipment and its return at the end of the home working requirements;
- Procedures for the purchase by staff of office essentials and the expenses claim process;
- Guidance on how to deal with virtual team meetings and virtual business meetings;
- The requirement for confidentiality in postings and online discussions as well as good data and records management;
- The integration of the home working policy with other compliance policies including bring your own device, information security, acceptable use and social media policies.
With staff spending so much time out of the office environment, there will be an inevitable increase in the use of social media and the internet in general, and that in itself raises risks around the management of confidential information as well as personal data. The business should as much as possible insist that staff use protected devices but to the extent that they have to use their personal devices and tablets, steps should be taken to ensure that data protection rules are adhered to.
There may be a tendency to spend more time engaging in social media chat, and staff should be reminded to maintain professional standards and to ensure that, where postings are made from the home environment, they do not include visual items that may cause reputational, brand or confidentiality challenges.
From an information security and cyber security point of view, the increased use of social media and the internet gives rise to risks surrounding social engineering, phishing, ransomware attacks and the like, and again guidance needs to be given to staff to raise awareness of these issues.
Finally, the business needs to consider how it can improve physical and technical security at home for its staff as well as the management of confidential information including in particular manual records and print. Whilst in the office environment there will no doubt be a control around the disposal of paper and confidential documents, it may be harder to manage this within the home environment, but the liability still remains.
Another issue that needs to be considered is the risk of the loss of control of data and document conversions where information may be spread across a number of devices and is remote from the usual central server.