Covid-19: Protecting data whilst working from home
06 April 2020
The rise in working from home
With a third of the world's population now effectively on lockdown in response to the coronavirus pandemic, a huge number of people are now working from home across a wide variety of professions and industries. Most of those now remote working have not worked from home before, other than perhaps the occasional call or email out of hours. For many, the focus over the last few weeks has been adapting to new ways of working and daily routines, turning the spare room or a corner of the living room into an office, entertaining children and looking out for vulnerable relatives and neighbours, all whilst carrying on with (or attempting to carry on with) business as usual. Data protection will have been the last thing on many individuals' minds.
However, most of those now working from home are in roles where they process personal data in one way or another, whereas the vast majority of data protection policies and procedures are aimed at protecting data in the workplace, or in transit to and from the workplace, not at protecting data spread out on the kitchen table.
Data protection obligations apply at home
Despite these extraordinary times we are now living in, we all need to keep in mind that data protection obligations apply equally whether we are operating in the workplace or at home. We all have a responsibility to ensure any personal data we process, whether it is electronic or paper-based, is secure whilst it is stored in our homes. There are no exceptions and the rules do not vary depending on where we are working from.
Increased risks to data arising from working from home
All organisations need to be aware (and need to ensure that their staff are aware) that remote working may pose an increased risk to personal data. Many people are now working in a home where at least one other person is now also working from home, potentially sharing space and equipment (e.g. the one printer in the house), and possibly with children around. They will be working on a home computer, laptop or tablet (or a combination of all three), over their home network. They do not have all the resources, systems and equipment they had in the office which were set up to ensure data was protected.
Perhaps some of the risks are actually minimal, in that the lockdown rules in most places mean that only members of the household should be entering the home, except in emergency situations. However, some risks will have increased, e.g. the risk of cyber attacks and fraud, as criminals are more likely to take advantage of people working away from their usual environment and to play on concerns over the pandemic.
The data protection principle perhaps most at risk of being overlooked as we adjust to new ways of working is the requirement for data controllers to process personal data in a manner that appropriately ensures its security. This includes protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
With this in mind, we have set out below some 'top tips' and practical guidance for organisations and individuals to help minimise the risks and to ensure data protection obligations continue to be met. This is based on a combination of our analysis of the legal requirements, our own experience of adjusting to new ways of working, and the guidance issued by the data protection regulators in Guernsey and Jersey (see below for details).
Top tips for organisations
Review and update the organisation's data protection policy and working from home policy
Existing policies are likely to cover occasional working from home, rather than the whole of the organisation working from home for an extended period. Ensure staff are aware of policies and offer training where appropriate (by telephone, through emails and/or presentations given through video conferencing facilities). If you are sharing your screen using these tools, ensure that confidential or personal information is not also shared accidentally.
Circulate guidance to staff on working from home and the associated risks to data security
It may be helpful to circulate the working from home policy as an extract if it forms part of a broader document (such as a staff handbook or a general policies and procedures manual), so that staff can access and review it quickly. Consider circulating it by email and making it available in a prominent place on your organisation's intranet or document management system (if applicable). It may also be helpful to provide a shorter list of 'dos and don'ts' or a visual guide to give staff something to refer to on a regular basis.
Consider performing a Data Protection Impact Assessment ("DPIA")
This may be a legal requirement (e.g. if as a result of remote working, you will be using personal data for a purpose for which it was not previously used or using new technology that might be perceived as being privacy intrusive, such as facial recognition). Even if performing a DPIA is not a legal requirement, it may be helpful in assessing where the risks might be. If you are introducing new systems or products in response to working from home, these should be adequately secured and have DPIAs performed against them.
Ensure staff only use secure network and WiFi connections
Ensure that your staff are using a WiFi network with a strong password and the best encryption level available to them. Be prepared to provide advice and support.
Ensure all devices have appropriate and up to date anti-virus software and security software
Security tools, including privacy tools and browser add-ons, also need to be kept up to date. Use two-factor authentication and encryption tools where possible. Many capable anti-virus products are now available for home users at no cost.
Encourage staff to operate in a 'paperless' environment as far as possible and adapt processes and procedures to minimise the need for paper documents to be generated
Look for new ways to deal with paper-heavy administrative processes. Avoid creating multiple copies of documents (by printing and scanning) wherever possible.
Invest in new technology and software to improve data protection and minimise risks
Consider supplying staff with an additional computer monitor to reduce the need to print documents. Use a document management system rather than paper filing. Use document signing software where possible to facilitate paperless transactions (see our briefings on closing transactions electronically in Guernsey and Jersey respectively, which cover the rules on electronic signatures in each jurisdiction).
Ensure adequate support in case of problems
Provide staff with guidance on how to react where problems arise, or if a potential breach occurs, and provide details of who to call and emergency procedures. These procedures should be as straightforward as possible and tested before a real incident occurs.
Top tips for individuals
Review your organisation's data protection policy and working from home policy, and follow instructions and guidance from your managers, IT department and (if applicable) data protection officer
These will be tailored to your organisation and the way in which it processes personal data.
Think carefully about taking physical files and documents containing personal data home from the office, and printing documents
Only take or print what you need. Do not leave documents in an unlocked car. Be extra vigilant if transporting documents by bus or taxi (don't leave them behind!). Make sure you have somewhere safe to store documents at home (e.g. a locked cupboard or room).
Allocate a defined area of the home that is your workspace and ensure it is secure
This could be a study or spare bedroom if you have the space, or even a desk or table in a living room, kitchen or conservatory. Set some 'house rules' that this is your space and no one else in the household is to touch, move or look at anything (papers, laptop, folders etc.) in or on your space. Lock your devices when not in use. Remember that if an unauthorised person is able to access personal data in your paperwork or on your computer, this is a data breach.
Ensure you only use secure network and WiFi connections
Ensure that your WiFi network has a strong password and is using the best encryption level available to you. Ensure your home router has the latest software updates installed.
Turn off smart speaker devices whilst on work calls
There is a risk that voice commands for these devices may be accidentally activated, causing their microphones to pick up your conversation (including any personal data and other confidential information).
Do not leave documents on the home printer
Collect documents from the printer as soon as you have printed them. It is easy to forget they are there and for them to get mixed up with other paperwork.
Tidy up your workspace at the end of each day
Put your laptop or tablet and any paperwork in a secure location in your home.
Do not put any documents containing personal data or confidential information in your household rubbish bin or recycling
You should discuss with your organisation how documents should be destroyed, e.g. you could have a 'shredding box' which can be professionally shredded by arrangement with your organisation.
Be extra vigilant to social engineering
Criminals are actively trying to take advantage of the current disruption by impersonating organisations and their staff, suppliers and clients. If you have any doubts about who is contacting you, speak to your manager or follow the instructions in your organisation's policies and procedures. Do not risk inadvertently sharing any data with a fraudster.
Do not open or reply to spam or phishing emails
Criminals are using concerns and uncertainty over the spread of coronavirus as bait to trick you into sharing information or giving money. Do not open emails or links sent to you containing the words "coronavirus" or "Covid-19" in the title or domain name unless you know the sender.
Ask questions and report any problems or potential breaches
Speak to your manager, IT department or data protection officer if you have any questions or concerns about protecting data in your home. Check your organisation's policies and procedures for how to report any issues.
Guernsey and Jersey regulatory guidance
The data protection regulators in Guernsey and Jersey have issued helpful guidance to organisations in their jurisdictions:
Guernsey's Office of the Data Protection Authority (the "ODPA") issued guidance: Protecting personal data in extraordinary circumstances. This also includes a link to the UK's Information Commissioner's Office's guidance: Data protection and coronavirus: what you need to know.
The Jersey Office of the Information Commissioner (the "JOIC") has also published guidance: Working from Home: Practical tips for keeping client, staff, volunteer and all personal information safe.
Organisations based in Guernsey and/or Jersey should review the guidance issued by the ODPA and the JOIC respectively, and any further guidance, notices or statements issued by them.
What happens if there is a breach whilst working from home?
It is still early days so we do not yet know how the regulators will treat a data breach that arises whilst someone is working from home. It seems unlikely that "working from home" will itself be a defence to a data breach but the regulators may take this into account where an organisation (and its staff) has taken steps to minimise the risks.
Helpfully, the ODPA in Guernsey has released a statement confirming that it is taking a 'realistic and pragmatic' approach to its regulatory activities during the Bailiwick's lockdown and that it will not take enforcement action against any organisation that is "trying to do the right thing".
The JOIC has said that it has always operated in "a reasonable, practical and pragmatic way, cognisant of local and global issues that cause public concern among our islanders" and that it will take the relevant circumstances into account when assessing compliance with the data protection legislation. It has also released a response to a FAQ confirming that it will not take action against controllers that have tried to comply with the legislation but are hampered in their efforts by the current situation.
Both regulators appear to be adopting a reasonable and sympathetic approach to data protection in these difficult times. However, organisations will need to take active steps to minimise any risk to personal data they are processing whilst staff are working from home – following the guidance outlined above and on the regulators' websites will help demonstrate that the organisation has done everything it can to protect data.
If you have any questions on any of the above, or you would like any further guidance, please get in touch with us.