Home working, already a desirable option for many, has seen a significant
rise this month as thousands go into isolation as part of a global effort
to limit the spread of the coronavirus (COVID-19). The availability of
technology and software solutions makes it easier than ever before to work
remotely, and many are taking to video meetings clad half in business dress
and half in athleisure wear. However, while it may become the norm (at
least for now) to take a relaxed and homely attitude to certain aspects of
work, data protection is not one of them.
Data protection law imposes a wide range of obligations on organisations,
and these must continue to be taken seriously, but as the Information
Commissioner’s Office points out, “data protection is not a barrier to
increased and different types of homeworking.” Nor, as the ICO also tells
us, should your staff necessarily be prohibited from using their own
devices for their work. Data protection law does not prevent this, but
careful thought should be given to the new security issues that will arise.
Some businesses will be well-prepared and will already issue mobile devices
such as smartphones, tablets, and laptops to many (if not all) employees.
It is also likely that businesses in that position will be similarly geared
up to administer such devices remotely, taking care of all-important
security and software updates. Others, however, may need staff working from
home to use their own equipment and will need to consider how best to
protect personal data being processed on that equipment by employees as
they continue their duties from their dining tables (or, ideally, desks or

Maintaining Awareness and Implementing a Policy

Maintaining control over personal data within a business environment, and
maintaining awareness among your staff of data protection issues within
that environment, is inevitably more straightforward than doing so when much
of your workforce is at home. It is, therefore, important to consider ways
to keep knowledge and awareness of the law and of your business’s internal
principles and procedures fresh. Training is important – whether for the
first time or as a refresher – and can be conducted using a variety of
Having a Data Protection Policy in place is also important.

New Home Working Data Protection Policy

In light of the current situation, we have created a new version of our
popular Data Protection Policy designed specifically with home working in
mind. Its scope is not limited to home working, and it can still be used in
businesses where home working is not the norm; however, it contains a
number of new provisions designed to help maintain your business’s data
protection compliance while your staff works from home.
Key new elements address IT security, with a particular emphasis on VPNs,
network security, software updates, and the use of personally-owned
devices. Other new provisions aim to factor in new compliance challenges
presented by mass home working such as the availability of personal data
when complying with requests by data subjects to exercise their rights
(e.g. subject access requests) and other important issues such as the
disposal of personal data that is no longer required or must be erased.
For our Employment subscribers, this document template is also available at GDPR Within Employment and Flexible and Home Working.

Keep Calm and Carry On Processing

The Information Commissioner has specifically addressed the issue of data
protection practices not meeting the usual standards during the COVID-19
pandemic and reassures organisations that, while the law remains unchanged,
they intend to take a pragmatic approach to enforcement: “We understand
that resources…might be diverted away from usual compliance or information
governance…We won’t penalise organisations that we know need to prioritise
other areas or adapt their usual approach during this extraordinary
Personal data is a vital ingredient in business and just as the wheels of
the world must keep on turning, so too must your business’s use of personal
data. Inevitably, compliance with data protection law will become more
challenging as personal data is increasingly handled on the family laptop
rather than the office workstation, but by maintaining awareness, providing
training, and having instructional policies in place, you can help to keep
things flowing safely and securely within your business.
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific