Home Working and Data Protection
Home working, already a desirable option for many, has seen a significant rise this month as thousands go into isolation as part of a global effort to limit the spread of the coronavirus (COVID-19). The availability of technology and software solutions makes it easier than ever before to work remotely, and many are taking to video meetings clad half in business dress and half in athleisure wear. However, while it may become the norm (at least for now) to take a relaxed and homely attitude to certain aspects of work, data protection is not one of them.
Data protection law imposes a wide range of obligations on organisations, and these must continue to be taken seriously, but as the Information Commissioner’s Office points out, “data protection is not a barrier to increased and different types of homeworking.” Nor, as the ICO also tells us, should your staff necessarily be prohibited from using their own devices for their work. Data protection law does not prevent this, but careful thought should be given to the new security issues that will arise.
Some businesses will be well-prepared and will already issue mobile devices such as smartphones, tablets, and laptops to many (if not all) employees. It is also likely that businesses in that position will be similarly geared up to administer such devices remotely, taking care of all-important security and software updates. Others, however, may need staff working from home to use their own equipment and will need to consider how best to protect personal data being processed on that equipment by employees as they continue their duties from their dining tables (or, ideally, desks or studies).
Maintaining Awareness and Implementing a Policy
Maintaining control over personal data within a business environment, and maintaining awareness among your staff of data protection issues within that environment is inevitably more straightforward than doing so when much of your workforce is at home. It is, therefore, important to consider ways to keep knowledge and awareness of the law and of your business’s internal principles and procedures fresh. Training is important – whether for the first time or as a refresher – and can be conducted using a variety of online tools.
Having a Data Protection Policy in place is also important.
New Home Working Data Protection Policy
In light of the current situation, we have created a new version of our popular Data Protection Policy designed specifically with home working in mind. Its scope is not limited to home working and can still be used in businesses where home working is not the norm; however, it contains a number of new provisions designed to help maintain your business’s data protection compliance while your staff works from home.
Key new elements address IT security, with a particular emphasis on VPNs, network security, software updates, and the use of personally-owned devices. Other new provisions aim to factor in new compliance challenges presented by mass home working such as the availability of personal data when complying with requests by data subjects to exercise their rights (e.g. subject access requests) and other important issues such as the disposal of personal data that is no longer required or must be erased.
For our Employment subscribers, this document template is also available at GDPR Within Employment and Flexible and Home Working.
Keep Calm and Carry On Processing
The Information Commissioner has specifically addressed the issue of data protection practices not meeting the usual standards during the COVID-19 pandemic and reassures organisations that, while the law remains unchanged, they intend to take a pragmatic approach to enforcement: “We understand that resources…might be diverted away from usual compliance or information governance…We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.”
Personal data is a vital ingredient in business and just as the wheels of the world must keep on turning, so too must your business’s use of personal data. Inevitably, compliance with data protection law will become more challenging as personal data is increasingly handled on the family laptop rather than the office workstation, but by maintaining awareness, providing training, and having instructional policies in place, you can help to keep things flowing safely and securely within your business.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.