In light of the current pandemic, many businesses have been required by Government order to shut their doors. As a result, the number of people now working remotely from home is at an all-time high.
While for some organisations working from home is already the norm for some employees and staff, for others this is something they have had to implement at very short notice. In either case, the concept of almost an entire workforce working from home is certainly unprecedented for most.
As such, many organisations may now be concerned as to whether their "work from home" practices are compliant from a data protection and data security perspective. This note is intended to address some of these concerns as well as the practical steps businesses can take to ensure that data is being handled securely.
A brief reminder of the security obligations under the GDPR and Data Protection Act 2018…
One of the key underlying principles of the GDPR and Data Protection Act 2018 is that personal data should be processed in a manner that ensures 'appropriate security' of the personal data by using 'appropriate technical or organisational measures,' including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Whilst specific technical and organisational measures would undoubtedly vary from business to business, these may include:
- the pseudonymisation and encryption of personal data
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- ensuring a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
Compliance in light of COVID-19
Working remotely has arguably always come with certain limitations as well as a degree of additional risk from a security perspective, such as documents being misplaced. However, with the Government's order for people to stay and work from home where possible, the previous and well-known issue of unencrypted USBs, laptops or documents being left on a train or in another public place is now not so much of a concern.
Instead, organisations are faced with issues arising from employees and other staff accessing data using their own private devices and processing that data through different cloud service providers; from communications, documents and information being sent and transferred much more freely over the internet than might have been possible in the workplace; and from the more general risks and vulnerabilities arising from hacking. It is also more difficult when working remotely for both employer and employee (or other staff member) to identify not only when a data breach has occurred but also how it occurred in the first place.
Whilst the COVID-19 pandemic does not exempt organisations from having to comply with the usual data protection and security obligations under applicable legislation, the Information Commissioner's Office (ICO) has recognised that the pandemic presents unprecedented challenges with businesses having to adapt the way they work and requiring in certain instances the need for them to share information more quickly.
The ICO has also advised that whilst it cannot extend statutory timescales - for instance the timescale for responding to a Subject Access Request by a data subject remains 30 days - it would not penalise organisations that need to prioritise other areas or adapt to a new way of working during these times.
In order to properly address the vulnerabilities to networks, IT systems, data storage and data communications/transfers, an organisation should conduct a risk assessment of the security and data protection incidents and breaches which may occur.
Only then will it be able to implement the relevant technical and organisational measures, suited to its own business, which ensure 'appropriate security' of the personal data in line with relevant legislation.
Whilst this is not an exhaustive list, such measures may include:
- data encryption
- regularly backing-up data
- using a VPN (virtual private network)
- using pre-approved cloud service providers
- providing data protection training to employees and staff
- using ISO (International Organisation for Standardisation) standards as a guidance, framework and tool for managing information security procedures
- reviewing or adopting (as the case may be) a robust IT Security Policy and Remote Access Policy which provides clear guidance as to which practices are acceptable
- ensuring passwords are complex and documents are password protected
- making staff aware of the risks of video conferencing (not all providers fully encrypt calls)
- requiring employees and staff to run an operating system on any personal devices being used for work purposes which is regularly (and automatically) kept up to date with service patches
- requiring employees and staff to install up to date antivirus and malware protection on any personal devices being used for work purposes
As security threats such as hacking become ever more sophisticated, maintaining the security of information and personal data has arguably never been more relevant or important than it is now. To this end, it is crucial that organisations review their existing IT security and other such policies. They should adapt them where necessary to ensure a balance is struck between adopting a more flexible approach to working in these unprecedented times and maintaining appropriate security levels when it comes to data.