Staff working from home? How do you keep data secure?
Data protection law requires every business that deals with personal data to ensure that they have “Technical and Organisational Measures” in place to keep that data secure. Losing that data could seriously damage the company’s reputation and potentially land it with a fine from the ICO and with claims for compensation.
Please note: the information contained in our legal updates is correct as of the original date of publication.
Data protection law requires every business that deals with personal data to ensure that they have “Technical and Organisational Measures” in place to keep that data secure. In addition to personal data, business owners and employees are also likely to be dealing with data that is confidential (either relating to the business itself or to third parties).
Losing that data could seriously damage the company’s reputation and potentially land it with a fine from the ICO and with claims for compensation.
But with everyone working from home right now – how do you ensure that data is kept safe?
Here are a few points to bear in mind:
- If you don’t have a “Working from home” policy, now might be the time to put one together.
Why? In the event of a data breach being investigated by the Information Commissioner’s Office (ICO), the ICO are likely to want to see the precautions that your business had in place to avoid and minimise the effects of that breach.
As a business you want to have an answer to the question “What did you do to try to prevent this?” This policy should as a minimum deal with all of the points below and be required reading for all staff.
- Ensure data is regularly (and securely) backed up
Having regular back-ups should be part of any decent IT security policy – to mitigate the risk of a ransomware attack (where access to data is blocked and a decryption key, typically offered only in return for payment of a ransom, is needed to recover it).
Why? Regularly and securely backing up data means that the risk of an individual device or individual user being compromised is considerably reduced, since data can be recovered up to the point of the last back-up.
Where employees are working offline for any length of time it is worth reminding them that personal data needs to be kept secure and that an individual laptop’s own hard drive (or free storage such as Google Drive or Dropbox) is unlikely to have the same level of security.
- Software updates and patches
Of course you’re regularly installing the latest versions of your own business software, making sure that vulnerabilities are dealt with, aren’t you? This should be an integral part of any IT security policy – but is something to particularly consider when staff are working from home.
Why? Because unlike workers commuting to work on a regular basis, there is no requirement for someone working from home to switch off their computer at night. As far as you know it may still be whirring away in some back room, meaning the usual installation of updates to software may not be triggered. You need to ensure that these updates are installed.
- Agree communication channels with employees
Hopefully your workers have access to an email server controlled and secured by the business. In times like these however you might want to be clear about the channels employees should use to communicate.
Why? Discussions between employees scattered to their various homes might well carry on across a multiplicity of platforms – from Zoom, WhatsApp, Google Hangouts, Skype and Facebook Messenger to apps like Houseparty or Dropbox. Some of these apps have well-known security flaws and can be easily hacked or discovered by those outside the company.
Communicating in advance which software is acceptable can help avoid sensitive data being exposed.
- Have a way of dealing with suspected phishing emails
Having a policy agreed in advance means that employees are less likely to be susceptible to emails that appear to be from the boss, or which request financial or other information.
Why? Any good policy should give a point of contact to whom suspicious emails can be sent and verified. If your staff receive an email that appears to have a suspicious link then a central point of contact (who has the tools to check the email in a secure, isolated environment) can considerably reduce the cost of having to deal with the consequences.
- Other people in the household
We all remember the BBC News interview where the interviewee’s young children bounded into shot to great comic effect (in stark contrast to the serious nature of the discussion). Children, partners and other people will be around the house and no one can seriously object to their occasional interruption – but what about discussions about particularly sensitive or confidential information? These should also be covered in your policy.
Why? Clients and employees are likely to expect and deserve confidentiality to be maintained, including from other members of a household. Discussions about sensitive matters or involving confidential information should be afforded the same level of privacy that would be maintained in an office – so if a discussion would typically involve you leaving an open-plan environment (e.g. performance reviews, confidential new projects, discussion of a client’s personal circumstances), then common sense would suggest leaving the room that you’re sharing with other members of your family.
Ultimately these points might seem like (and are) little more than common sense; however, in the imposed informality of working from home some of the normal precautions around security can be missed. It is therefore critical that every business remains vigilant to the risks of a lack of security and takes appropriate measures to keep data secure. Taking the steps above, capturing them in a policy and ensuring that all employees are aware of that policy are sensible steps to (hopefully) avoid a data breach or (at worst) minimise the consequences of a breach.