One effect of lockdown this year has been to introduce more people to the ease of working from home. Not only is it an easier option than commuting, but it is easy to use modern communications to hold virtual meetings and collaborate over a distance. This is something of a breakthrough, even a revolution! Office life will not return to exactly what it was before.
So we need to change our thinking on home offices in particular, as that is where personal data is likely to be processed.
What factors do employers need to take account of when implementing a “Work From Home” strategy? It is the usual list: IT security, physical security, data protection housekeeping basics, policies and procedures and monitoring. All of these areas will require investment by the business, hence “lower cost not no cost”.
The key to secure home working is not to allow employees to save work data to unauthorised devices. The employer should provide IT hardware, or approve employees' own devices, and set controls to ensure that only authorised devices are used for company business. An extreme, but effective, approach would be to issue thin-client terminals for work activity, such as Google Chromebooks. With no storage capacity these enforce working through a VPN, and company policy can dictate that data is stored only on company IT systems accessed via the VPN.
Another risk is poor security around the wifi router in the home. A good quality router is required, with the factory-set password changed on installation and regularly thereafter, as the password is likely to be shared with family members and visitors to the household.
Some work tasks carry their own risks, such as making confidential telephone calls. Again, support with appropriate hardware can reduce the risk of confidential calls being overheard by other members of the household. Earphones and a microphone will reduce the sound levels, but it may also be necessary to provide a soundproof booth as part of the kit for working from home if an employee does not have a separate working space, a designated home office.
The physical security of the home office can only be assessed by a visit to the employee’s home. A home visit is essential for checking the health and safety aspects of home working: the organisation remains responsible for providing an appropriate working environment for its employees. At the same time as checking that appropriate desks, chairs, PCs, monitors etc. are available, a check should be made on the security of the home office. Inevitably some work documents or records will be printed, so a lockable cabinet or drawer is essential. It should be empty to start with! Remember that documents in use need to be stored in it, and documents that are no longer required also need to be stored until the employee returns to business premises and can bring them in to be disposed of properly and securely.
Data protection housekeeping basics
The Data Protection Principles include some good housekeeping basics, for example data minimisation and limits on data retention. Reducing the amount of data held is a huge contributory factor to data protection compliance and data security. Less data means that it is easier to respond to subject access requests. Less data means less exposure to out-of-date material. Discipline is needed to keep digital files up to date and relevant, which leads us to policies and procedures.
Policies and procedures
As a minimum an employer that facilitates working from home needs the following written policies and procedures:
- Data protection policy: a statement of commitment to data protection compliance and the authority for subordinate policies and procedures required for compliance.
- Remote working policy: instructions on IT and physical security when working from home to reinforce the technical and physical measures put in place. Along the lines of: “you will not save company data or work to own devices unless authorised to do so. All your work will be on work IT systems via the approved VPN”. Also to set company preferences for file sharing and conference communications: “we use Teams” for example.
- Monitoring policy: line managers still need to check the work output of their team members for quality control and compliance purposes. This must be done within the bounds of the Human Rights Act and in a way that keeps team members on board rather than alienating them, which is harder at a distance than when you are sharing office space.
- Other company procedures will need to be reviewed to ensure that the home working environment is covered, for example the Security Breach Reporting procedure might need adjustment for investigating incidents that occur off work premises.
This is an outline of the considerations for employers who are now considering strengthening their home worker capacity. Although the costs of running a physical office will be reduced, and home working allows the expansion of the workforce without adding to the costs of office space, there are still some costs linked to setting up an employee to work from home. This article has covered the generic issues, but the measures that a particular employer chooses to introduce for home workers should relate to the risk presented by the specific job role of the employee. A good first step would be to carry out a Data Protection Impact Assessment (DPIA) to identify the risks associated with the job roles that are being decentralised. Then take action to avoid or mitigate the risks identified.
We, Data Protection Consulting, can help with the DPIA process and suggest options to help build secure home working practices for your organisation. We have more than twenty years’ experience of fact-finding and solving problems related to data protection. Get in touch for a free discussion and quote.
Mandy P Webster, Data Protection Consultant