Working from home is a reality for many people for the foreseeable future. There is no reprieve from Covid-19 yet. So what are the challenges for compliance when working from home?
There are some common themes:
- Ensuring confidentiality for telecalls in a crowded household; your employee may not be the only one working from home in that household
- Security for paperwork and digital work in an environment that has not been set up by the company’s IT and building management teams
- How to monitor quality of work and legal compliance when colleagues are in their own homes and any oversight could easily be seen as massively intrusive
Risk is the measure of likelihood of breach against the likely significance of the impact of the breach. Whether there is sufficient confidentiality for telecalls and work stations is a matter of fact and is the first part of the risk assessment to determine the likelihood of a security breach. As home working environments will differ from one employee to the next, a factfind is needed to identify those at higher risk, working in shared accommodation with reduced privacy. What issues are colleagues facing?
The significance of the likely impact of a breach of confidentiality will depend on the type of data being processed, the type of data subject involved and the tasks being undertaken. The marketing team working on a new campaign present less risk to the confidentiality of personal data than members of the HR or payroll team, for example. Within these functions there will be specific tasks that present a very high potential impact to the business and its data subjects.
The information gathered so far will enable priorities to be set. Cases where a higher risk of breach is coupled with the most significant likely impact of breach should be the top priority and the first to be addressed.
Consider whether the risk identified can be reduced by providing equipment such as headphones for calls and soundproofing for workstations, or by the provision of a locking desk cabinet for paperwork. Other necessary equipment for a home office is a dedicated printer and shredder if colleagues need paper records for work purposes. Access to work IT systems should already be controlled through personalised log-in using user names and passwords to both the network and the individual applications within it. Most employers facilitate access to the network via a VPN, which secures the connection. Problems caused by employees making a local copy of a record on their home equipment can be overcome by providing a company device (laptop or desktop) or a blank portal device like a Chromebook.
Policies and procedures also have a part to play in risk reduction. Most employers allow some colleagues to work from home on occasion and will already have a Home Working Policy setting out required standards of confidentiality in the home office, for example:
- All work should be held on company systems via a VPN to ensure routine backup and appropriate security.
- Records should not be stored on non-company devices or printed onto paper.
- Work stations should be positioned to maximise confidentiality of telephone conversations and work on screen.
- Printing off records onto paper should be discouraged but if they are required, ensure that colleagues have a secure, dedicated, work printer and facilities to shred and store unwanted records until these can be returned to the office for secure disposal. Under no circumstances should office waste be put in domestic waste facilities.
- If paper records are to be retained, a secure cabinet will be required.
- Colleagues should be reminded about these do’s and don’ts for ensuring security for personal data in the home office.
Both the physical setup of the home office and the observance of policies and procedures need to be monitored for compliance. Keeping colleagues informed and involved in the process of risk assessment via the factfind and agreeing compliance measures is fundamental to ensuring that the monitoring process is not overly intrusive. Monitoring employees in the home working environment is an ongoing obligation and should be approached as an inclusive task rather than one that is imposed from above. Also, there is no monopoly on good ideas. Colleagues are likely to come up with some good suggestions as to how to improve security and confidentiality in their home working environment; after all, they know it best.
Some colleagues will face additional challenges when working from home, such as lack of office space, having children in the house part or all of the time, or having the builders in next door, and will need access to the office for the space and time to work comfortably and securely. Similarly, there may be some tasks that the business, as a data controller, decides are too sensitive to be carried out in the home office, for example managing payments or payroll, and sensitive HR issues. But with the majority of the staff working from home, the office might be safe enough for those few to work in with Covid-19 security measures in place.
The answer to the demands of running a business during these difficult times is to keep the situation under review. Circumstances change, and the level of risk will change with them. Flexibility in work arrangements could make a massive difference if up-to-date information about how colleagues are coping in the home office is available to inform and review decisions.
Mandy Webster, Data Protection Consulting
A discussion group for colleagues to share their experiences and views on how issues can be overcome is a good way to check compliance and remind everyone of applicable policies and procedures. Make notes of the discussion as this will evidence your compliance focus and activity.