With so many of us now working remotely, issues arise about data security and the increasing reliance on technology platforms to keep businesses and organisations running. In the first of two articles exploring these issues, we will focus on data security considerations.
Of course, working from home is nothing new for the vast majority of us. However, issues arise because this is increasingly becoming the day-to-day norm rather than the exception. At the same time, we want to stay connected to colleagues, customers and contacts to keep our businesses going and offer support, but also to avoid the feeling of isolation. There is both a business and social angle to this which is entirely understandable.
It is not the purpose of this article to be unrealistic about this and put too many constraints on these ways of working and interacting. And there has to be a recognition that there will be learning along the way. However, there are a few things to bear in mind that should help to minimise risks.
When we talk about data security we are not just focussing on personal data and the regulatory layer over this provided by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). There are much wider categories of information at risk, for example, confidential information and trade secrets belonging to customers or to our businesses and intellectual property rights underpinning our organisations.
It is at times like these that staff are likely to be most tempted to use their own devices. Policies around “bring your own device” (BYOD) are already common, restricting staff from using their own devices and data storage to transact on behalf of the organisation. You should review your BYOD policy to see if it is still fit for purpose. You should remind staff about what the policy is or how it has been revised to deal with the current situation and try to get a sense of whether there are any issues by finding out what devices they are using. This could be an audit but might not need to be so formal. This may well give you a better idea of whether you need to procure further devices and storage (which will be covered in the second article in this series). Additionally, if staff need help with IT issues it is important to make that as easily available as possible to avoid them attempting their own workarounds which might lead to information and systems being put at risk.
Coupled with this is an increased risk from hackers at this time. This is not just about using devices or systems that are less secure, but also the risk of employees being duped into changing passwords or into downloading software that contains malware. IT support staff are also likely to be very busy building and maintaining the infrastructure to support remote working and may not be paying as much attention to IT logs and other indicators of suspicious activity. At the same time, it isn’t only the security of information stored electronically which is in issue. Physical documents held away from the office are also important to consider. Whilst the lockdown continues and everyone is at home this is probably less of an issue, but once the lockdown is lifted and people return to their places of work thought will need to be given either to the return of documents stored away from the office or to their secure destruction at home. Also, do not forget that with places of work now largely empty, consideration should be given to ensuring that information and equipment located there is secure. If you have a data security breach response plan, take a look at that to see if it needs revision, for example, to take into account that those involved in dealing with a breach may not be able to sit together in a room. Also ensure that everyone who needs to be involved has a paper copy of that plan and an up-to-date contact sheet with them at home in case systems are unavailable.
In terms of communicating remotely via video conferencing and social media, there are lots of providers out there offering solutions. You need to be cautious about the platforms being used by your staff in terms of how secure they are. To what extent are there known vulnerabilities with these platforms? And equally importantly, to what extent do the platforms reserve the right to use or share the data which is exchanged through them? Again, an “audit” of the platforms that staff are currently using to communicate with one another would be sensible, with a focus on guiding staff to platforms that are designated for business use. It is unrealistic to suppose that your teams will not also communicate socially through other platforms, but guidance should also be issued that work-related matters should not be conducted on any platforms other than those designated. There will be more on contractual issues in this respect in the second of this series of articles.
Turning to personal data and the regulatory regime provided by GDPR and the DPA, regulators have stressed that data security requirements will not be relaxed. The UK Information Commissioner has said this:
“Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.”
And the Chair of the European Data Protection Board has explained that:
“Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects.”
Perhaps the most straightforward way to explain this is by reference to recent decisions made by the ICO relating to failings in data protection compliance which directly impact homeworking. Here are the main relevant take-aways from those decisions:
- Remote access to systems should normally be through multi-factor authentication rather than use of a single password;
- Staff should be given access only to the data they need to perform their function and for only so long as that access is needed. Privileged access across the network should be limited (note that this might need to be relaxed a little when some staff may not be able to work and so others might need access to step into their role);
- Organisations must keep up to date with widely known vulnerabilities in software and systems (in other words, keep up to date with what is happening more broadly around data security at these heightened times of risk);
- Data security is also concerned with storing paper records securely;
- A common underlying cause of regulatory failings is a lack of guidance and training to staff.
GDPR and the DPA also throw up a range of other issues to consider, including:
- if you are using new platform providers, have you put in place appropriate data sharing arrangements with them?
- if personal data is being shared with a platform in a third country outside the UK or EEA, you will need to have a gateway in place allowing that cross-border data transfer;
- if you are sharing individuals’ data with additional third parties, you should review the privacy notices issued to those individuals to consider whether you need to update them to explain this.
These issues will be looked at in more detail in our second article.
We would welcome your feedback, particularly any experiences you might be prepared to share with us regarding remote working.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, April 2020