In order to delay the spread of the COVID-19 virus, it has been possible for certain employers and employees to work remotely. And while a number of those businesses have pre-existing policies in place to manage remote working, given the widespread scale and uncertain duration of remote working in the circumstances, businesses should ensure that measures are taken to maintain data protection compliance when working outside of the four walls of the office.
Security risks posed to organisations when working from home
Given the unprecedented number of employees working from home, organisations will need to adapt to these changes in order to continue to demonstrate compliance with data protection principles. In particular, this applies to processing personal data in a secure manner by:
- Ensuring that the data is treated confidentially
  - When working from home, organisations should consider whether it is strictly necessary for staff to access or retain hard copy files. Where it isn’t, staff should be required to take scanned copies of the files which can be accessed from their laptop.
  - Where hard copy files are required, the Data Protection Commission (the “DPC”) has advised organisations to keep a record of any files taken home where possible and to ensure that staff are able to confirm that files are stored and disposed of in a confidential and secure manner.
  - Employees should be made aware of the importance of accessing the organisation’s data in a secure manner eg logging out of their laptop when it is not in use and ensuring that the laptop is accessed at a confidential location where people other than the employee cannot view the content.
  - Reminding staff of the organisation’s existing data protection policies and procedures to ensure that staff are cognisant of their continuing confidentiality obligations while working from home. Where appropriate, staff should also be informed of any amendments made to data protection policies in light of remote working practices.
- Protecting the organisation against cyber-attacks
  - Assessing current security procedures to ensure that appropriate organisational measures are being implemented in light of all or the majority of staff working remotely.
  - Organisations should ensure that all laptops are encrypted so that the data is not accessible where a laptop is misplaced or stolen. Where this does occur, however, the organisation should be in a position to take immediate steps to prevent the data from being accessed by an unauthorised third party eg remotely wiping the data from the laptop.
  - Encouraging dialogue between IT and staff members on how to promote cybersecurity within the organisation and alerting staff to different phishing scams. The organisation could also facilitate this through the provision of online training to staff by the employer’s IT providers while the employees are working remotely.
- Significant damage to the organisation's reputation;
- The enforcement by the DPC of the following administrative fines:
- Civil actions for non-material loss;
- Reducing the market value of a company; and
- Diminishing employee morale in circumstances where the data breach relates to employee data.
An organisation's culture toward data privacy will play a crucial role in determining its success in overcoming any challenges presented when staff are working from home. As data controller, the employer is responsible for ensuring that its employees, as agents of the organisation, are in a position to demonstrate compliance with its data protection policies, whether they are working within or outside of the office.
- Review existing data protection policies to take account of any additional risks or obstacles that may be presented when employees are working from home. This includes updating GDPR policies to ensure compliance with new policies that have been implemented by the organisation eg the organisation’s COVID-19 policy.
- Implement online staff training to make sure that employees are aware of any policies that have been updated and know how to follow these procedures in practice.
- Encourage the use of alternative communication tools while employees are working from home. For example, when deciding whether to report a data breach to the DPC, the Data Protection Officer (the "DPO") may need to consult with certain staff members. While face-to-face meetings are not possible, this should not hinder the DPO from performing his/her duties and staff should be encouraged to collaborate with one another through alternative communication tools such as video conferencing systems or instant messaging services.
Our Employment & Corporate Immigration Department regularly assists and advises organisations in drafting and updating policies and has extensive experience advising on a range of data protection related issues/disputes within the employment context. For further information, please contact Bláthnaid Evans or Sheila Spokes, +353 1 639 3000 or visit www.leman.ie.