In our previous article ‘Coronavirus and Compliance with the Protection of Personal Data’, we focused on likely issues arising from recording additional health information (special category data) as a result of the Coronavirus (COVID-19) outbreak. In this article, we respond to requests about the impact of telling staff to work from home instead of coming into the office, and what the likely consequences are for compliance with data protection laws.
With COVID-19 raising the risk to employees working in a closed office environment, it is quite understandable that employers will wish to keep staff working in a way that mitigates the risk to the organisation, such as working from home. However, where organisations have never used this approach before, it is unlikely that they will have the necessary policies, procedures and systems in place to ensure the security of information and data, among other issues affecting home and lone working.
One of the first things to consider is ‘how will staff access work systems and files?’ It may be that the organisation has an existing server network and can quickly set up VPN access; however, using what devices? Will the organisation be asking staff to use their own devices, or will the organisation be able to provide mobile devices to enable access? Organisations should follow a simple rule: if staff are required to remotely access the organisation’s systems and files, they should be provided with a work-controlled mobile device, and this device should have a strong level of encryption to provide security in the event of the device being lost.
A further consideration will be ensuring secure access to the organisation’s systems and files to enable staff to work from home. Providing VPN access to the organisation’s network could pose a challenge for network bandwidth. An option, therefore, is to move the files to a cloud server, which can be done fairly quickly. However, assuming that personal data may be involved, this could mean that the organisation has to consider carrying out a Data Protection Impact Assessment (DPIA) first and add the new process to its record of processing activities in order to support proof of its compliance with UK and EU data protection laws.
If the organisation is moving to a cloud server solution, it will need to establish how the data is secured within that solution and how the required retention periods are managed. If the organisation currently subscribes to Microsoft Office 365, then it will likely have Microsoft Teams available to it, and security settings can be controlled through Microsoft’s Admin function. If the organisation elects to use a ‘files store’ such as Dropbox, it will need to make sure that it knows in which country the server is located and that access to the files and folders can be strictly controlled and limited. In both approaches, the organisation will also need to consider data back-up.
In addition, and separately from the data protection compliance implications, the organisation will need to consider the implications for its duties under health and safety legislation, lone working issues, etc., and reach agreement with HR during this process.
None of the above issues is insurmountable (nor are they the only likely issues), and they can be overcome quickly. However, the need to carry out these checks, changes and developments must not be lost or ignored just because the organisation needs a quick fix. Cutting corners at such a time could prove costly.
 Regulation (EU) 2016/679 (GDPR) art. 35