Many organisations will have looked at data protection and IT security compliance in an office-based environment - so what happens when your home becomes your office? Organisations are liberating their workforces by enabling agile working but does liberating your workforce compromise your ability to comply with data protection laws?
To enable remote working, most employees require an internet-enabled device and remote access to applications and databases. They may also need the ability to take files home with them (electronically or in hard copy) and to print information at home. They may use memory sticks to transfer data between work devices and home devices, and they may use cloud-based services like Dropbox or SkyDrive to save data.
So, what could go wrong? Well, what if:
- your employee accesses sensitive personal data from their home device (either by accessing e-mails over the internet or transferring data using a memory stick);
- your employee uses a second-hand computer to access the data;
- the computer hasn't been checked by your IT team and contains software/shortcuts which automatically upload documents to the internet (without your employee's knowledge);
- the data uploaded is incredibly sensitive and includes information about alleged criminal offences and children;
- the data is freely available on the internet and is seen by third parties who don't have any right to see the data;
- the breach has to be reported to the regulator;
- the breach is reported to the national press and your organisation's poor data protection practices appear in the national news the following day?
Sound far-fetched? These are the key points from a recent ICO investigation into a breach committed by an employee of Aberdeen City Council.
So what can organisations who are thinking of implementing flexible working arrangements (or who have already done so) do from a data protection perspective (and what can they learn from this case)?
- assess the risks and issues that your flexible working arrangements involve, particularly if employees are entitled to use their own equipment to access corporate information including information about other employees, customers or other individuals;
- don't look at flexible working purely as an employee/HR issue - the evaluation and implementation process probably needs to involve your IT security, risk/compliance, legal and internal audit teams to ensure that all risks are considered and mitigated;
- ensure you have a policy in place which deals specifically with data protection risks and requirements for employees when working away from the office...
- ...but don't just rely on the policy - it needs to be communicated to staff and made relevant to their role so that it is understood and can be complied with in practice (simple 'dos and don'ts' often work best, together with an effective training programme). It also needs to be monitored and policed (don't just expect staff to comply with the policy because it's there), and it should be supplemented with technical measures to help ensure compliance, e.g. you may want to disable USB ports or only permit data to be saved on to encrypted memory sticks, as well as ensuring you have appropriate access controls around data;
- unencrypted memory sticks, the ability to access e-mails and corporate files from any device over the internet and permitting staff to use generally available cloud-based systems/local drives will cause issues - in addition to the security issues (i.e. not having appropriate technical and organisational measures in place to safeguard personal data, as required by the DPA's 7th principle), you may also create issues with personal data being held on cloud-based servers outside the EEA (the DPA's 8th principle doesn't permit data to be processed outside the European Economic Area);
- the safest option from a security/7th principle perspective will be to require staff to only access your organisation's personal data using approved IT equipment - but in a world which is embracing flexible working and 'bring your own device' policies, this may not be as straightforward as it sounds.
Organisations considering flexible working arrangements (and those who have already implemented such arrangements) should look at the risks and issues in a holistic way and should bear in mind that employee errors can lead to serious organisational risks in terms of fines, consumer trust and reputational damage - ultimately, it is the employer (as the data controller) which is responsible for compliance with the DPA and which will be liable when things go wrong.
So, if you want to let your staff work from home, make sure that they've received the appropriate training and equipment to access and use personal data securely, and make sure that you've involved all of your relevant stakeholders in assessing and managing the risks. Just because you let your staff work from home doesn't mean that data protection compliance becomes their issue; it remains the responsibility and liability of the employer organisation.
Organisations should also bear in mind that data protection laws are changing - the ICO can currently issue fines of up to £500k for these types of breaches; under the proposed new data protection regulations, fines will increase to up to 2% of turnover (plus a mandatory obligation to notify the regulator of the breach, together with every person whose data has been compromised by the breach).

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.