Data Protection Challenges of Remote Working


In March 2020, businesses found themselves having to quickly adapt to managing a remote workforce. The IT department felt the pressure to create the infrastructure to enable this and information security teams looked for ways to effectively monitor the network in the new world. Remote working brings with it a number of data protection and privacy challenges.  

Challenge One – People

The number one cause of personal data breaches is people. It only takes a momentary lack of concentration for a senior manager to send the salaries and sickness leave details of their entire team to external clients by email, or for a very busy CEO to leave their laptop on a train.

There will always be an element of risk in handling personal data, but acknowledging this and putting mitigation and management in place can drastically reduce the risk of a large-scale reportable data breach.

Understanding the following can assist with the risk management strategy of an organisation:

  • How the workforce usually operates in the office versus how people may have to set up their working environment at home
  • How their emotions and mental health may be affected during these difficult times and how this could impact their work
  • What employees need to retain some form of ‘normality’ in their remote working

Challenge Two – Technology

Many employees now work on laptops and some office workers are used to the occasional day working from home. When this becomes a full-time arrangement for a large number of staff all at once, the technology supplied to employees is put to the test by the almost instantaneous move to remote working.

Applications

Managing data appropriately and knowing what data is where makes governance of risk far easier for those working in the field of cyber security, as it is often only once something goes wrong that the unknown ways of working come to light!

Whilst working at home, it is far more tempting for employees to use personal devices, removable storage devices or their own personal drives to access data when easy access to what they need is restricted. Giving the workforce remote access to commonly used applications allows data to be retained in applications already approved by the organisation, which preserves visibility and reduces the risk of additional copies of data being generated or used inappropriately by staff.

Video Conferencing

Lockdown led a number of individuals to download video conferencing applications to keep in touch with family and friends. For some businesses, the use of video conferencing was not an option prior to March, but now most meetings occur across Teams, Skype or Zoom. The use of video conferencing brings with it many additional risks for a business and the security team must be satisfied that the exchanges within the application are protected by the required company standard. 

The press has reported on several cases of “Zoom Bombing” whereby third parties invade organised meetings and cause disruption. The unwelcome guests have been reported to have shared distressing images or displayed inappropriate language to all attendees, some of which have led to police investigations.

Email

Email traffic over the past twelve weeks has inevitably risen for all businesses as workers seek to connect with their colleagues. The amount of data being generated and shared has understandably increased and organisations need to consider this risk over the coming months as business approaches adapt to the new normal. 

Inboxes tend to be the hardest data records to manage effectively. Ultimately the user needs to take ownership of the issue. Phishing emails are also one of the most common methods a hacker uses to compromise a system, so it is imperative that users know what to look out for and how to report potential threats.

Awareness campaigns and an active push from managers for their staff to review their inboxes and ‘purge’ what they no longer need are good ideas.

Challenge Three – Paper

Some organisations still rely heavily on paper printouts to run their operations. With individuals now working from home, there needs to be a greater awareness amongst staff of how to appropriately handle paper records and, most importantly, how to securely destroy them.

Where employees need to print out records, they should be advised how to manage these at home whilst the phased return to offices continues.

Challenge Four – Data Sharing

Without the option of walking over to someone’s desk to ask a question, people are using email and other communications platforms to deal with queries and share documents. 

Data sharing can test the principle of data minimisation as human nature often leads people to share far more than is required for the purpose. Engaging with employees and reminding them of how they must take the time to anonymise data where possible, or remove the excess columns from a spreadsheet before sending it, could prove useful in combatting the problem.  

A recent example of where email communications can go horribly wrong is the disclosure of abuse survivors' details, whereby the sender of the monthly newsletter failed to anonymise the data of the victims before pressing send.

One way to manage and control sharing within an organisation is to ensure the data protection policy has clear guidelines on company-approved data sharing platforms. The key to keeping data sharing under control is to make the preferred method easy! If too much effort is required in granting external access to a sharing portal, uploading documents with passwords and then having to send links, people will stray and resort to the easier method of email attachments.

Handy Tips

So as staff begin to return to work, here are some more practical tips to protect personal data:

  1. Engage with staff to gain an understanding of how their ways of working have changed and what difficulties they are facing with data management.
  2. Ensure that the company policies around remote working, data protection and information security are up-to-date and accessible to all.
  3. Offer a remote IT helpdesk service for employees who are having difficulties operating their hardware or software from home to prevent them using their own devices to work on.
  4. Ensure staff are installing software updates onto their work devices.
  5. Raise awareness of phishing emails and remind staff how to report them safely.
  6. Secure cloud storage solutions should be in place and staff should know how to use them. 
  7. Communicate the data breach or incident management procedure to staff.
  8. Account for any additional processing that has been required to take place over the past few months in the Record of Processing Activities.

Samantha Smith is a Data Protection Manager and qualified Solicitor with experience of data protection compliance projects across both public and private sectors. 


The Return to Work and Data Protection


Written by Emma Garland.

Along with pubs, restaurants and places of worship, many businesses have now re-opened after the lockdown and are requiring their staff to return to work. There has been a lot of guidance about how the physical aspect of premises can facilitate a safe return, but it is also important that employers do not forget the need for good data protection practice. Much of the process of leaving the office may have been done hastily, but many of the practices that are now established will be in place for a significant time to come.

In short, the principles are the same as they always have been. Data protection does not prevent employers from using personal data in a new way to ensure both the workplace and employees are safe. However, it is important that the risks associated with new personal data processing activities are recognised and addressed.

Whether an employer wants to create records of staff who are self-isolating, needs information to understand which staff are vulnerable, or needs to share data about staff with the NHS, Data Protection Impact Assessments (DPIAs) are an important tool for planning purposes. They will help to clarify the specified aim, the information flow and the risks associated with the processing. The DPIA will require answers to questions such as: What do we want to achieve and what personal data do we need to do it? What systems are we going to use and who is responsible for the data? What are the risks to Data Subjects and how are we going to address them?

Communication is vital. The Information Commissioner’s Office (ICO) states in its blog “Be clear, open and honest with staff about their data”. There might be changes in policy and procedure which have an impact on processing employee personal data. Employers should consider if there is a need to update their privacy notices or even create additional ones.

Now is also a good time to think about physical premises and the impact on data security. If employers have implemented a one-way system, does this make it easier for someone to gain access to personal data?

Whatever measures are implemented during and after the pandemic, employees must still be able to exercise their data protection rights. If personal data is not clearly organised across systems, with logical steps in an information flow, then it might not be possible to comply with subject access requests.

Other important steps include amending the organisation’s Record of Processing Activity (RoPA) and the Information Asset Register. Retention periods must also be carefully considered. This is a time of uncertainty, which makes ‘just-in-case’ retention periods tempting, but they should be avoided. There is nothing wrong with telling people that information has been destroyed because it had reached the end of the retention period for the specified purpose it was collected for.

The Information Commissioner’s Office has produced some further guidance for organisations as they recover from the Coronavirus period.

Emma Garland is a Data Governance Officer at North Yorkshire County Council and a blogger on information rights.