
Briefing: New ways of working – the risk to data privacy

Our home and working lives are increasingly blurred, as the pandemic has led to more flexible working approaches. With staff engaging with unfamiliar technology, attending online meetings, communicating via apps and using new ways to access and share information, it’s more important than ever that organisations don’t overlook obligations to protect personal data. What’s more, research has found that employees are often an employer’s greatest risk when it comes to data breaches. In line with Data Privacy Day on 28 January, this briefing acts as a reminder for the new year to make safeguarding personal information a priority.

 

Remote working and the knock-on effects on data loss are here to stay – and it’s a concern for IT leaders. According to the Egress report Insider Data Breach Survey 2021, 56% believe remote working has had a direct impact on human error incidents in the past 12 months, and 54% believe it will make preventing breaches harder in the future. It is vital to ensure that the technologies relied upon so heavily to continue operations are secure, adhere to appropriate standards of data protection and are used in a manner that is acceptable and mitigates the risk of unauthorised access to, or leakage of, personal data.

Morgan O’Neill, Director of Data Protection Services at Thorntons, has produced an in-depth guide setting out some tips for organisations to consider when operating under a homeworking model. These are summarised below:

1. Use of video conferencing and chat applications
When deciding which video-conferencing or chat software to use, choose a supplier you can trust, as well as considering cost and ease of use. Conduct a due diligence exercise on new suppliers and complete a Data Protection Impact Assessment (DPIA) to ensure that you have considered any data protection risks.

2. Keeping devices and accounts secure
It’s important to make sure that access to your employees’ devices and accounts is secure:

  • Ensure that software and antivirus updates (including iOS/Android updates) are installed on electronic devices used for work.
     
  • Avoid allowing staff to use personal phone numbers and email accounts for work purposes. If this is unavoidable, tell employees who must use a personal email account for work purposes to do so with caution, particularly when it is used to share personal data.
     
  • Remind staff to lock their screens when devices are unattended.


3. Issue clear homeworking guidelines to staff
Once you have chosen your supplier(s) and identified the standards you wish your staff to comply with to ensure the security of your data, communicate these expectations to your workforce in the form of a Working from Home Policy. Ensure any expectations are reasonable, taking into consideration the sensitivity of the data and the resources employees will have at home, e.g. not everyone will have a shredder to dispose of information.

4. Protecting physical copies of personal data
It may be necessary for your staff to take copies of personal data home. This should be limited wherever possible. However, if this is necessary, we recommend that your organisation keeps a record of the documents your staff remove from the office to track all data and ensure nothing is misplaced. Remind employees to keep physical records out of view of other members of the household and secure them in a drawer or cupboard when not using them.

Read Morgan O’Neill’s full guidance here.

Document security
Sixty-six per cent of homeworkers admit to printing work-related documents since they began working from home, meaning confidential information and data is at higher risk of a breach. There are steps employers can take to improve document security outside the office. Shredding and Records Management company Go Shred offers the following tips:

1. Understanding what is confidential
When it comes to confidential information, it’s important to consider the General Data Protection Regulation (GDPR). The GDPR exists to place legal obligations on the control and processing of personal (and sensitive) data by businesses, organisations and the government. At its core, GDPR concerns the ‘integrity and confidentiality’ of personal and sensitive data. When thinking about how to keep information and documents secure when working from home, it’s worth going back to basics and speaking to employees about the types of data processed within your organisation.

The main types of documents whose security you need to consider improving are those that contain personal and sensitive data about customers, the business and each other.

For businesses, both online and paper-based data breaches can result in hefty fines – up to 4% of annual turnover under the GDPR. In certain cases, prison sentences can be imposed. A confidential waste disposal policy should form part of a business' records management policy. If employees are clear about how to handle confidential waste, security breaches will be much less likely.

2. To print or not to print
Interestingly, 41% of homeworkers recently stated they are aware of the GDPR rules and regulations around printing confidential documents related to work outside the workplace, but they have no choice other than to print at home. The poll also revealed that homeworkers are printing five documents every week on average. 

Businesses need to be aware that printing anything from meeting agendas to expense forms, CVs and internal documents could put them at risk of breaching GDPR regulations. Business leaders should consider how they can work with their existing confidential waste management companies to support the correct disposal of these items.

3. Secure storage
Where the printing of documents containing confidential information is unavoidable, the physical documents need to be secured safely. This means they must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.

With regard to personal data, Article 5(1)(e) of the GDPR clearly lays out the principle of ‘storage limitation’, and says personal data should only be kept for as long as is necessary to fulfil the purposes for which the data is being processed.

It’s advised that businesses review their existing GDPR guidelines and refresh these based on the risks faced when working from home. Staff should be encouraged to only store information they have printed in secure locations that cannot be accessed by anyone other than themselves. Printed documents should not be left in plain sight or even read in clear view of anyone outside the organisation.

4. Confidential waste bins
If sensitive documents need to be disposed of, this also needs to be done securely. They should be shredded or placed in a confidential waste bin. In order to keep this information safe, all confidential waste must be disposed of, collected and then destroyed separately, before it can be recycled.

If businesses have supplied their staff with confidential waste bins for their home offices, they should then be collected and sealed in security bags prior to shredding or collection by a waste contractor. 

For more tips on keeping documents safe when working from home, visit Go Shred.