Tips for Maintaining Data Security When Working from Home

Working from home has many advantages, but it also requires vigilance around data and device safety. Employers need to ensure that their clients’ data is protected and resilient outside the security of the workplace. Although work circumstances have changed dramatically for employers and employees the basic premise of GDPR still remains intact when it comes to working and ensuring that your clients’ personal data in safeguarded and securely processed.

As an employer, you must be transparent about how you are using and protecting your clients’ personal data, inside and outside of your company. Now more so than ever, you need to be vigilant and accountable for your data protection and processing activities and be able to show how you meet data protection principles.

Within any GDPR audit, you would already have made an inventory of the personal data that you hold. You should again check it under the following criteria to ensure that you have the required consent and legal basis to process this data:

• Why are you holding it?
• How did you obtain it?
• Why was it originally gathered?
• How long will you retain it?
• How secure is it, both in terms of encryption and accessibility?
• Do you ever share it with third parties and on what basis might you do so?

Please also reference Brokers Ireland GDPR section of the website for full advice, guidance and template policies and procedures for members.

The Data Protection Office have issued practical advice on knowing your obligations and on how employees can maintain appropriate levels of data security when working from home. It relates to the use of devices, email protocol and cloud and network access. The DPC have also reminded organisations that the processing of personal data, including measures to contain the spread and mitigate the effects of COVID-19, must remain necessary and proportionate to the aims of, processing under data protection laws.

It remains a principle under GDPR that if organisations can reasonably achieve the purposes of their processing in other less intrusive ways (or by processing less data), there may not be a lawful basis under GDPR for the processing.

Below are some tips (Data Protection Office) to keep personal data safe when working away from the office (see graphic).  Employees working remotely should be asked to confirm that they have read and understood this guidance and should also be provided with copies of their employers’ data security policies.

DEVICES

• Take extra care that devices, such as USBs, phones, laptops, or tablets, are not lost or misplaced,
• Make sure that any device has the necessary updates, such as operating system updates (like iOS or android) and software/antivirus updates.
• Ensure your computer, laptop, or device, is used in a safe location, for example where you can keep sight of it and minimise who else can view the screen, particularly if working with sensitive personal data.
• Lock your device if you do have to leave it unattended for any reason.
• Make sure your devices are turned off, locked, or stored carefully when not in use.
• Use effective access controls (such as multi-factor authentication and strong passwords) and, where available, encryption to restrict access to the device, and to reduce the risk if a device is stolen or misplaced.
• When a device is lost or stolen, you should take steps immediately to ensure a remote memory wipe, where possible.

EMAILS

• Follow any applicable policies in your organisation around the use of email.
• Use work email accounts rather than personal ones for work-related emails involving personal data. If you have to use personal email make sure contents and attachments are encrypted and avoid using personal or confidential data in subject lines.
• Before sending an email, ensure you’re sending it to the correct recipient, particularly for emails involving large amounts of personal data or sensitive personal data.

CLOUD & NETWORK ACCESS

• Where possible only use your organisation’s trusted networks or cloud services and complying with any organisational rules and procedures about cloud or network access, login and, data sharing.
• If you are working without cloud or network access, ensure any locally stored data is adequately backed up in a secure manner.

ENCRYPTION

• Encryption is the process of encoding information stored on a device and can add a further useful layer of security. It is considered an essential security measure where personal data is stored on a portable device or transmitted over a public network. As with passwords, this measure is pointless unless the key to decrypt the data is kept secure.
• The key should meet the standards of complexity required for passwords. In view of the rapid rate of technological development, it is not possible to be prescriptive about the standard of encryption that would ensure that data is inaccessible to unauthorised individuals. See the DPO’s full recommendations on encryption steps.

PAPER RECORDS

• It’s important to remember that data protection applies to not only electronically stored or processed data, but also personal data in manual form (such as paper records) where it is, or is intended to be, part of filing system.
• Where you are working remotely with paper records, take steps to ensure the security and confidentiality of these records, such as by keeping them locked in a filing cabinet or drawer when not in use, disposing of them securely (e.g. shredding) when no longer needed, and making sure they are not left somewhere where they could be misplaced or stolen.
• If you’re dealing with records that contain special categories of personal data (e.g. health data) you should take extra care to ensure their security and confidentiality, and only remove such records from a secure location where it is strictly necessary carry out your work.
• Where possible, you should keep a written record of which records and files have been taken home, in order to maintain good data access and governance practices.

VIDEO-CONFERENCING

• Concerns have also been raised about how to use these technologies to keep in touch with colleagues in a way that is safe and secure, and ensures an adequate standard of data protection. The attached tips are designed help organisations use these services in a safe manner READ RECOMMENDATIONS

Other reading resources and useful references to help support employers in protecting personal data include:

• Data Protection Commission (DPC) “Protecting personal data when working remotely”
• Byrne Wallace Guidance – Key Data Protection issues for organisations to consider
• Citizens Advice Bureau – Data Protection in the Workplace
• Enterprise Ireland – Covid-19 An Employers Guide
• Irish Times Article – Working from home: How to keep your data safe
• COVID-19: Data Protection Issues in the Employment Context – Mc Cann Fitzgerald
• Coronavirus and Data Protection – Four Points for Employers – Mc Cann Fitzgerald
• Data Protection Guidelines When Working from Home – Leman Solicitors

If you have any further queries in relation to GDPR or data protection guidelines, please see Brokers Ireland Members Section on the website or email us at compliance@brokersireland.ie.

Disclaimer Notice: these articles are provided for convenience and informational purposes only they do not constitute an endorsement or an approval by Brokers Ireland