By Deborah Margolis - 30 April 2020
Data security is a hot topic. As always.
Even if working from home becomes the new normal, the same standards of data security apply in employees’ homes as in the traditional office environment. Especially when employees’ homes double as the office space there are a number of potential risks. These may be an unintended (and not deliberate) consequence of the times we find ourselves in, but that doesn’t change the risks you may be exposed to if something goes wrong.
What are employers required to do?
Employers will be required to protect their customers’ and employees’ personal data under data protection laws. Additionally, employers will have contractual obligations of confidentiality to their customers.
Although employees are often bound by contract and policy to look after their employer’s confidential information and employer-controlled personal data, this is unlikely in practice to be enough to ensure that employers are meeting the requirements above. As a quick acid test, ask a random sample of your employee population whether they have read your data protection policy; this may return stark results as to how ‘data security literate’ your workforce is.
In practice, to ensure the requirements are met, employers should consider giving more explicit guidance to employees who handle confidential or personal data as to what is expected of them, for example:
- Requiring employees to use headphones, privacy screens and/or a separate workspace for particularly sensitive calls or work streams. Employees will often share their home (and by extension, their office space) with people who do not work for the same company and may possibly even work for competitors. This may give rise to confidential documents or conversations being easily accessible to others whom you would not normally allow into your office space.
- Clarifying rules around personal use of their computers, email and video-call facilities to avoid exposing the company to potential security risks. If necessary, impose these restrictions by blocking certain websites via your IT controls.
- Asking employees to ensure adequate disposal of hard copy confidential documents (e.g. shredding), which may involve providing shredders to employees where necessary.
- To reduce risk in the unlikely event of a break-in at their home, requiring employees to keep hard copy documents stored securely (ideally in a locked place) and reminding them of any requirements to lock computer screens or power down their computers at night for encryption purposes.
- Providing data security training refreshers to employees.
- Requiring employees to only use certain platforms for sharing information (the more platforms you use to share information, the greater the ‘surface area’ of attack you present to potential scammers).
These are challenging times, and as we adapt to the new way of working, employers should think about what their expectations are for staff and communicate these clearly and sensitively to staff during this period.
There has been some good news for employers in this space. First, the Information Commissioner’s Office has said that it will apply a “flexible and pragmatic approach” to enforcement during the crisis. As reassuring as this sounds, we caution against relying on this to cut corners, as this guidance provides no legal guarantee that an individual organisation will be treated any more favourably in months to come.
Further, employers breathed a sigh of relief after the Morrisons case a few weeks ago, which upheld that an employer was not liable for a rogue employee’s wrongdoing. In that case, the court found that the wrongdoing was not closely connected to what the employee was authorised to do and could not be regarded as done by him while acting in the ordinary course of his employment. Morrisons was found not to be liable for his actions. Again, this good news must be treated with caution. The Morrisons case actually demonstrates the amount of damage that can be caused by an employee’s deliberate (or even accidental) lack of regard for confidentiality or data security. In that case, Morrisons spent over £2 million remedying the issues that were caused by an employee’s actions.
In conclusion, employers should take practical steps to enforce good data protection practices with their employee population to manage the risk of a breach (or accidental disclosure) of personal information.