By Deborah Margolis - 30 April 2020
Data security is a hot topic. As always.
Even if working from home becomes the new normal, the same standards of data security apply in employees’ homes as in the traditional office environment. When employees’ homes double as office space, there are a number of potential risks. These may be an unintended (and not deliberate) consequence of the times we find ourselves in, but that doesn’t change the risks you may be exposed to if something goes wrong.
What are employers required to do?
Employers will be required to protect their customers’ and employees’ personal data under data protection laws. Additionally, employers will have contractual obligations of confidentiality to their customers.
Although employees are often bound by contract and policy to look after their employer’s confidential information and employer-controlled personal data, this is unlikely in practice to be enough to ensure that employers are meeting the requirements above. As a quick acid test, ask a random sample of your employee population if they have read your data protection policy; this may return stark results as to how ‘data security literate’ your workforce is.
In practice, to ensure the requirements are met, employers should consider giving more explicit guidance to employees who handle confidential or personal data as to what is expected of them, for example:
These are challenging times and, as we adapt to the new way of working, employers should think about what their expectations are for staff, and communicate these clearly and sensitively during this period.
There has been some good news for employers in this space. First, the Information Commissioner’s Office has said that it will apply a “flexible and pragmatic approach” to enforcement during the crisis. As reassuring as this sounds, we caution against relying on this to cut corners, as this guidance provides no legal guarantee that an individual organisation will be treated any more favourably in months to come.
Further, employers breathed a sigh of relief after the Morrisons case a few weeks ago, which upheld that an employer was not liable for a rogue employee’s wrongdoing. In that case, the court found that the wrongdoing was not closely connected to what the employee was authorised to do and could not be regarded as done by him while acting in the ordinary course of his employment. Morrisons was found not to be liable for his actions. Again, this good news must be treated with caution. The Morrisons case actually demonstrates the amount of damage that can be caused by an employee’s deliberate (or even accidental) lack of regard for confidentiality or data security. In that case, Morrisons spent over £2 million remedying the issues that were caused by an employee’s action.
In conclusion, employers should take practical steps to enforce good data protection practices with their employee population to manage the risk of a breach (or accidental disclosure) of personal information.