Coronavirus has meant an unprecedented number of businesses and organisations have been forced to confront and resolve the issue of facilitating remote/home working for their employees.
Prior to the pandemic, the Office of National Statistics reported that, from January to December 2019, of the 32.6 million people in employment, around 1.7 million people reported working mainly from home, with around 4.0 million working from home at some point in the week. Unsurprisingly, there is no data from the recent few weeks to confirm quite how this figure has changed, but it is clear that there has been a fundamental change in the way that many former office-based employees are now being required to work from home full time as a temporary measure.
In a response to a question about implementing homeworking during the pandemic period, it was noted by the Information Commissioner’s Office (ICO) that whilst data protection law does not prevent this (even where staff are using their own devices), employers will need to consider the same kinds of security measures for homeworking that are used in normal circumstances.
Alongside the considerable practical infrastructure needed to allow entire workforces to decamp to their homes, there are significant data protection implications when employees (especially in large numbers) work from home rather than at one office base. The employer as data controller will bear the weight of the responsibility for making sure that data that identifies living individuals (personal data) is used and stored appropriately. This responsibility does not diminish when employees are working remotely and in fact, the onerous nature of that burden will increase due to the increased potential for data breaches outside of the employer’s control to occur.
The primary legislation that an employer dealing with homeworking needs to bear in mind includes the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). In a nutshell, an employer must make sure that it has appropriate technical and organisational measures put in place to guard against the unauthorised or unlawful processing of personal data and against the accidental loss or destruction of, or damage to, personal data.
A traditional office environment inevitably comes with a raft of inbuilt security measures which all help to ensure that personal data is kept secure. This is not necessarily the case where individuals are working in their own homes and are more individually responsible for keeping personal data secure. Employers, therefore, need to make sure that they have well-drafted and clear homeworking policies in place which can provide employees working from home with specific information on their obligations (and those of their employer) in relation to data protection and confidentiality. These policies ought to detail the procedures which employees must follow when processing personal data at home and what is (and is not) authorised use of personal data.
Crucially, and given the potential increased risk of data security breaches when many employees are homeworking, any homeworking policy should make it clear what the employees ought to do in the event that a data security breach is suspected. This will involve clear reporting lines so that the correct individual within the organisation (for example the Data Protection Officer) can be informed immediately and (i) take steps to rectify the breach/minimise any damage and (ii) determine whether the breach is one that should be reported to the ICO and/or notified to any data subjects who may be impacted by the breach.
Given that employees working from home will inevitably need to have access to their employer’s internal data management systems, it will be critical for employers to try and ensure that only the employee will have access to the employee’s computer and personal data stored on it. Similarly, any remote working system ought to have robust password protection systems and where possible, allow the employee to encrypt or password-protect personal data. Security breaches are likely to arise where employees are using a shared (home) computer and therefore employers should look to provide the equipment the employee needs which can be strictly limited to use by that employee rather than the household more generally.
Aside from the personal data contained within the computer system, there may also be personal data contained in paper files which is likely to be far less secure stored within a home as opposed to an office block. Employers should certainly discourage paper files moving between office and home as much as possible but where it is essential that employees have access to such files, the employer ought to establish whether the employee has suitable systems for storage such as a locked filing cabinet.
Employers should also carry out a data privacy impact assessment of the data protection implications of employees working from home particularly if this is going to be in large numbers. A comprehensive data privacy impact assessment would cover many of the points raised above in relation to the security of data, access to the employer’s systems, the equipment used and the technology embedded in that equipment to help keep personal data safe.
The ICO has the power to directly impose significant fines on data controllers for serious breaches of the GDPR and the DPA 2018. For example, failing to notify the ICO of a breach when required to do so can result in administrative fines of up to EUR10 million or 2% of annual global turnover. Furthermore, violations of the data protection principles such as the integrity and confidentiality principle (which require organisations to take appropriate security measures against data breaches) are subject to fines up to EUR20 million or 4% of the annual global turnover.
Where there is a security breach which has arisen due to an employer’s failure to take adequate steps to protect the personal data it is responsible for, this is the type of scenario where the ICO may well move to impose a fine. Although the ICO remains responsible for determining what (if any) fine may be appropriate in the event that a data controller breaches the requirements of the GDPR and DPA 2018, if the employer can demonstrate that it has given careful consideration to the ways it will achieve data security (demonstrating data protection by design and default) then this will help to mitigate against the risk of the highest of those fines. Equally, if an employer can show that it has given its homeworking employees adequate (and regular) training and guidance on their obligations to safeguard personal data, this will all assist when “the worst happens” and a data security breach occurs.
For further advice on Coronavirus COVID-19 related employment queries please contact our dedicated Employment and HR Services team.