Clarkslegal Law Bites

Protecting data when working remotely

Clarkslegal

In this podcast Melanie Pimenta and Jacob Montague, solicitors in the Data Protection team at Clarkslegal, discuss some of the issues surrounding data protection and hybrid or remote working. Since the pandemic, remote and hybrid working have become the new normal, and this raises some interesting questions on data protection and how organisations can make sure data is protected whilst employees are working from different locations.

Mel 0:04  
Hi, I'm Melanie Pimenta, and I'm joined by my colleague Jacob Montague. We're members of the Data Protection Team at Clarkslegal. Today we're going to discuss some of the issues surrounding data protection and hybrid or remote working.

Mel 0:21  
Hybrid and remote working arrangements were unheard of for many organisations prior to March 2020. But since the pandemic these arrangements have become the new normal, and this raises some interesting questions on data protection, and how organisations can make sure personal data is protected when individuals are working from different locations.

Jacob 0:46  
Yes, because the largest cause of data protection breaches is still human error. And it seems likely that the more employees working off site or on personal devices, the greater the risk of there being less regulation and of data breaches occurring.

Jacob 1:02  
Most businesses process personal data, and will have responsibilities as data controllers under data protection legislation. These obligations remain the same irrespective of whether employees work in or outside of the office. So let's look at the kind of data protection issues that could come up here in more detail.

Mel 1:24  
Well, one of the seven data protection principles is integrity and confidentiality. And this essentially means that personal data must be processed in a manner that ensures appropriate security through the use of technical and organisational measures, including protection against unauthorised or unlawful processing, destruction or damage. This is becoming one of the big issues for home and hybrid working. In the office, employees can generally control what is taken off site, provide locked cabinets, shredding facilities, and encrypted devices or systems. However, questions are raised as to how employees can ensure security is maintained at an employee's home or on their personal devices if they are using these instead of company property.

Jacob 2:15  
And that's a difficult thing about this area, isn't it? Because it will be harder for employers to ensure that their staff are safeguarding data when they are not working in the office or workplace. So now, what are the practical steps employers can take?

Mel 2:31  
Well, employees can take the following steps to ensure that data is safeguarded. So first of all, you should conduct a data protection impact assessment to assess and minimise the risks. If this risk assessment identifies a risk, take action to remove this and make sure that any new policies or procedures are communicated to staff. For example, many firms will move away from paper files for remote workers to help protect against data breaches. And if so, staff will need to be updated on this and advised on the correct procedures. Ensure all staff who process personal data are aware of their responsibilities and are trained in data protection, and that this training is refreshed and updated regularly. It would also be helpful for staff to know how to spot and deal with potential risks, for example phishing attacks, malware and ransomware, and to understand how to report a data breach so that the risk can be minimised. You'd also want to ensure that employees only use devices supplied by the employer where possible. And where this is not possible, implement any security measures necessary, such as encryption and password protection for devices.

Mel 3:50  
Do not mix an employee's personal information with an employee's data. So if individuals are using their own devices, you may need to have measures in place to clearly distinguish these types of data, such as a secure company app. Also have clear policies on data protection procedures and ensure that these are updated. For example, employees need to know who to notify if there has been a potential breach to comply with mandatory breach notification requirements, and how long to retain certain documents. And then finally, use appropriate technology to keep data safe. For example, management technology to restrict access to data, encryption, filters and anti-malware software, patch testing, multi-factor authentication and regularly updating software.

Jacob 4:47  
Thanks, Mel. I think that's really helpful and I can see the key aspect and aim here is to ensure that a positive data culture is embedded in the business so that protecting personal data is taken seriously by staff.

Mel 5:01  
Yes, I agree. So given that hybrid and remote working may have blurred the parameters of data protection, and this type of working could be here to stay, what other issues do organisations need to be aware of? And what steps would you suggest that employers take in the long term regarding these?

Jacob 5:23  
Well, I think it's important to look at an employer's obligations in order to answer this question. Data protection legislation refers to the following principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Let me go through these in more detail, as I take you through some of the issues and practical steps employers can take.

Jacob 5:52  
Data must be processed lawfully, fairly and with transparency. As part of this, employers should have already implemented a data privacy notice that provides data subjects with information about their processing activities. This will need to be updated to reflect any changes to processing activities resulting from hybrid and remote working.

Jacob 6:16  
Furthermore, employers should avoid a blanket access to everything approach, and they should balance the requirement for staff to work remotely with appropriate data access and security, particularly to avoid data breaches. This also helps with compliance with other data protection principles, such as the purpose limitation and data minimization principles, which impose duties on organisations to only use personal data for the collected purpose and to limit data processing to only what is necessary.

Jacob 6:50  
Employers should consider storing data centrally and discourage local storage of data. This has the practical benefit of ensuring others can access this, for example if a team member is on leave. However, once again, organisations need to consider the data minimization principle and ensure data is only shared when necessary, and not to a wider audience that does not require access.

Jacob 7:17  
Storing data centrally will also help an organisation to monitor this data and ensure it is accurate and kept up to date as needed. It will also help with another data protection principle, storage limitation. This requires organisations to keep data for as long as is necessary. Employers are likely to have more control over this if the data is stored centrally.

Jacob 7:42  
As we have mentioned, employers must ensure the integrity and confidentiality of data and, to assist with this, employees should regularly review their security standards. Employers should ensure that they have minimum security standards in place for remote devices, such as disk encryption, strong passwords, and a VPN for internet connections, and encourage staff to use privacy screens.

Mel 8:09  
Thanks for that. And I would just add here that I cannot stress enough the importance of ensuring training for staff is regularly updated and rolled out to the workforce, whether this is in person or virtually, and that staff are aware of such policies and procedures. Even if an organisation goes to a lot of time and effort to implement really good working practices, these won't be enough if its workforce are unaware of the correct procedures to follow. Many employers are implementing hybrid working policies, setting out the procedures expected, such as password setting, locking screens when away from desks, or locking away confidential paperwork.

Jacob 8:53  
Where there are more difficulties with seeing employees and colleagues in person by working remotely, it is important that the data protection officer and any compliance needs remain visible and approachable to staff. People responsible for data protection and compliance still need to be the go-to people for help and support. Regular communication will be key to maintaining such visibility. In addition to training, it will be important to ensure that data management remains at the forefront of employees' minds. And this could be done using other internal communications channels, such as an e-newsletter or the intranet.

Jacob 9:32  
Finally, accountability is another data protection principle which requires organisations to be able to demonstrate compliance with data protection.

Jacob 9:42  
All of the steps we've discussed will assist organisations with this, and records should be kept to evidence any measures that have been taken.

Mel 9:52  
It's an interesting point regarding those with responsibility for data protection remaining invisible to employees.

Mel 10:00  
So Jacob, do you think that by employers taking such measures we will see the number of data breaches being reduced?

Mel 10:10  
Well, I think that human error is difficult to predict. However, by taking such measures to educate the workforce, and reinforcing the importance of dealing with personal data, it means that the likelihood of data breaches being committed can be reduced. Remaining visible to employees and having clear policies and procedures also means that where there are any data breaches, they are reported to the appropriate person and the business as soon as possible, and steps can be taken immediately to mitigate any risks. This would be particularly important to demonstrate if the breach reached the threshold to be reported to the regulator and data subjects.

Jacob 10:52  
I agree that those are important considerations, particularly where the ICO has previously issued large fines to those businesses who have failed to comply with data protection legislation. I think that hybrid and remote working has shown overall that, despite the difficulties with monitoring your staff, the same standards still apply in regard to compliance with data protection if employees are working on a hybrid or remote basis. It also shows that sometimes employees are having to take further steps to ensure the safeguarding of personal data. But this is critical for ensuring data protection compliance. A key aspect is ensuring that those staff with responsibility for data protection maintain their visibility within the workforce, to ensure that data management is kept at the forefront of employees' minds in order to reinforce best practice and reduce the occurrence of data breaches.

Mel 11:51  
So if your organisation needs any support with anything we have mentioned here today, you can contact our data protection team via email,

Mel 12:01  
at contact at clarkslegal.com, or find us via our website, clarkslegal.com.

Jacob 12:08  
Thank you for listening to this podcast.