Many companies have had to allow more employees to work remotely from home in order to control and prevent the spread of COVID-19.
An employer has the responsibility for ensuring that the following measures are implemented and communicated to their team.
• Ensure that you have a Remote Working Policy in place.
• Ensure the policy contains information in relation to Data Security and GDPR, such as the following:
Data Security and GDPR
The employee is responsible for keeping documents, sensitive business data and other work-related materials confidential and secure in the home-office location. The employee must comply with GDPR guidelines (found in the Employee Handbook) on the proper use of information technology. Your home laptop/computer will be assessed for security purposes and relevant anti-virus software may be installed.
• Ensure a remote working risk assessment is completed with each employee.
• Continue to monitor the health and safety impact of the pandemic and any health and safety risks for remote workers.
In line with guidance from the Data Protection Commission, the following should be considered:
• Take extra care that devices, such as USBs, phones, laptops, or tablets, are not lost or misplaced.
• Make sure that any device has the necessary updates, such as operating system updates (like iOS or Android) and software/antivirus updates.
• Ensure your computer, laptop, or device, is used in a safe location, for example where you can keep sight of it and minimise who else can view the screen, particularly if working with sensitive personal data.
• Lock your device if you do have to leave it unattended for any reason.
• Make sure your devices are turned off, locked, or stored carefully when not in use.
• Use effective access controls (such as multi-factor authentication and strong passwords) and, where available, encryption to restrict access to the device, and to reduce the risk if a device is stolen or misplaced.
• When a device is lost or stolen, you should take steps immediately to ensure a remote memory wipe, where possible.
• Follow any applicable policies in your organisation around the use of email.
• Use work email accounts rather than personal ones for work-related emails involving personal data.
• If you have to use personal email, make sure contents and attachments are encrypted and avoid using personal or confidential data in subject lines.
• Before sending an email, ensure you are sending it to the correct recipient, particularly for emails involving large amounts of personal data or sensitive personal data.
Cloud and Network Access
• Where possible only use your organisation’s trusted networks or cloud services and comply with any organisational rules and procedures about cloud or network access, log in and data sharing.
• If you are working without cloud or network access, ensure any locally stored data is adequately backed up in a secure manner.
• It’s important to remember that data protection applies not only to electronically stored or processed data, but also to personal data in manual form (such as paper records) where it is, or is intended to be, part of a filing system.
• Where you are working remotely with paper records, take steps to ensure the security and confidentiality of these records, such as by keeping them locked in a filing cabinet or drawer when not in use, disposing of them securely (e.g. shredding) when no longer needed, and making sure they are not left somewhere where they could be misplaced or stolen.
• If you’re dealing with records that contain special categories of personal data (e.g. health data) you should take extra care to ensure their security and confidentiality, and only remove such records from a secure location where it is strictly necessary to carry out your work.
• Where possible, you should keep a written record of which records and files have been taken home, in order to maintain good data access and governance practices.
More employers are having to use video conferencing as a means to communicate with their employees during the pandemic. It is important that this is done in a safe and secure manner that also ensures an adequate standard of data protection. Here are some tips from the Data Protection Commission for employers on how to use video conferencing in a safe manner.
Tips for Employers
• Employees should be using your contracted service providers for work-related communications. Ensure you are happy with the privacy and security features of the services you ask them to use. Ad-hoc use of apps or services by individuals should not be encouraged.
• Try to ensure that employees use work accounts, email addresses, phone numbers, etc., where possible, for work-related video-conferencing, to avoid the unnecessary collection of their personal contact or social media details.
• Make sure that clear, understandable, and up-to-date organisational policies and guidelines are provided to those using video-conferencing, so they know what rules to follow and steps to take to minimise data protection risks. This should include information on the controls the services provide and that are available to them to protect their security, data, and communications.
• Implement, and/or advise employees to implement, appropriate security controls such as access controls (such as multi-factor authentication and strong unique passwords) and limit use and data sharing to what is necessary.
• Where video-conferencing services need to be used for organisational reasons, have a consistent policy regarding which services are used and how, and offer them through a Virtual Private Network (VPN) or remote network access where possible.
• Avoid sharing of company data, document locations or hyperlinks in any shared ‘chat’ facility that may be public as these may be processed by the service or device in unsafe ways.