By Carol Tullo, OBE, Senior Consultant
For those who already work remotely all or part of the time, you or your employer [depending on whether you are self-employed, a freelancer or an employee] will have safeguards in place that enable you to operate securely when handling commercially sensitive data or third-party data belonging to others. The difference, in March 2020, is that organisations are having to move staff to homeworking at very short notice, often with literally hours’ notice, as the Government Covid-19 instructions are issued.
There are growing numbers of tips and survival guides online, so I offer the following points from our data privacy perspective.
This is all about your actions being proportionate and following processes that, if there were any issues such as a data loss, demonstrate that you had assessed the implications and mitigated them. There is limited guidance on the Information Commissioner’s website https://ico.org.uk/for-organisations/data-protection-and-coronavirus/ but they understand that resources might be diverted away from usual compliance or information governance work. They will not penalise organisations during this period. The ICO acknowledges that during the pandemic, staff can use their own device or communications equipment. Data protection law doesn’t prevent that, but they say “you’ll need to consider the same kinds of security measures for home working that you’d use in normal circumstances”.
Consider the following steps:
- Set out what use of data, contact lists and customer documents is being allowed.
- As part of this exceptional response to homeworking, keep a full record of where staff are working from and what equipment they are using.
- State that you have assessed the best way of ensuring homeworking efficiency and are proposing that personal devices and mobile phones can be used. State also that you will review this [weekly seems sensible at present] in line with experience and how staff report it is working.
- Reissue and emphasise your usual security arrangements: virus and password protection, not leaving data visible to others, having a PIN code, and not sharing devices with others in the family or household.
- Be aware of where data is being stored, even temporarily, so that the security risk is assessed and managed.
- For the weekly reviews, have your senior team note the number of staff using personal devices and any queries or issues they are finding, and demonstrate that you are monitoring the situation and are flexible in closing it down if any specific concerns arise.
- Choose your collaboration tool and consider recording online meetings and noting actions, especially where team members are geographically spread out and where broadband speeds and kit may vary in quality.
- You might also consider having a standard introduction for homeworking staff to explain that they are homeworking and not in the office so callers understand the position.
- This is where a nominated DPO or Data Officer can support the senior team in the messaging to colleagues.
If all this is documented in a log, and notes of the weekly reviews are maintained, then you have evidenced how you are mitigating the risks around this necessary homeworking stage. If there are any issues, move fast and escalate to the senior team or your manager.
It is the same work as always, just not in the place you usually do it! Your wellbeing, sense of isolation and opportunity to meet your colleagues virtually are very important as we navigate through these changes to our working pattern. Good luck and stay safe.
© Naomi Korn Associates, 2020. Some Rights Reserved. The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)