During the coronavirus pandemic, many businesses have had to rely on IT solutions to enable them to move to remote working and many will not be moving back to full-time office-based working soon or, perhaps, ever.

Despite this being an unprecedented situation, the legal obligations of a business have not changed, and this includes the obligation to comply with data protection law.

The Data Protection Act 2018 (DPA) requires those processing personal data to implement appropriate technical and organisational measures to ensure the appropriate security of that data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

To ensure compliance, businesses that are operating a remote working model should be thinking carefully about the measures they have implemented for staff, to ensure the security of personal data.

A good way to determine what potential vulnerabilities the business faces would be to conduct a risk assessment.

Below is a non-exhaustive list of checks to perform now to determine whether your IT system/practices are vulnerable to risks that could put you in breach of the DPA:

  • Policies: Do you have clear policies, procedures and guidance for staff working remotely, setting out rules on how personal data can be accessed, stored and disposed of?
  • Version: Are you using the most up-to-date version of your remote access solution, with security patches applied?
  • Passwords: Are your staff using password-protected systems and is there an obligation on them to use complex passwords? Note that there is an increased risk of unauthorised persons (e.g. family members) viewing confidential information when walking past a laptop screen, whilst your employee is working from home.
  • Cloud storage: Are you using cloud storage to prevent staff from storing data on their own devices? If yes, is that cloud storage adequately protected? Under the DPA, personal data should only be shared on a need-to-know basis. If not all of your staff need access to the data held in cloud storage, you should restrict it so that only relevant staff have access.
  • Remote desktop: Remote access solutions can be vulnerable to attack, so you should restrict remote access connections to only those members of staff who require them. You should also ensure that account lockouts are in place that disable the account after a certain number of failed logins.
  • Emails: Are staff advised to use their business email accounts and not their own personal email or messaging accounts for storing or transmitting personal data? What guidance do you have in place around spotting and avoiding phishing attacks?
  • Bring your own device: If staff are allowed to use their own laptops/PCs, you should take action to minimise the risk of personal data being damaged, lost, corrupted or unlawfully accessed. For example, have you checked to see that the staff member is using up-to-date software and has antivirus software installed? Is the data on their laptop encrypted or can it be easily moved to insecure storage facilities (such as USB sticks)?

It is important that you comply with the DPA at all times, not just when your staff are working in the office. As remote working will inevitably increase the risk of a data breach, you should:

  • implement mitigation methods to avoid data breaches;
  • ensure guidance around how to keep personal data secure when working from home is issued to all relevant staff; and
  • make staff aware of how to: (a) identify a personal data breach; and (b) notify you of the data breach.

Please note, the information included in this update is correct at the date of publishing.

Should you require any further information on complying with the DPA, or updating your existing policies and procedures to ensure they provide suitable guidance for remote working, please call us on 01332 226 130 or complete the form below.
