Data Protection and Working From Home: Is it Safe?
Working from home is quickly becoming one of the most influential liberties that an employer can offer an employee. The opportunity of flexibility and freedom can be on par with pay and benefits in terms of pull factors to a position of employment. However, working from home lends itself to some industries more easily than others. Companies that work with sensitive data will have some GDPR considerations before offering their staff the opportunity to work from home. With a hybrid work force now being implemented in the UK and around the world on a scale like never before, it begs the questions; Is sensitive and protected data still being protected as it would be in the office? Are there any oversights in terms of data protection and working from home? And what additional contingencies should be in place out to ensure GDPR legislation is being carried out thoroughly and effectively?
The Information Commissioner’s Office publishes up to date guidance on data protection while working from home to aid organisations with remaining compliant with data protection laws, where they outline a useful checklist for the key affected areas:
General Principles
- Have clear policies, procedures and guidance for staff who are remote working. These include topics such as accessing, handling and disposing of personal data.
- Use the most up-to-date version of the remote access solution.
- Staff should be reminded to use unique and complex passwords.
- Where multi-factor authentication is available , ensure it is utilised.
Personal Devices
- Using company issued devices: This is generally the most secure option.
- Using personal devices but accessing company software: This is a more cost-effective option, although comes with some additional security risks.
- Using personal devices and software: This approach has the highest security risk and should be avoided for all work involving protected data ideally.
Cloud Storage
- Cloud storage should not be set to ‘public’ or ‘accessible’ without a username or password (or other type of authentication).
- Only key staff should been given full access to the storage area. All other staff should be given read, write, edit or delete permissions, where appropriate.
- Avoid using any default root or administrative accounts for any day-to-day activities, and ensure they are appropriately secured.
Remote Applications
- Remote application solutions should not allow access to Windows administrative tools such as PowerShell or Command Prompt.
- Remote application solutions should not allow access to shortcut keys or help keys that could be used to open non-authorised applications or features.
- Plain text usernames and passwords should not be included in any files, folders or scripts.
Emails
- Review and implement the NCSC guidance on defending against phishing attacks.
- Block the ability to add forwarding rules to external email addresses or have a method in place to detect forwarding rules.
- Advise staff to use corporate email solutions and not rely on their own email or messaging accounts for the storage or transmission of personal data.
The Risks
It is always important to follow procedures when working with protected data, both at home or in the office. However, as we learn more about where the risks are likely to come from in our own home or out of the office, it is important to protect ourselves proactively.
One of the key areas is the interference that fast-paced social media can have on data security, particularly within the younger WFH workforce. New, but popular, photo sharing app “BeReal”, launched in 2022 but has had more than 27 million downloads since then (as of September 2022). The idea of this social media is that you must share a picture of what you are doing whenever the app notifies you to get a snapshot of your day. The spontaneity of this app has no doubt lead to data protection compromises across the globe. Emma Green, data protection expert and managing partner at Cyber Data Law Solicitors, has expressed the dangers of this; “Firstly, you will more than likely be breaking data protection laws if there’s any personal data on those screens.” This means that any data that is shared on your work screen (even if it is just amongst close friends!) from email addresses to colleagues’ names is technically a breach of the law (‘BeReal: Can my post get me in trouble at work?’ BBC 2022).
It should be noted that young people on social media are not the sole threat on data protection while working from home. These threats can range from the following:
- Not following your organisations GDPR policies
- Using shared or public devices (or even using devices in public areas)
- Not considering confidentiality when holding screen conversations
- Not taking care with handouts
- Mixing your organisations data with your personal data
- Not keeping your device(s) in a secure place
- Not being careful with websites or links
- Having weak passwords
- Communicating outside of communication facilities provided by your organisation
- Out of date software
What do we do here at the Survey Initiative to protect our data?
Here at The Survey Initiative, it is very important that we are up to date and ‘on-the-ball’ with our GDPR procedures. Although we don’t process high-risk data, e.g. credit card information, home addresses etc, we do process protected characteristics. This can include names, job titles, email addresses, ethnicity, gender and other protected and identifiable characteristics. We do facilitate hybrid working here at TSI and so we adhere to data protection guidelines and legislation. We have up-to-date processes and methodologies to be certain of data security and clarity of GDPR compliance. Furthermore, we implement a number of IT practises to ensure data security, ranging from secure password protected servers, 2-factor authenticity and penetration testing.
For all the latest GDPR guidelines and laws it is important to stay up to date with the Information Commissioner’s Office: