With so many issues for businesses to take into account during this ongoing pandemic, it can be easy to forget about matters which sometimes slip down the priority list at the best of times – data protection, confidentiality, and cyber security.
Now that most businesses are moving from relatively safe and secure offices to operating from multiple locations, namely the homes of their employees, where the business has little control, it is more important than ever for businesses to ensure that these matters are considered.
Diane Yarrow, Corporate Commercial Partner at Gardner Leader Solicitors, has outlined five key considerations for employers below.
- Appoint suitable personnel to be responsible for compliance matters. Now could be a good time to give people responsibility for key compliance areas. If you do not already have a data protection manager, an IT manager, or an HR manager, consider whether it would be good to have someone taking the lead on these areas. Smaller companies can combine these roles: for example, in a general compliance manager. As policies evolve, employers should update employees through these managers and encourage employees to feed back any issues so that these are monitored consistently and effectively.
- Ensure that employees think about how they treat and process personal data. It is vital to ensure that all sensitive information is kept secure regardless of whether it is on a personal or work device. The National Cyber Security Centre recommends companies consider encryption and the possibility of remotely wiping devices to keep information secure.
- Data breaches are not just digital. Employers should ensure that employees continue to take into account confidentiality obligations and take appropriate measures to protect personal data both at, and in transit to, the employee’s home. If possible, encourage paperless working so that physical documents containing confidential information are not taken home; if paperless isn’t possible, remind people not to leave paperwork at home in an unsecured environment. Employers may wish to consider keeping a record of all physical documents removed from and returned to the office.
- Employers have to consider carefully how they are handling their own employees’ data, especially within the context of monitoring their work. Even home IP addresses can be personal data and it can be difficult to monitor employees on a truly anonymised basis. Caution must be exercised if sharing information on employees who are exhibiting symptoms, as health data is a special category of data and subject to a necessity test. The ICO state that, while you can keep staff informed of cases within the organisation, you cannot name the sick employee while doing so.
- The tremendous sea change which businesses are facing is proving to be prime ground for cyber criminals. The National Fraud Intelligence Bureau has recorded a 400% increase in reported cases of fraud related to the Coronavirus, and employees at home might be especially vulnerable to cyberattacks and phishing scams. Employers should identify where systems and processes may be vulnerable to cyberattacks and new threats of fraud. Remind your employees to stay alert and look out for emails and other communications which are not what they appear to be.
If you would like advice on how to implement effective procedures that mitigate data protection, confidentiality, and cyber security issues, or if you have any other issues which we can help with, please contact me directly.