The publication of this article coincides with the relaxation of Covid-19 restrictions, a gradual return to work and a proposed right to request remote working in certain circumstances. It is widely accepted that hybrid working is part of a new norm in Ireland and beyond.
In this article, we consider the data protection issues that arise when working from home.
As highlighted in a recent article in the Irish Times, the transition to an increased remote working culture, and the security challenges that go with that, has greatly increased the attack surface for cybercriminals.
Where remote working exists, in order to adequately and confidently meet the challenge of cyber-crime and other more routine data breaches, data security both at work and in remote locations must be robust and consistent. This security extends also to contract workers or other atypical workers who may have temporary, authorised access to systems.
The Data Protection Commission (“DPC”) has helpfully identified some of the key security and practical data protection considerations for remote working in recent guidance:
1. Check the Security of Equipment Transfers
Employers may need to send workstation equipment to employees (especially new hires) and as such will need to provide the IT and logistics department (and perhaps third-party delivery service providers) with employees’ addresses. The employee needs to be informed in advance that the department will be sending out the equipment and using their home address (their personal data) to do so, on the basis that the employer has a legitimate business need and therefore a legal basis for data processing.
2. How Secure is Employee Wifi and Systems Access?
Another consideration is that of the security of any employee monitoring in the remote context and activity on employer-owned IT equipment and/or over employer networks. Any such monitoring must firstly be justified on the basis of strict necessity and proportionality. Employers must adhere to the principle of data minimisation. Any monitoring or surveillance must not be excessive and must be flagged in advance to employees, typically in an employee privacy statement. When employees return to the office, any new employee monitoring introduced during the pandemic should be reviewed and ceased where a lawful basis for it no longer exists.
3. Protection of Hard Copy Data in an Employee's Home
If employees are handling physical files and papers containing personal data from their home or remote workspace, ensure they are aware that data protection and confidentiality also applies to these. They must take steps to protect the confidentiality of these papers and store them securely when not being used and destroyed appropriately when no longer needed.
4. Conduct Regular Technology Updates
Ensure all IT devices are routinely secured, encrypted and updated by your IT department and such efforts are recorded.
5. Regular Employee Training on Cyber Crime
Employees also need to be reminded of the applicable policies in your organisation around the use of email. Employee awareness campaigns and training sessions on email etiquette should include reminders on:
- Avoiding using work email for personal matters;
- Ensuring employees are sending an email to the correct recipient, particularly when the email contains a lot of personal or special category (sensitive) data;
- Warning of the dangers of accessing work information over public networks which are not secure and can easily be intercepted; and
- The steps involved in your internal data breach notification procedure, as employees are often the key.
For further assistance in relation to data protection and employment issues that arise in the context of remote working, please contact Deirdre Crowley,
Eimear Boyle or any member of Matheson’s Data Protection, Privacy and Cyber Security Team.