Data protection doesn't stop just because we are no longer all working in the confines of a corporate office. In this latest blog from CCL's data analytics and discovery team, Nick Nunekpeku shares some of the ICO's guidance and advice on best practices when handling personal data.
The coronavirus pandemic has necessitated remote working, and organisations have implemented IT solutions to enable their workforce to perform their duties from locations outside the office, e.g., working from home.
As with any IT solution, there are associated risks with remote working. One important risk is a personal data breach.
The Data Protection Act 2018 (DPA 2018) and the UK GDPR set out how information about people (otherwise known as “personal data”) is used properly and fairly. Every organisation that uses people’s personal data in the course of their business and for other non-household purposes is required to comply with the requirements of DPA 2018 and UK GDPR. In this regard, it is important for organisations to ensure that they take appropriate measures to mitigate these risks. These measures include not only IT solutions but also ensuring that staff who work remotely understand the potential risks associated with working away from the office.
The Information Commissioner’s Office (ICO) is an independent outfit that was set up to uphold information rights. Among other functions, the outfit provides guidance and advice on best practices when handling personal data.
In an office-based environment, it is easier for an organisation to control how clients’ and customers’ personal data are protected from data breaches, but with staff working remotely the risk of data breaches becomes higher due to the use of portable devices and removable media.
To help manage the risks associated with remote working, the ICO recommends that organisations do the following:
• Implement solutions to prevent unauthorised access to the information on mobile or portable devices in case they end up in the wrong hands, e.g., encryption and remote wiping.
• Ensure that all portable equipment taken off-site is properly authorised and logged.
• Discourage the storage of personal data on removable media, but if there is a need to use removable media then software solutions should be implemented to set restrictions.
• Use VPN, multi-factor authentication and up-to-date remote access solutions for access to the organisation’s systems.
• Adopt secure cloud storage solutions. This provides a way for remote workers to store personal data in a cloud repository instead of storing it on their portable devices.
• Ensure that staff are aware of when and how to report any data breaches.
Data protection is not the sole responsibility of organisations. Staff are also required to take measures to prevent or minimise data breaches. For staff to do this effectively, they need to be informed and trained in how to handle and dispose of personal data. To achieve this, the ICO recommends the following:
• Staff should be encouraged to use unique and complex passwords. Changing these passwords on a regular basis is also advised.
• Staff should be educated on how to use corporate email securely, e.g., ensuring that emails received are from legitimate sources before opening, forwarding, or clicking on links within the emails.
• Staff should be advised to only use corporate emails for storing or transmitting personal data.
Prevention is always better than cure and while we recognise that sometimes even the best defences can get breached, a disciplined approach to ‘cyber hygiene’ – where you’re making yourself as awkward and unattractive a target as possible – can help that prevention strategy. We certainly take our own medicine, following the recommendations and guidelines of the ICO to secure our systems and portable devices, with staff undergoing regular training in IT/cyber security awareness. And the lessons we learn we are only too ready to share with our clients.