We live in unprecedented times and, no matter your stance on the appropriateness of lockdown, it is undeniable that the COVID-19 pandemic has forever altered the workplace.
The office environment has been impacted by a fluctuating definition of essential work and a risk-based approach to distancing, but what will undoubtedly define this era is the sudden and global shift to a working-from-home culture. Historically a privilege, self-regulating work is now afforded to all, raising unprecedented risks to client data protection.
Many data protection policies were traditionally created on the premise that computers, files and documents remain in the office. Now, however, with working-from-home requirements, data is routinely sorted, accessed and processed at the homes of employees.
Despite best efforts, it is difficult to eliminate all data exposure when documents are in transit or removed indefinitely. According to the relevant law, the measures required to safeguard against data breaches must be proportionate to the nature of the risk. With almost all employees now relocating data, a review of what is proportionate is essential.
Data breaches can now occur in the most unremarkable of circumstances – a shared workspace between domestic partners, private client data left in a communal space by cohabiters, or a laptop unattended and unlocked in the home. Most offices have a safe disposal method for sensitive and personal documentation, which employees don’t have access to while working from home.
Data protection policies silent
Often data protection policies are silent as to the measures to be followed by employees when working from home, even on basic considerations such as the documents that an employee is allowed to take home or print at home, how such documents are to be kept safe and eventually disposed of, or how office equipment such as laptops and computers is to be safeguarded from unintentional data breaches. The safety of data and equipment in transit, particularly where employees are taking laptops with them while travelling, should also be addressed.
Even if an employee’s home is a safe space, the employer must be able to illustrate how it is keeping its clients’ data secure and, should a data breach occur, be satisfied that it is unlikely to have occurred due to its own (or its employees’) negligence.
It appears that with the world continuing to shift further towards distanced working as the norm, considerations of data protection in this context are ripe for review.
Certain fundamental risks should be addressed in the company’s data policy to guide and regulate employees working from home. However, every company policy is different and each employer will discover its own challenges with more employees working from home. Each data policy should therefore be fluid and regularly reviewed to sufficiently address these evolving challenges.
If you would like advice regarding your data protection policy, please contact us.