In the past few weeks, more employees than ever before have been forced to work remotely, whether from the comfort of their beds or at their (hastily de-cluttered) dining room tables. Working patterns have become more flexible as connectivity, home schooling and adjusting to a different way of life are incorporated into our working days.
There are plenty of articles on the importance of ensuring that when working from home, we try to maintain some form of routine. Despite this, it is a different environment and we have to accept that productivity will not be the same. However, it is still important to be as vigilant as ever in relation to data security and making sure that data isn’t misused, misplaced or even lost – Marriott Hotels recently announced it has been hit once more with a significant breach, this time affecting around 5.2m of its guests.
In many instances, organisations in Guernsey and Jersey will make use of secure connections enabling employees to have immediate access to the data necessary to fulfil their duties. However, there are also entities which have had to completely overhaul systems and procedures to allow their employees to work remotely. Whichever category your organisation falls into, working remotely puts a business’ data (including personal data) at greater risk.
In particular it may be harder for the employee or the organisation to know when security is breached, and even harder to identify how it happened. IT departments are already under significant pressure maintaining connectivity, let alone checking for rogue emails, inadvertent disclosure to the “wrong” email address, or monitoring activity logs. Criminals are looking to exploit the Coronavirus situation by sending emails masquerading as government guidance, or as banks pretending to check on their customers. It is therefore more important than ever to be security conscious and reflect on your organisation’s data management policies.
Both the Office of the Data Protection Authority in Guernsey (ODPA) and the Office of the Information Commissioner in Jersey (JOIC) have published guidance reminding controllers and processors of the increased risks associated with working from home. Both list various “common-sense” steps to ensure controllers and processors monitor the risks associated with personal data during these unprecedented times.
Three of the fundamental steps controllers and processors should keep in mind when operating remotely, taking into account the data protection legislation on both islands (DP Law) are:
1.“Make sure staff are aware of, and able to, implement your existing policies surrounding remote-working”.
Since remote working increases the risks associated with personal data, it will be paramount for organisations to show the regulators that they have complied with the DP Law. Follow up with staff reminds them of the core principles and practical examples of good data security. Be tolerant if tasks take longer to complete and enable staff to have access to others within the business to sense-check their decisions.
2. “Depending on what your staff are doing with personal data whilst they’re working remotely, consider whether it may be helpful (or legally required) for your organisation to perform a Data Protection Impact Assessment.”
These are usually required where high-risk processing is to be carried out, but they are generally advisable when implementing new technology, services or products. In the current environment, if remote working is new to your organisation, work through a risk assessment and prioritise the higher risk situations. For example, encouraging staff to check addressees before sending emails and/or password protecting attachments.
3. “Ensure staff only use secure network connections, and that all devices have appropriate and up-to-date anti-virus software and other security measures”.
Under the DP Law, it is important for personal data to be processed in a manner that ensures its security appropriately, which includes protecting it against unlawful or unauthorised processing and against accidental loss, damage or destruction. These measures may include organisational or technical measures such as adopting processes to ensure ongoing confidentiality. Controllers are also expected to regularly test, assess and evaluate the effectiveness of their security measures. Discourage staff from using personal devices where possible, and not to simply forward work to their personal email addresses, for example.
In the event that a breach occurs (for example by data being lost, stolen or an organisation being hacked, it is still very important to notify the ODPA/JOIC of a breach as soon as practicable and to take steps to implement your incident response plan. Whilst the ODPA/JOIC may give you a degree of leeway in the current environment, the criminals will not, so act quickly.
One thing that is clear from the ODPA/JOIC statements is that whilst reassuring local organisations that they are taking a realistic and pragmatic approach to regulation during the Bailiwicks’ ‘lockdowns’, the ODPA/JOIC will still take non-compliance and data breaches seriously. Responding to an incident in these times will be more difficult than usual, so avoidance is still the best defence mechanism.