The Information Commissioner's Office has issued guidance for data controllers on their data protection compliance obligations during the coronavirus outbreak. Euros Jones, Alexander Gorst and Natasha Jordan look at the key points.
As we continue to acclimatise to our new working environments, the Information Commissioner's Office (ICO) has issued guidance for data controllers on their data protection compliance obligations during the coronavirus pandemic.
The guidance stresses that data protection is not a barrier to increased and different types of homeworking. Data protection law does not prevent staff from working from home more frequently than usual or using their own computer device or communications equipment.
However, the guidance also states that you will need to consider the same kinds of security measures for homeworking that would be used in normal circumstances. Most employers will already have data protection and flexible working policies in place and it is critical that employers communicate the importance of such practices. This should include policies about confidentiality, information management and having IT facilities at home.
In practice, whilst keeping data safe and secure inside an office is one thing, keeping it safe outside the office can be more challenging. Here are some useful tips on how to keep yourself and your organisation safe from a data protection and cyber security perspective when working from home:
Use an encrypted, password-protected laptop
When working out of the office, the best practice, whenever possible, is to use your work laptop. Make sure it is encrypted with a strong password in case it gets lost or stolen. Avoid sending any sensitive data to your own personal email address, where it is more vulnerable to data breaches.
Make sure you are protected
Whether you are using a work or personal laptop, ensure that it is protected with the latest anti-virus and anti-malware software. Doing so will protect you from the latest threats and the ever-changing array of viruses and malware that can attack your computer.
Use strong passwords
Make sure your computer and all accounts are protected with strong passwords and/or a two-step authentication process.
Avoid downloads: use the intranet instead
Avoid downloading sensitive data to your laptop, in case the laptop gets lost or stolen. Accessing data by securely logging into the organisation’s intranet is the best option.
Keep your work hidden
Never leave a screen on when there is a risk that sensitive data could be seen by others. Printing out personal data is also not a good idea, as papers can go missing or fall into the wrong hands.
Remember to report
Always report potential data breaches as soon as they happen. Data protection law requires you to notify the ICO of a breach within 72 hours from when it happened.
Reasonable and pragmatic approach
The take-away point from the guidance is that the ICO will take into account “the compelling public interest in the current public health emergency” and will take a “reasonable and pragmatic” approach to enforcing data protection obligations.
Most importantly, although the guidance states that the ICO cannot modify statutory timescales, such as the duty to report a breach within 72 hours, it will not take regulatory action by penalising organisations that it knows need to prioritise other areas or adapt their usual approach.