Many businesses and employees alike will have been hoping that 2021 would see a return (at least partially) to office-based working, but that is unlikely to happen just yet. With the country placed into a 3rd lockdown, people may only leave their home for work if they “cannot reasonably work from home”.
In a recent article, we considered the pros and cons of working at home, in particular, its impact on mental health and wellbeing.
Another critically important factor which employers must bear in mind is the confidentiality and data protection implication of homeworking.
As a result of Covid-19 and the almost immediate move to mass homeworking, there has been a spike in the number of cyber-attacks as a result of hackers exploiting the uncertainty of the pandemic, along with the decreased security which is usually present on home devices. This presents a real risk for organisations whose employees work from home.
Technology and devices
Whilst corporate devices are usually supported by firewalls and IT monitoring to prevent common attacks, individuals working from home and/or from personal computer devices are subject to an increased risk of phishing attacks. Many personal devices do not benefit from the same sophisticated cyber-security protections present on work computers. Furthermore, as more work is conducted online (using online applications to carry out video calls or file sharing), hackers have found an increased opportunity to gain unauthorised access which can lead to data breaches and the exposure of confidential information.
Out of sight, out of mind?
In the workplace, many businesses will have policies requiring employees, for example, to lock their computers when unattended, not to leave paperwork on their desk overnight and to dispose of all confidential documents in a shredder. Working at home, employees may forget these principles or be lulled into a false sense of security, meaning that they may inadvertently cause data breaches or the loss of confidential business/client information.
Whether caused by cyber-attacks or human error, the actions of employees and external third parties can expose employers to personal data breaches which can have significant repercussions, both reputational and financial.
Employees who are working from home should be reminded of their employer’s policies in relation to data protection and confidentiality, including the procedures which employees must follow and the safeguards which they should observe while working from home.
Risk assessments
Employers should also carry out a data privacy impact assessment regarding the implications of employees working from home. As part of that assessment, employers should consider:
- Who will have access to the employee's computer and the data stored on it? Specific security measures should be in place to ensure that members of the employee’s household do not have access to work-related data held on the computer. Corporate devices should be provided wherever possible, together with appropriate organisational and technical measures such as remote access security controls and two-factor authentication along with training on things like phishing. If personal devices are used, anti-malware software should be installed, and all applications should be kept up to date. Employers should make all workers aware of their home working policies, and all documents and devices used for work should be locked away after use.
- Where will paperwork be kept and disposed of? Consider instructing employees to refrain from printing documents wherever possible and/or provide paper-shredding equipment.
- How will data and documentation be moved between the office and home?
- Do employees have the facility to encrypt or password-protect information?
Many employers will already have considered these issues and put appropriate measures in place. However, many businesses (understandably) were forced to put emergency measures in place in March 2020 to facilitate what they hoped would be a short-term phase of homeworking. If so, they must now address the longer-term practicalities, logistics and costs of ensuring appropriate and ongoing levels of data protection.
The Information Commissioner’s Office (“ICO”), the UK’s regulatory authority for data protection matters, has acknowledged the unprecedented challenges that businesses are facing during the pandemic and the fact that data needs to be shared quickly and in different ways. However, the fact remains that businesses must continue to comply with their data protection obligations; failure to do so could result in fines for the most serious infringements of up to the higher of £17.5 million or 4% of the business’s total annual worldwide turnover in the preceding financial year.
With that in mind, employers would be well-advised to ensure that they have appropriate data protection and cyber-security measures in place and to provide regular training and reminders to staff about their obligations.
Employee monitoring
Despite various studies suggesting that homeworking boosts employees’ productivity, some employers will be concerned about work levels dropping and they may be tempted to install employee monitoring technology.
According to a recent survey of 3,000 workers carried out by the Trades Union Congress (“TUC”), 15% of workers have experienced an increase in employer monitoring since the Covid-19 pandemic began. In particular, 26% of those polled reported that their employers were using technologies to track when they started and finished work and 13% of individuals were having their breaks recorded. 8% of workers even had their social media screened.
Employers should think very carefully about whether employee monitoring is appropriate or necessary as it has significant privacy implications, as well as the potential negative impact on trust and confidence between staff and the company and even the possibility for employees to raise accusations of discrimination (if, for example, they need to take more frequent breaks or work slower due to a disability of child-care responsibilities). This is a tricky area for employers, and we would recommend that legal advice is taken.
If you have any concerns about the data protection implications of homeworking, then we are here to help. Please contact your usual member of our Employment or Commercial team.
