The Coronavirus pandemic and the COVID-19 disease outbreak have many people working from home who have not done so previously, and many companies may not have a work-from-home policy or be geared up for mass homeworking.
Data protection legislation, namely the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), will still apply to the company and its employees wherever personal data is controlled, processed or handled, regardless of whether they work from home or the office.
The core security requirement under Article 32 of GDPR states:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Subject to the above, there is no clear and simple answer as to what a company would need to do in these circumstances; it will also depend on the sensitivity, volume and type of personal data being processed. In essence, the circumstances around COVID-19 do not change the standards that would apply; however, a company may decide to take a commercial view and take more risks due to COVID-19. Doing large-scale remote access properly is not a quick or simple exercise, especially if the business is not set up for it already; it is essentially a project in its own right. There are also marked differences in the security and other issues between inter-employee communication by, say, video conferencing, granting remote access to emails and granting remote access to a company database. Each brings its own particular problems and issues, with remote access to databases usually being the most problematic.
This list is not exhaustive, so depending on resources, doing home working properly from scratch would realistically take weeks rather than days to set up, and even that would be optimistic, even if the company has its own internal IT resource. How the setup works and is put into practice will also depend on what IT systems are currently being used, as some might be much easier than others. Therefore, if a business is going to take any shortcuts, it has to accept the risks that come with that, do the best that it can, and look to improve as time goes on. It will be a case of weighing up the risks of a lack of remote access against the risks of facilitating remote access. It could be expected that external IT consultants are going to be very busy in the short term and also charging premium rates, so there may also be substantial cost involved.
There won’t be a one-size-fits-all requirement, and what is listed above are things that could be considered good enough in some circumstances but may equally not be good enough in others. It will be for individual businesses to decide what security measures would be appropriate, but extracting a database containing personal data and putting it on an unencrypted memory stick is unlikely ever to be sufficient.
Employees won’t necessarily be committing a criminal offence by undertaking activities which are not secure, but they are exposing their employers to liability. Employers need to think carefully about how they manage this risk and exposure appropriately and as best they can in the circumstances.
Consider sending an email to employees to remind them of their obligations, which may be contained within employment contracts or policies and procedures, as to how they should be handling and protecting personal data, specifically reiterating that they must not download the database or make any personal or unlawful use of the data.
A final consideration is the protection of data and confidentiality where employees have devices and smart speakers such as Amazon Echo or Google Nest. There have been reports that these devices listen to everything that is said where they are located and that humans have access to those voice recordings. This could pose a security threat, and companies therefore have to decide how to manage it. Measures could include not disclosing confidential or sensitive data when the devices are nearby or in use, checking default settings to reduce the risk, or switching them to mute or off during the working day.
Whilst the standards applicable to protecting personal data have not changed as a result of COVID-19, the ICO have stated:
“The ICO recognises the unprecedented challenges we are all facing during the Coronavirus (COVID-19) pandemic. We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate - if something feels excessive from the public’s point of view, then it probably is.”
The ICO also have a series of questions and answers on their website, one of which is:
More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.
In simple terms, whilst the ICO may be a little less enthusiastic about enforcement of data protection requirements as a result of COVID-19 and may give businesses some short-term latitude, the standards themselves have not changed and the extent of any latitude the ICO will give is uncertain. Any organisation giving remote access to personal data in an unsecure way will therefore have to face the risk of enforcement action if something goes wrong or the unsecure access comes to the attention of the ICO.