The current Coronavirus restrictions have forced many people to work from home.
While some will be familiar with the concept, for many it is a completely new experience.
And there are a number of things to be conscious of.
Some useful guidance has been circulating recently in relation to remote working. Here we attempt to cover the main points.
- Take extra care that devices, such as USBs, phones, laptops, or tablets, are not lost or misplaced.
- Make sure that any device has the necessary updates, such as operating system updates (like iOS or Android) and software/antivirus updates.
- Ensure your computer, laptop, or device, is used in a safe location, for example where you can keep sight of it and minimise who else can view the screen, particularly if working with sensitive personal data.
- Lock your device if you do have to leave it unattended for any reason.
- Make sure your devices are turned off, locked, or stored carefully when not in use.
- Use effective access controls (such as multi-factor authentication and strong passwords) and, where available, encryption to restrict access to the device, and to reduce the risk if a device is stolen or misplaced.
- When a device is lost or stolen, you should take steps immediately to ensure a remote memory wipe, where possible.
- Use work email accounts rather than personal ones for work-related emails involving personal data. If you have to use personal email, make sure contents and attachments are encrypted and avoid using personal or confidential data in subject lines.
- Before sending an email, ensure you’re sending it to the correct recipient, particularly for emails involving large amounts of personal data or sensitive personal data.
Cloud and Network Access
- Where possible, only use your organisation’s trusted networks or cloud services, and comply with any organisational rules and procedures about cloud or network access, login, and data sharing.
- If you are working without cloud or network access, ensure any locally stored data is adequately backed up in a secure manner.
- It’s important to remember that data protection applies not only to electronically stored or processed data, but also to personal data in manual form (such as paper records) where it is, or is intended to be, part of a filing system.
- Where you are working remotely with paper records, take steps to ensure the security and confidentiality of these records, such as by keeping them locked in a filing cabinet or drawer when not in use, disposing of them securely (e.g. shredding) when no longer needed, and making sure they are not left somewhere where they could be misplaced or stolen.
- If you’re dealing with records that contain special categories of personal data (e.g. health data) you should take extra care to ensure their security and confidentiality, and only remove such records from a secure location where it is strictly necessary to carry out your work.
- Where possible, you should keep a written record of which records and files have been taken home, in order to maintain good data access and governance practices.
General advice and security
You need to be realistic about what can be achieved with technology given people’s existing capabilities and skills.
Don’t do video calls in your nightwear or when you have just returned to your desk from a sweaty workout. Remember, you are at work and your meetings should be conducted just as they would be if you were in the same room. Good manners should still apply.
Fraud/phishing: Attempts are unfortunately on the increase, so be alert to suspicious emails and do not open any attachments which look untrustworthy.
Physical security: Even when working from home, PCs and laptops should have two-step password protection – involving both a password and a PIN sent to your mobile phone.
Privacy: Individuals are potentially more vulnerable to having their privacy rights exploited when their image and voice are being beamed remotely over the web. Respect others and ask that they respect you. Photographing and videoing of content for publication elsewhere should not be done without a proper legal basis.
Email: To avoid data breaches, extra security precautions need to be taken in relation to the content of emails.
Online file sharing: Online file-sharing services may not be secure enough for sensitive and confidential communications. All large files or data sets should be sent using applications that provide a number of security features, including:
- Link-expiry settings
- Number of allowed downloads
- Password protection
Employees need to satisfy themselves as to their GDPR obligations in the use of all products, in the normal manner. The advice is to exercise caution with apps that have not been assessed as GDPR compliant.