Working from home is new for many BIBA members and their employees, necessitated by the Government's requirements in response to the Coronavirus (Covid-19) pandemic. Even if members have supported home working for a while, there may suddenly be more people working from home than usual, some of whom may never have done so before. Home working is an area where BIBA has seen a large increase in queries from its membership, and below are some tips and pointers to information that may help members as they get to grips with the new reality of work.
The Information Commissioner’s Office (ICO), the data protection regulator, has put guidance together to help businesses meet what it has called the ‘unprecedented challenges’ that all are facing as a result of the pandemic. Members should take comfort from what the ICO said recently in one of its regular blogs that:
‘We are a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with information rights work when assessing a complaint brought to us during this period, we will take into account the compelling public interest in the current health emergency.’
The ICO has compiled a list of common Q&As that it has been asked since the outbreak of the pandemic, and two particularly pertinent questions are shown below:
‘During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?’
‘No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.’
‘More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?’
‘Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.’
The ICO helpline can be reached on 0303 123 1113.
BIBA members may wish to consider the following:
The message is that the data protection regulator is listening to businesses and is pragmatic, but individuals' information rights do still need to be protected. The ICO expects a proportionate response from firms as they adjust their ways of working during the pandemic. Firms should not be using the pandemic as an excuse not to process data subject access requests (DSARs) or other information rights requests. The regulator's expectation is that organisations should still have the intention and the resources to respond to individuals' information rights requests, even if it is going to take longer than usual. If there is going to be a delay in responding to a data subject access request, organisations should explain this to the individual, together with the reasons for the delay.
The GDPR requires businesses to implement appropriate technical and organisational measures to ensure they process personal data securely which should be taken into consideration when creating a homeworking policy.
Article 32 of the GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of a firm's data processing activities. Encrypting data while it is being stored (e.g. on a laptop, mobile, USB or back-up media, databases and file servers) provides effective protection against unauthorised or unlawful processing. It is especially effective at protecting data against unauthorised access if the device storing the encrypted data is lost or stolen, provided the decryption key or passphrase is not stored with the device.
Encryption is a widely-available measure and there are a large variety of solutions available.
Businesses may wish to consider having an encryption policy in place that governs how and when they implement encryption, and staff should receive training in the use and importance of encryption where such measures are implemented.
When storing or transmitting personal data, businesses may wish to consider using encryption and should ensure that their encryption solution meets current standards (for data in transit this means, for example, current versions of TLS rather than legacy protocols).
The ICO has produced detailed guidance on encryption, which is available on its website.
Paper records count too!
Paper files containing personal data should be kept securely and not left around where they can be accessed or removed. To keep business information confidential while staff are at home, members may wish to consider giving staff adequate facilities (such as lockable storage) so that they can follow the same rules for the storage and transmission of data at home as they would in the office.
Members may also wish to consider how such paper records are stored or disposed of once they are no longer required at the home location.
Some organisations encourage the use of a shredder for confidential paper documents once they are no longer needed. Organisations may need to issue a reminder to staff that the recycling box/bin/receptacle is not the place for disposing of unshredded documents containing personal/confidential data.
Webcams and teleconferencing
Make sure that webcams are only activated when they are needed, to avoid unwittingly broadcasting activities or outfits to colleagues and customers. Look out for the small light next to the computer's webcam (if it has one) that shows when it is active. If there is any concern that the webcam could be activated when it is not required, cover it with a Post-it note or similar while it is not in use.
Individuals could be giving away information by accident to people outside the business if documents are caught within the field of vision of their webcam. It may be a good idea to tidy documents away, or shield them from the webcam, before going live online.
Many teleconferencing facilities will give the option to just use audio links to participate in proceedings if camera shyness/bad hair is a problem.
When sharing a screen or desktop in a teleconference, close other tabs and applications first (or, where the tool allows it, share a single window rather than the whole desktop) so that participants see only what you intend them to see. Remember that notifications, open email and chat windows are all visible to everyone on the call while the desktop is shared.
The National Cyber Security Centre (NCSC)
The NCSC, which is a part of GCHQ, has published advice for UK businesses to help them reduce the risk of cyber-attack on deployed devices including laptops, mobiles and tablets, and tips to help staff identify typical signs of phishing scams. It has produced cyber security best practice guidance to help businesses prepare for an increase in home and remote working in the wake of coronavirus.
The NCSC has outlined recommended steps for organisations in:
Preparing for home working – this looks at the practical considerations of transitioning staff from working in the office to remote locations. It encourages businesses to think about the new services that they may need to provide so they can continue to collaborate such as chat rooms, video teleconferencing (VTC) and document sharing. The NCSC has written guidance for organisations looking to use, deploy, and understand the risks of adopting a range of popular Software as a Service (SaaS) applications.
Setting up new accounts and accesses – The advice is to set strong passwords for user accounts and to implement two-factor authentication (2FA) wherever it is available. Passwords based on a partner's, pet's or favourite football club's name are easily guessed and should be avoided. In addition, remind staff not to write passwords down on paper where they can be discovered, and not to let a shared or unencrypted device save passwords automatically, as this undermines system security. The NCSC has produced guidance in this area.
Controlling access to corporate systems
Virtual Private Networks (VPNs) allow remote users to securely access an organisation's IT resources, such as email and file services. VPNs create an encrypted network connection that authenticates the user and/or device and encrypts data in transit between the user and the organisation's services. The VPN gateway itself is internet-facing, so it should be kept patched and, like any other remote access, protected with two-factor authentication where available.
Helping staff to look after devices
The prospect of devices being lost or stolen increases outside the office environment. Whether staff are using their own personal device or the organisation's, ensure they understand the risks of leaving devices unattended. A laptop left on the dining room table overnight, ready for work the next day, is an easy target for thieves, so encourage staff to keep their devices somewhere safe when they are not being used. Members may want to encourage staff to lock away laptops or put them out of sight when not in use; the same advice applies to confidential documents and personal data being used at home.
If a device is lost or stolen, members’ staff should know what to do and who to report to, to ensure an early response which can limit the damage and possible data loss.
Removable media exposures
USB drives may contain lots of sensitive information, are easily misplaced, and when inserted into an IT system can introduce malware. When USB drives and cards are openly shared, it becomes hard to track what they contain, where they have been used, and who has accessed them. The NCSC says that the likelihood of infection can be reduced by:
- disabling removable media using mobile device management (MDM) software settings
- using antivirus tools where appropriate
- only allowing products supplied by the organisation to be used
- protecting data at rest (encrypt) on removable media
Staff can also be encouraged to transfer files using alternative means (such as corporate storage or collaboration tools) rather than via USB. For more information, see the NCSC's removable media guidance: https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps/removable-media-controls
Within the guidance there is advice on dealing with suspicious emails, as evidence emerges that criminals are exploiting the coronavirus online by sending phishing emails that try to trick users into clicking on a bad link. If clicked, these links could lead to malware infection and loss of data such as passwords, or loss of money. The scams may claim to have a 'cure' for the virus, offer a financial reward, or encourage charity donations.
The guidance offers advice on spotting those emails, as well as on how to respond in the event of falling victim to a scam.
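The signals that guidance asks staff to look for can also be checked mechanically before a message reaches an inbox or when one is reported. The script below is an added example, not code from the NCSC, the ICO or BIBA, and uses only the Python standard library. It parses one e-mail and flags four of the traits described above: a From: display name that claims a trusted organisation (the NHS, Public Health England) while the address sits on an unrelated domain; a Reply-To: that diverts replies to a third domain; a link whose visible text shows one site while its href goes somewhere else; and the lure vocabulary of cures, rewards, donations and urgency. The TRUSTED_ORGS table, the lure word list and the two sample messages are constructed for the example, and registrable_domain is a deliberately crude stand-in for a public-suffix lookup.

```python
"""Phishing triage for one suspicious e-mail: an added example, not NCSC or BIBA code.
Standard library only.  Flags a From: display name claiming a trusted organisation
from an unrelated domain, a Reply-To: on a third domain, a link whose visible text
shows one site while its href goes elsewhere, and coronavirus lure vocabulary."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical table of organisations a lure might impersonate and the domain
# genuine mail from them would come from; extend with the firm's own insurers.
TRUSTED_ORGS = {"nhs": "nhs.uk", "public health england": "gov.uk"}
# Lure vocabulary drawn from the scams the page describes, plus urgency cues.
LURE_WORDS = ("cure", "vaccine", "reward", "refund", "donate", "donation",
              "urgent", "immediately", "verify your account")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude last-two-labels approximation; a real tool should use a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def mail_domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def body_text(msg):
    """Return the first text/html or text/plain part decoded to str."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def triage(raw_message):
    """Return a list of (signal, detail) pairs; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = mail_domain(sender)
    for org, genuine in TRUSTED_ORGS.items():  # 1. display-name impersonation
        if org in display_name.lower() and registrable_domain(sender_domain) != genuine:
            findings.append(("display-name-spoof",
                             f"'{display_name}' sent from {sender_domain}, not {genuine}"))
    reply_domain = mail_domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:  # 2. replies diverted elsewhere
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}"))
    body = body_text(msg)
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:  # 3. link text names a different site to the href
        target = registrable_domain(urlparse(href).hostname or "")
        shown = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append(("link-text-mismatch",
                             f"text shows {shown.group(1)} but href goes to {target}"))
    plain = re.sub(r"<[^>]+>", " ", msg.get("Subject", "") + " " + body).lower()
    hits = [word for word in LURE_WORDS if word in plain]  # 4. lure vocabulary
    if hits:
        findings.append(("lure-vocabulary", ", ".join(hits)))
    return findings

# Constructed sample lure (not a real message) in the style the page describes.
SAMPLE_LURE = """\
From: NHS Coronavirus Team <alerts@nhs-covid-relief.co>
Reply-To: claims@mail-drop.example
Subject: URGENT: claim your Coronavirus cure and GBP 500 reward
Content-Type: text/html; charset="utf-8"

<p>A cure is available. Donate now and claim your reward immediately.</p>
<p>Visit <a href="http://login-nhs.example.net/verify">https://www.nhs.uk/conditions/coronavirus-covid-19/</a></p>
"""
# Constructed benign internal message for comparison.
SAMPLE_CLEAN = """\
From: Claims Team <claims@broker.example>
Subject: Renewal schedule for next week

Please find the renewal schedule attached.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(label, triage(sample) or "no findings")
```

Run stand-alone, the script reports all four signals for the constructed lure and nothing for the benign message. None of these checks is proof of phishing on its own (a genuine newsletter may legitimately use a Reply-To on a mailing provider's domain), which is why the function returns the individual findings rather than a verdict: they are prompts for the human check the NCSC guidance describes, and a message with several findings is the one to report rather than click.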
BIBA members may wish to review their online policy in relation to email, internet and social media usage and ensure that staff have been issued with online safety advice covering cyber security. They will also need to ensure that staff know what to do in the event that they fall victim to a scam or click on a bad link, and that reporting is encouraged rather than punished, since a quick report is what limits the damage. This may also mean that members need to revisit their plans for what to do in the event of a data breach, including reporting to the ICO, to ensure that their approach remains up to date and reflects the new pandemic operating environment.
The NCSC has also taken measures recently to automatically discover and remove malicious sites which serve phishing and malware. These sites use COVID-19 and Coronavirus as a lure to make victims ‘click the link’, so members should make their staff aware that such links while ostensibly looking helpful could be particularly harmful for their computer and data and ultimately the reputation of the organisation.
Members may wish to consider directing staff to official information about Coronavirus in order to reduce the risk of them being misinformed or deliberately misled. Trusted website resources include:
https://www.gov.uk/government/organisations/public-health-england – Public Health England
https://www.nhs.uk/conditions/coronavirus-covid-19/ – National Health Service
Members may also wish to consider informing staff that, within the context of their working environment, the senior management of the firm will provide the sole source of information about Coronavirus.
https://www.ncsc.gov.uk/guidance/home-working – Home working guidance
https://www.ncsc.gov.uk/guidance/suspicious-email-actions – How to spot and deal with suspicious emails
https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks – Mitigating and defending against malware and ransomware.
Anyone who does fall victim to a cyber-related incident should report it to Action Fraud as soon as possible. Action Fraud has 24/7 live cyber reporting for businesses.
The NCSC has produced a Small Business Guide: Response and Recovery to assist in the event of a cyber incident.
Advisory, Conciliation and Arbitration Service (ACAS)
ACAS is a Crown non-departmental public body of the UK Government whose purpose is to improve organisations and working life through the promotion and facilitation of strong industrial relations practice. ACAS has published excellent guidance about working from home, although this was created before the pandemic, when having the time to take the decision to set up homeworking was a luxury.
The guidance looks at the HR and employment implications of homeworking for both the employer and the employee, the pros and cons of working from home, how to go about creating a policy, setting up a homeworker, managing homeworkers, health and safety as well as providing suggested further reading.
Members may access the ACAS guidance Homeworking – A guide for employers and employees on the ACAS website.
ACAS has also created a checklist for setting up home working and sample policy for homeworking. The organisation also talks about the importance of creating a good working environment when working outside the office and supporting mental health and wellbeing among staff working in isolation.