With the increase in demand for working from home comes headaches for the data protection officer. A recent case highlights the need for comprehensive policies to be in place for home working, and not just covering the worker themselves but their immediate supervisor.
In the case mentioned, the inquiry into the matter found the company, a city council, in breach of the Data Protection Act (DPA) in a number of ways. The failures resulted in a £100,000 fine and conditions being imposed on them with regard to processes.
Now that I have got you worried, I'll point out that it is easy enough to protect you, your company, your staff and the contents of your email marketing list.
The council failed in three major areas:
1) No home working policy for staff,
2) No policy for supervisors to check if the requirements were being adhered to, and
3) Insufficient control on sensitive data being downloaded.
First things first: you must have processes to ensure you have sufficient control over your sensitive data. Indeed, there should be controls on all personal data, sufficiently robust to ensure it is available only to those who have reason to access it. That a city council did not is appalling. Make sure you do not make the same mistake.
Establishing processes for your staff who work from home, whether occasionally, regularly or all the time, is straightforward enough and will be covered in a later article. Not only that, it has the benefit of protecting the company, and your data controller, to a certain extent.
If the person working from home breaches the DPA, either deliberately or maliciously, then you have mitigation: they went against your instructions. This depends on you communicating your policy to the person in a clear manner and ensuring that they understand what is required of them.
Another essential is that there is a policy for supervisors. Each one must know what their responsibilities are and be trained well enough to comply.
Prosecution for failure to comply with the DPA will be bad enough, especially with fines of £100,000 being imposed, but how many subscribers will remain if you treat their personal information casually?