In a recent case a city council allowed confidential data to become available to unauthorised people because of inadequate security around staff working from home, in breach of the Data Protection Act (DPA). Once it became aware of the breach the council quickly secured the data. It appears that the people whose information was exposed suffered no harm beyond the loss of their privacy.
The council was fined £100,000 by the Information Commissioner's Office (ICO) and had to work to strict conditions for staff working from home. The decision gives clear direction to every organisation whose staff work from home with access to confidential data.
The ICO highlighted three specific failings by the council:
1. no relevant home working policy in place for staff,
2. no checks in place to see whether existing data protection guidance was being followed, and
3. insufficient measures in place to restrict the downloading of sensitive information from its network.
The absence of a published home working policy is the decisive failing in this case, and it is basic data management. Had a policy existed, the council could have used it in mitigation by showing that the employee had acted against instructions. That would not have altered the finding that the DPA had been breached, but it may well have lowered the penalty.
Even where a policy exists, checks are essential. Supervising someone who works with data remotely is inherently harder, and the resulting risk can only be reduced by a system of checks and controls. Having none means trusting every employee never to make an occasional error and never to break the law deliberately.
Measures to limit the downloading of sensitive data from the network are essential regardless of whether anyone works from home.
Your sympathy for the council may well be reduced by these failings. They are rather basic, and an organisation of that size, holding that amount of sensitive and confidential data, should have robust systems in place.
If the only times your employees have worked from home are occasions such as family illness or a tube strike, you might feel you have no need for a policy. You would be wrong, and the exposure is considerable: if there is a breach of the DPA, any defence will be compromised. On top of that, who would trust a company that was so casual with its data?
We will cover the format of a home working policy in a later article, but you should accept that if someone takes a work laptop home or, far more riskily, uses their own personal device, then you need strict guidelines. Not only that, compliance with those guidelines needs to be checked.
This means you need guidelines not only for those working from home or using their own devices, but also for their line managers. Even if you are the sole line manager, you still need the safety net of a policy so that you can say 'this is what I always do'.
With the rise of various forms of home working comes a rise in the risk of compliance problems.