If you have staff who work from home, whether permanently, regularly or infrequently, you should have a written policy which they must sign up to. You will also require a written policy for their immediate supervisor.
We will cover only matters regarding the security of data. Subjects such as Health and Safety and contractual matters will not be addressed and should be left to the specialists in your company.
The form the policy needs to take will depend on factors such as whether you have just one home worker or several, whether they have access to your company’s records, and the level of confidentiality of those records. The essential point is to ensure that home working staff do not breach the Data Protection Act or put your company at risk of prosecution through ignorance of proper procedures.
The best types of policies are those which are straightforward and clear in intent. Many start this way but over time become bloated with add-ons and conditions for specific circumstances. Accept that if there is a considerable number of these, then the basics were not covered initially.
It can be useful, if it applies to your company, to have policies for different kinds of home working. For instance, a member of staff who works permanently from home will require an all-encompassing policy. The casual home worker, who works from home only during the school holidays, will need a simpler one.
Things to consider in a policy:
1/ Home set up
Set rules regarding the security of the internet connection. The connection must be password protected. You might want to prohibit the person from using any other ISP. A home visit to assess the situation can be useful.
Many companies require the person to use only a company-supplied laptop, to ensure that the operating system is up to date, that it has a firewall, and that it is password protected. If they are to use their own computer then the same rules should apply. However, securely clearing company information from a personally owned hard drive is problematic.
3/ What files they may access from home
It is sensible to limit the data they may download onto the computer, especially if they are using their own device. The best way to do this is via technical controls rather than rules alone. If the person is a data processor, or even a data controller, then specific limits on what they may access, and what they can do to it (for instance, an email marketing list), should apply.
Ensure that no one else can view the confidential documents they are working on. If possible, you should require that they are alone when working.
5/ Data transfer
Restrict the use of discs and memory sticks for transferring data. Require that any such media are password protected or encrypted.
Be specific as to the nature of the work they can perform.
Strictly enforced guidelines not only limit the chance of a data breach; if a breach does happen, the infrastructure you had in place may well be an important factor when any penalty is decided.