We are all operating in unprecedented times due to the Coronavirus pandemic and many of us are now working from home. This blog provides 5 top compliance tips for staying safe and protecting confidential information whilst working from home.
What are the 5 top compliance tips for working from home during COVID-19?
Below are what we consider to be the 5 top tips for staying compliant and protecting confidential information whilst working from home. Advice is given to both individuals and organisations in each tip.
1. Don’t accidentally upload confidential or private information to social media
Advice for individuals:
If you absolutely have to post a photograph of your home working setup on social media then be extremely careful not to capture any confidential information. This could be an open document on your screen, handwritten notes or an entry on your wall calendar.
Perhaps you want to post a photo of the view from your desk? Consider whether your location could be pinpointed from street signs or local landmarks and whether you’re happy for this to become public knowledge. Cybercriminals are known to use this information to make their fraudulent emails and calls more convincing. The less they can find out about you, the less convincing they’ll be if you’re targeted.
It is also a good habit to lock your screen when you’re away from your desk, particularly if you live with others who are working from home.
Advice for organisations:
You should already have clear policies about confidentiality. Whilst some might see it as draconian, a blanket ban on home workstation photos could be the safest option. Regular reminders on cybercrime risks are a good idea but be sure to mention current trends and contextualise the reminders. If you are sending out the same warning over and over again, people are likely to delete it without reading.
2. Make sure your home computer is secure
Advice for individuals:
A network is only as secure as its weakest link. If you need to use your personal computer to access work systems then check that your operating system is up to date, including any recent security updates. If you don’t feel comfortable doing this yourself, don’t be afraid to ask your IT team for assistance. They should be able to help you remotely.
Be extra vigilant about spotting fraudulent and malicious emails. Scammers will latch onto people’s concerns about COVID-19 and try to trick them into clicking links or giving away account details. If you think you’ve clicked something you shouldn’t have, speak to your IT team immediately.
Advice for organisations:
The National Cyber Security Centre (NCSC) has released home working guidance aimed towards organisations, “Home working: Preparing your organisation and staff”. IT support teams are likely to be under heightened pressure at the moment, so if you can circulate an FAQ of common support queries which have easy fixes, that can help lighten the load.
If you haven’t done so recently, it would be advisable to assess the security of your networks and to ensure that backup systems are sufficient to mitigate the fallout of a system failure or ransomware attack. Staff should avoid moving confidential files or information outside of the organisation’s ‘ecosystem’ where at all possible.
3. Be careful about what software and apps you use
Advice for individuals:
Necessity is the mother of invention. Don’t have a scanner at home and need to send out a signed document? Perhaps you download a PDF conversion app onto your phone and create a PDF from a photo. Not able to open a particular file type on your home computer? Perhaps you download a free piece of software recommended by your favourite search engine.
Before downloading any new app which you’ll use to access confidential information (including personal data) find out whether your organisation has recommended an alternative. If not, exercise your common sense and think carefully about the following:
- Have I heard of the app before? Is the publisher reputable? Where are they based? What is the rating for the app (if any) and do the reviews seem credible?
- Can I be reasonably sure that the app will keep the information confidential? Does it use encryption? Does the app upload the information to a server or is it stored locally on my phone or computer?
- Am I using the app to process personal data? If so, do the app’s T&Cs contain data processing clauses which comply with the GDPR? If you are unsure about this, speak to the person in your organisation who is responsible for data protection compliance before using the app.
If your organisation’s system doesn’t allow you to install new software then you will need to speak to your IT team for assistance.
Advice for organisations:
Consider producing a list of approved software for various purposes (video conferencing, team chats, document sharing, PDF creation, etc.) and sharing this with your staff. Have a clear policy for staff wanting to use other software to achieve these purposes, perhaps requiring IT team or senior management sign-off.
You should already have a list of providers used by your organisation to process personal data. This should include software and online service providers. New entries should be reviewed by your Data Protection Officer (DPO) or, if you don’t have a DPO, the person responsible for data protection compliance. The relevant T&Cs will need to be checked to ensure they contain the data processing clauses required by the GDPR.
If the provider is based overseas then additional safeguards will need to be put in place before you can lawfully upload personal data to the app. If you don’t feel confident making this assessment, or simply don’t have the manpower to do so at the moment, then Paris Smith’s data protection team can make these assessments and update your records in a quick and cost-effective manner.
4. Be careful what you say about people
Advice for individuals:
If your organisation has moved to a platform such as Microsoft Teams or WhatsApp then internal communications might feel more informal than traditional email. Be careful though, any personal data in messages, including people’s opinions, may still need to be disclosed if your organisation receives a data subject access request (DSAR).
It is a criminal offence to try to delete records which would be disclosable under a DSAR. The best policy is therefore to keep things professional. Resist making personal remarks about colleagues and customers, as they could come back to haunt you.
Advice for organisations:
A throwaway comment between colleagues in a team WhatsApp group could end up making or breaking an employment tribunal claim. Although much less common, think about what comments a key customer or supplier might be entitled to see if one of their staff submitted a DSAR. Best practice is basic common sense: staff should be reminded not to make disparaging or potentially embarrassing remarks using the organisation’s systems (and ideally not at all!).
5. Take your time (as best you can)
Advice for individuals:
One of the most common types of data breach is an email sent to the wrong person or forgetting to BCC the recipients on an email newsletter. These mistakes are more likely to happen if you don’t make time to check what you’re doing. Give yourself a few extra seconds to check over your work and you could avoid days of extra work picking up the pieces.
If you’re able to distance yourself from distractions at home by working in a separate room then you’ll find yourself less likely to make a mistake. If something does go wrong then be honest and open about it with your organisation. Extra steps may be required to rectify the issue. Don’t be tempted to cover up or hide data breaches in any circumstances.
Advice for organisations:
Where possible, try to alleviate pressure on members of staff with very heavy workloads. They will be a heightened compliance risk compared with their colleagues. This is particularly the case if they work with sensitive information.
Technical measures can be taken to reduce the risk of human error. These include disabling the autocomplete function when typing an email address into the ‘To’ box, and using AI-based software to check whether an email is being sent to the correct person. Operationally, it’s important to have a culture where staff feel comfortable admitting their mistakes. Data breaches in particular should be properly documented and a decision made whether to notify the ICO and/or the affected individuals.
If you have any questions relating to confidential information, data protection (including GDPR and data breaches) or employee policies then we can provide practical solutions to help take the pressure off and reduce your compliance risk. Please email Ryan Mitchell.
Our dedicated “Coronavirus – Legal advice and guidance” page contains advice and guidance on matters affecting businesses, employers, the self-employed, employees, planning legislation etc. and is regularly updated as and when new guidance comes in from the government or other regulated bodies.