Some Data Protection Considerations for Remote Working regarding Covid-19

Introduction

Luke Irwin[1] wrote an interesting article in 2017, with the central point being “whenever an organisation creates a new way of accessing its data, it puts that data at greater risk. Remote working intensifies that risk as it can be hard for the employee and the organisation to know when the data is breached, and it will be even harder to identify how it happened.” So, in a nutshell, remote access increases the risk of data loss.

To mitigate this risk, we would advise clients to ensure the following matters are in place prior to rolling out remote access. Please note that this advice concerns the use of laptops/desktops in the home and does not give any guidance on the use of mobile smartphones and tablets; the advice below is not exhaustive. And, as always when it comes to IT, talk to an IT expert.

Areas for consideration

  1. Device and Network Security

Laptops and desktops should:

  • Be provided by your chosen IT provider
  • Have hard drive encryption in place and active
  • Have login details that include a strong password
  • Require that employees use a non-stored password to connect during each session, especially for VPN access
  • Have up-to-date software, with anti-virus and anti-malware protection installed
  • Not be used by family members. Under no circumstances should laptops or desktops used for remote working be used by the wider household – no matter how many times the kids ask!!

Always use a secure network connection and a secure VPN when working from home – your IT service provider should be able to advise.

Never use public Wi-Fi or an unsecured network.

  2. Email and software

Areas that may be considered in relation to email and software include:

  • Logging on and using email should be arranged by your service provider. Two-factor authentication needs to be in place. Previous guidelines regarding password-protecting attachments and deleting old emails should be adhered to.
  • Enforce reasonable session time-outs for sensitive programs or applications.
  • Limit program/file access to only the areas absolutely needed by that employee.
  • Reserve the right to terminate employee access at any moment.
  • Provide the software and storage services for remote file storage and other tasks; don’t rely on individuals to use their personal programs and accounts. [2]

  3. Information Management

Some considerations under this heading include:

  • Have clear guidelines around what information should never leave a secure environment, e.g. printing off financial information.
  • Get your service provider to establish access permissions that support these guidelines.
  • Save material to where the organisation advises, e.g. OneDrive, a secure Dropbox, etc.
  • DO NOT USE USBs
  • Have clear backup procedures for material saved locally. (I am assuming that adequate backup and restore is sorted for the organisation's data/systems.)

  4. Clean desk policy

When working from home, staff will have information that pertains to your organisation around people who are not company employees. There are obvious challenges to this with regard to remote workers, but ensuring that information is kept secure is of high importance. Some simple (low tech) measures may include:

  • Try to have a space or office away from the kitchen table
  • Do not work on or access your organisation's data while there is someone else in the room – remember the confidentiality of the Personal Data
  • No written material should be left unattended – even for a cup of tea!
  • Logout if you are leaving the laptop or desktop unattended – seemingly cats have a habit of jumping on computer keyboards and might press a few keys when a laptop is unattended![1]
  • Adhere to a clean desk policy.
  • Use locked drawers
  • Have paper securely shredded

  5. Policy Awareness

Your organization must have clear and practical policies that stress the importance of data protection. One such policy should address the need always to use a secure network connection when working from home. Every worker should have easy access to a written security policy that explains the responsibilities of employees and clearly states what they are and are not allowed to do regarding data—and all workers should verify that they have read and understood the policy. Staff members using remote access should be reminded that all organisational policies apply, such as:

  • Data Protection
  • IT security
  • Clean desk
  • Access to data
  • Passwording of emails

Finally, a way to achieve data protection compliance for those working remotely is for the organisation to adequately and consistently express the importance of data security.

For those considering Remote Working, we are also offering a Residential Shredding service to reduce the risk of a Data Breach – contact 042 9749515 or email: info@m1shred.com

[1] https://www.itgovernance.eu/blog/en/gdpr-the-implications-of-working-from-home-or-on-the-road

[2] https://www.businessnewsdaily.com/9372-secure-home-office.html

[3] https://minutehack.com/guides/10-security-tips-for-remote-and-mobile-working

New Partnership deal to provide companies with a “One-Stop-Compliance-Shop”

PRESS RELEASE

A specialist Data Protection consultancy company and a local Human Resource (HR) management firm have teamed up to offer companies and organisations a unique service: a “One-Stop-Compliance-Shop”.  Data Protection Training & Auditing Services and Hands-On HR will help companies be compliant with current legislation in the areas of Data Protection and the GDPR, Human Resources, and Health & Safety.

“We are very excited with this partnership” said Eugene Grant, Principal Consultant of Hands-On HR.  “It’s clear that small to medium sized organisations are looking for an affordable compliance partner to ensure they are on the right side of any legislative or regulatory in terms of their client and staff data and legal obligations.  Through this partnership, we can now address their compliance needs with a value for money proposition”.

John Nealon, Managing Director of Data Protection Training & Auditing Services, stated that “the benefits of using our “One-Stop-Shop” Regulatory Compliance Service include access to a team of subject matter specialists, which ensures your company is up to date with Data Protection, HR and Health & Safety legislation.  This expertise ensures that business owners have peace of mind.

Our service will also deliver practical benefits to companies including gains in efficiency and quality; flexibility to scale; single point of contact; reduced burden on internal infrastructure and resources and effective cost reduction.”

At a recent function, the partnership was welcomed by Minister for Business, Enterprise, and Innovation, Heather Humphreys, TD.  The Minister wished the two companies every success into the future and detailed that “data protection and human resource compliance work hand in hand, and are hugely important for organisations.  I believe this partnership will deliver a quality service to their clients in the areas of Data Protection; HR and Health & Safety compliance.”

For further information contact John Nealon or Fionnualla McKenna on 042 9749515 or email info@dataprotectionservice.ie

Schedule of Training: June 2019 to December 2019

| Title of training | Date | Duration | Certificates / CPD | Cost (First/additional attendees) | Book Here |
|---|---|---|---|---|---|
| The business case and road map to implementing ISO 27001 | To Be confirmed | 4 hours | Certificate of attendance | To Be confirmed | Register your interest here |
| Preparing a Request for Tender of an IT/Cyber security project | To Be confirmed | 4 hours | Certificate of attendance | To Be confirmed | Register your interest here |
| Data Protection Training for Front line staff | 22nd April 2020 | 3.5 hours | CPD hours: Institute of Bankers; ILCU and LIA. Certificate of attendance | €120/€90 | Register your interest here |

  • Training takes place in our Castleblayney training centre unless otherwise stated.
  • Courses start at 9.30am unless otherwise stated.
  • (10% Early Bird discount on all bookings made two weeks before training session)
  • To book your place, simply email Info@dataprotectionservice.ie or phone 042 9749515
  • Early booking is advised as places are strictly limited. Bookings are only secured with full payment. Full payment must be made prior to course commencing. Courses run subject to demand.

TRAINING COURSES NOT TO BE MISSED!
If appropriate please pass on to Your Marketing Department

 

What our Customers are saying

“John is extremely knowledgeable and always willing to go that step further to ensure his information is accurate”

“As always, a good course organised and run by John, with good discussion points”

“Learned a lot and all questions answered well. My company has got excellent clarity on what we can/cannot do regarding direct marketing now. Thanks very much”

“GDPR in simplified terms”

“Very interesting course and I learned a lot”

TRAINING – Direct Marketing and GDPR – The Can Do’s and Cannot Do’s

John Nealon, Certified Data Protection Officer, will be holding another one of his very successful Training Courses on how the GDPR and e-Privacy Directive together impact on various Direct Marketing initiatives.

The session is focused, practical in its content and covers topics such as: 

  • The key aspects of the GDPR and E-Privacy regulation impacting on Direct Marketing
  • Implications of using Consent and Legitimate basis for direct marketing
  • Current fines being imposed by DPC on Direct Marketing infringements
  • Business to business marketing
  • The “Can Do’s” and “Cannot Do’s” for:
    • Email Direct Marketing
    • Postal direct marketing
    • Telesales
    • Faxes and SMS (texts)

Date: Thursday 20th June 2019
Time: 10am to 1pm
Location: Castleblayney
Cost: €290 for first attendee, €190 per person thereafter.
(10% Early Bird discount on all bookings made by 12th June)

To book your place, simply email Info@dataprotectionservice.ie or phone 042 9749515.

A TRAINING COURSE NOT TO BE MISSED!

If Appropriate please pass on to Your Marketing Department
Early booking is advised as places are strictly limited.  Bookings are only secured with full payment.  Full payment must be made prior to course commencing. Course runs subject to demand.

10 Insightful Q and A’s – Dash Cams, Business and Data Protection

Whether it is used to mitigate personal security concerns or as a means to establish liability in the event of an accident, the use of dashboard-mounted CCTV – Dash Cams – in business vehicles has increased over the past number of years. This article details some of the issues business managers need to consider if they have installed, or are thinking of installing, dash cams in their fleet.

Do the images of individuals recorded on our dash cams constitute personal data processing?
Yes. If your dash cam records people on the public road, licence plates or (in relation to inward facing systems) company employees this constitutes the processing of personal data.

I use dash cams in my company vans or lorries in case of an accident, what practical steps should I take to comply with the GDPR?

Personal data needs to be processed in a transparent manner. To ensure this, the following actions should be undertaken by the company:

a) Have clear signage both on and inside the vehicle, indicating that filming is taking place.
b) Have a policy detailing the purposes of the recording. Note here that if you only state that the purpose is for use in the event of an accident – it can only be used for this purpose!
c) The policy should also contain contact details, the basis of processing and how long you retain the data.
d) Leave hard copies in your vehicle so that your driver can give a copy out in the event of a query.
e) Consider issues such as security and who can access the footage.

My dash cam usually rewrites over previous footage every week – can I hold the footage longer if there was an incident like an accident?

Yes. While your normal retention period might be a week, in the event of an accident or other incident, the recording may be kept longer.

If the dash cam records an individual, can that individual request a copy of the footage?

Yes. You should be able to provide a copy of the footage containing the data subject within 30 days. You should also avoid sharing other people's data, e.g. other licence plates. It is your responsibility to ensure that the necessary redaction is completed on the footage before it is released.

Can An Garda Siochana view a Dash Cam recording?

Yes, An Garda Siochana can view any footage upon request. However, a copy of the footage should only be released following receipt of a written request as per Section 41 of the Data Protection Act 2018.

Can I pass a Dash Cam recording to an insurance company?

Yes, but you must be satisfied that the insurance company will restrict its use of the data to only what is necessary, keep it secure and hold it only for as long as required. You should request the company’s policy with regard to submitting recordings prior to sending the material.

My insurance company offers discounts if I install dash cams, are there any Data Protection implications?

According to the Data Protection Commissioner, “If you enter into an arrangement with your insurer that requires you to own or operate a Dash cam to avail of a discount, your insurer may be acting as a joint controller”. As a minimum, you should ask the insurance company for a copy of their policies in relation to personal data that you record and ensure that the policy sets out each other's respective responsibilities.

What are the key employee data protection implications for inward facing dashcams?

Many companies now have inward facing dash cams within company vehicles. There are a number of concerns in relation to this: a) what is the purpose of the recording; b) have these purposes of processing been put in a written policy document; c) have employees clearly been informed of the existence of the dash cams and the purposes of processing; d) is such processing dealt with by way of the employee contract?

What is the situation regarding video and Audio inward facing dashcams within taxis etc?

Audio and video recording dashcams are usually deployed in buses and taxis for security and other reasons. In addition to the previous answer, such recordings may also capture images of passengers etc. In this situation, passengers need to be informed in a clear and transparent manner.

But I only have a dash cam for my own personal use, are there any data protection implications?

If your dash cam is inward facing and is in your own car, the domestic use exemptions may apply. However, as a general rule of thumb if your dash cam is outward facing and you are recording the street outside, this is NOT domestic use.

You should ensure that private Dash Cams are NEVER used within company vehicles.