Some Data Protection Considerations for Remote Working regarding Covid-19

13th March 2020

Introduction

Luke Irwin[1] wrote an interesting article in 2017, with the central point being “whenever an organisation creates a new way of accessing its data, it puts that data at greater risk. Remote working intensifies that risk as it can be hard for the employee and the organisation to know when the data is breached, and it will be even harder to identify how it happened.” So, in a nutshell, remote access increases the risk of data loss.

To mitigate this risk, we would advise clients to ensure the following matters are in place prior to rolling out remote access. Please note that this advice covers the use of laptops and desktops in the home and does not give any guidance on the use of mobile smartphones and tablets. The advice below is not exhaustive. And as always when it comes to IT, talk to an IT expert.

Areas for consideration

  1. Device and Network Security

Laptops and desktops should:

  • Be provided by your chosen IT provider
  • Have hard drive encryption in place and active
  • Require a strong password as part of the login details
  • Require that employees use a non-stored password to connect during each session, especially for VPN access
  • Have up-to-date software, anti-virus and anti-malware protection installed
  • Not be used by family members. Under no circumstance should laptops or desktops used for remote working be used by the wider household – no matter how many times the kids ask!!

Always use a secure network connection and a secure VPN when working from home – your IT service provider should be able to advise.

Never use public Wi-Fi or an unsecured network.

  2. Email and software

Areas that may be considered in relation to email and software include:

  • Logging on and using email should be arranged by your service provider. Two factor authentication needs to be in place. Previous guidelines regarding passwording attachments and deleting old emails should be adhered to.
  • Enforce reasonable session time-outs for sensitive programs or applications.
  • Limit program/file access to only the areas absolutely needed by that employee.
  • Reserve the right to terminate employee access at any moment.
  • Provide the software and storage services for remote file storage and other tasks; don’t rely on individuals to use their personal programs and accounts. [2]

  3. Information Management

Some considerations under this heading include:

  • Clear guidelines around what information should never leave a secure environment, i.e. printing off financial information
  • Get your service provider to establish access permissions that support these guidelines.
  • Save material to where the organisation advises, i.e. OneDrive, a secure Dropbox, etc.
  • DO NOT USE USBs
  • Have clear backup procedures for material saved locally. (I am assuming that adequate backup and restore is sorted for the organisation's data/systems.)

  4. Clean desk policy

When working from home, staff will have information that pertains to your organisation around people who are not company employees. There are obvious challenges to this with regard to remote workers, but ensuring that information is kept secure is of high importance. Some simple (low tech) measures may include:

  • Try to have a space or office away from the kitchen table
  • Do not work on or access your organisation's data while there is someone else in the room – remember the confidentiality of the Personal Data
  • No written material should be left unattended – even for a cup of tea!
  • Log out if you are leaving the laptop or desktop unattended – seemingly cats have a habit of jumping on computer keyboards and might press a few keys when a laptop is unattended![1]
  • Adhere to a clean desk policy.
  • Use locked drawers
  • Have paper securely shredded

  5. Policy Awareness

Your organization must have clear and practical policies that stress the importance of data protection. One such policy should address the need always to use a secure network connection when working from home. Every worker should have easy access to a written security policy that explains the responsibilities of employees and clearly states what they are and are not allowed to do regarding data—and all workers should verify that they have read and understood the policy. Staff members using remote access should be reminded that all organisational policies apply, such as:

  • Data Protection
  • IT security
  • Clean desk
  • Access to data
  • Passwording of emails

Finally, a way to achieve data protection compliance for those working remotely is for the organisation to adequately and consistently express the importance of data security.

For those considering Remote Working, we are also offering Residential Shredding to reduce the risk of a Data Breach – Contact 042 9749515 or email: info@m1shred.com

[1] https://www.itgovernance.eu/blog/en/gdpr-the-implications-of-working-from-home-or-on-the-road

[2] https://www.businessnewsdaily.com/9372-secure-home-office.html

[3] https://minutehack.com/guides/10-security-tips-for-remote-and-mobile-working