Practical, Technical and Legal hints and tips for best practice
Morgan O'Neill, Director of Data Protection Services, and Phil Telfer of ClearSky Logic have joined forces to give a number of hints, tips and best practices on keeping safe and secure while working from home.
Remote Home working, ‘the new norm’.
Remote Working has become the new normal for many of us in recent months and for most, it’s set to continue. For those who would otherwise have gone into an office environment - or a shared location, sitting behind a laptop or PC and logged onto a shared network - this is no longer the case. Those working from home rely on their home internet connection, remote login access to services, and communicate with their colleagues and clients through a range of applications.
Issues around safety and security of remote.
Working outside the office environment can present challenges when it comes to managing and protecting the data we process during our working day. In relation to personal data, the requirement to comply with data protection law has not changed since the COVID-19 pandemic struck. If anything, individuals carry a greater responsibility to protect the personal data they process when working in their home surroundings.
Good data security management and compliance with data protection laws are underpinned by tight technical and organisational security measures and procedures, which help to mitigate the risk of loss, theft and unauthorised disclosure of your company data.
We recommend that businesses focus on how data is transmitted and how data is stored.
Transmission of Data
When transmitting data, whether sending it via email, moving it onto an FTP server or sending it in a message, the relative risks should be understood and appropriate steps put in place to reduce the likelihood of anything going wrong.
Practical ways to mitigate the risks in relation to sharing data are:
- Encrypt documents containing personal data before transmission via email or FTP.
- Double check the recipients before transmitting data. One of the main causes of data breaches is when data is sent to the wrong person.
- Avoid transmitting data using personal accounts, or through unofficial channels like instant chat, even if it may be more convenient to do so.
Video calling?
Video calls are the new alternative to the traditional face-to-face meeting. For most organisations, VC has been key to continuing business operations during lockdown, but it’s important to ensure that this tech is used in a secure way to protect your business data.
Often during video calls an individual will be screen-sharing to illustrate a point, present information, or give a demonstration. If you have only a single screen and other applications such as email, Slack or messenger apps are running, you may accidentally share sensitive information that pops up in notifications from these applications.
Accidental sharing of confidential information
There are many issues that could arise from screen-sharing, such as leaking confidential information about the company or an individual, or issues surrounding legal/HR matters, depending on your seniority within the company. Where personal data relating to an individual is erroneously shared, this can lead to a complaint being made to the Information Commissioner about the way your organisation handles its personal data.
Where possible, use two screens
We recommend having two screens, sharing one of them on your video calls and keeping all your notification apps on the other.
We understand this is not always possible. Where you only have access to one screen, we recommend having only relevant information open during a video call and turning off ALL notifications on applications to minimise the risk of transmitting sensitive data.
Storage of Data
Under data protection law, organisations must ensure personal data is securely stored and deleted after it has served its purpose. These principles are generally the same for non-personal company data. Whether processing your own company data or a customer’s business data, you must have effective security and delete-and-destroy procedures. Individuals who share their personal data with your business expect secure storage to be your default. If your methods of storing personal data contain gaps, your business is more vulnerable to a data breach due to a malicious attack on your systems. Where the fault lies with your organisation, the ICO is unlikely to be sympathetic when determining whether enforcement action should be taken. You are also likely to suffer reputational damage and loss of customer confidence.
Practical steps to take to reduce risk include:
- Consider the location of your work devices and any physical copies of personal data to safeguard against unauthorised access.
- Store data in approved secure locations. Do not be tempted to move data around or save copies of data in other locations which may be less secure.
Be safe and secure: Always Lock your devices
A simple security feature on any PC/laptop is the ability to lock it; many devices will auto-lock after remaining inactive for several minutes. As a matter of course, individuals should lock their laptops/PCs as soon as they leave their desks, or kitchen tables.
Access to many new online systems and the rise of weak Passwords
Another feature of working from home is the boom in usage of online systems, such as Zoom. Using multiple online systems may tempt you to use simple, similar passwords across these systems, and this is something we highly discourage. Similarly, making each password difficult to hack is as important as keeping these passwords safely stored.
Non-secure passwords
Noting down passwords exposes this information to anyone with access to your workspace. When you don’t safeguard your credentials, you make yourself vulnerable to others who can access them and use them for their own personal gain.
Introduce a Password Manager/BitLocker
With the increase in the number of systems requiring access, we recommend the use of a Password Manager. If you use a Password Manager, you will no longer have weak passwords or need to re-use old passwords. You only need to create and remember a single, strong pass-phrase, which gives you access to all your other passwords. If used correctly, all your passwords will be strong and unique. Furthermore, we recommend you always password protect files individually when they are saved on your computer. There is also a feature on Windows laptops called BitLocker, which encrypts the entire hard disc; when you log in, you provide a password which decrypts the drive. If you have Windows 10 Pro you can encrypt entire folders, so you can save your sensitive data in this way.
If you have any questions on home working, technical capabilities, security, and data protection issues, please do not hesitate to contact either Morgan O’Neill, moneill@thorntons-law.co.uk or Phil Telfer, phil.telfer@clearskylogic.com for a further conversation.