The internet and the proliferation of portable digital devices, such as laptops, tablets and smartphones, enable many people to work remotely, i.e. away from their office. This practice is now commonplace and has benefits for both employers and employees.
Many people think ‘remote working’ means using a desktop at home, but it means much more than that and includes, for example, using a laptop on a train or in a café and using a smartphone in the street or on the Tube.
Unfortunately, remote working carries hidden risks for employers of breaching the Data Protection Act 1998 (‘the DPA’). Such breaches can and sometimes do result in employers incurring substantial fines and/or loss of reputation, in employees being disciplined and/or losing their positions, and in the people whose personal information has been compromised being distressed and/or harmed.
There have been a few cases over the last few years that illustrate the risks involved.
In one case an employee working at home downloaded onto his work laptop information about 24,000 clients, including their names, dates of birth, postcodes, employment status, ethnicity and income levels. His home was burgled and the laptop stolen. This resulted in the employer being fined £60,000 by the ICO.
In another case an employee working at home accidentally uploaded documents relating to her work that contained sensitive personal data. She was using her own PC, which she had bought second hand. She was unaware that it had a program installed on it (by the previous owner) that she unknowingly activated and which auto-uploaded the entire contents of her ‘My Documents’ folder. Once the information had been uploaded it became accessible to any internet user who entered specific search terms, such as the names of those attending a meeting, into a search engine.
Some time later another employee entered his own name and job title into a search engine and, on scrolling down the search results, noticed a meeting of his employer listed. He clicked on the link and was able to see the minutes of a meeting that identified those attending, the individual who was the subject of that meeting, and the names, addresses and dates of birth of other individuals. This resulted in the employer being fined £100,000.
In both of these cases there was a breach of the DPA arising from people carrying out their duties, in the course of their employment, while working from home. In the second case the Information Commissioner’s Office (‘ICO’) found the employer’s data protection policy to be “impractical and ambiguous” and said that it relied on employees complying with the policy but “without providing the technical infrastructure to make this achievable”. The ICO also found that the employer had failed to monitor how personal information was being used and had no guidance to help home workers look after such information.
In both cases the employer was responsible to the ICO for the security of the data on the device, and in both cases the ICO acted on the basis that access to the data could have caused substantial distress and substantial damage (not that actual distress or damage had occurred).
As if having to pay a substantial fine were not enough, another risk to be taken into consideration is the administrative burden that is likely to follow. In one of these cases all affected data subjects were informed of the data loss, and 3,200 people contacted the employer for further information about how it had happened. This shows that any business found to have breached the DPA may not only face the prospect of some form of enforcement action from the ICO, but is also likely to be inundated with requests for further information from those whose privacy has been invaded.
Yet another risk to be taken into consideration is the likely impact on the reputation of the business.
All those who work remotely must understand the importance of protecting personal data, be familiar with their employer’s data protection policies and put those policies into practice. To ensure this happens, organisations should provide appropriate initial and refresher training for all staff, covering both the organisation’s responsibilities and obligations under the DPA and the responsibilities of individual staff members for protecting personal data.
Robert Wassall
Director, Azon Consulting