When you are up against deadlines, it is easy to forget all the lovely security you set up in the office. GDPR can go right out the window along with your confidential paperwork when your team walk out the door!
GDPR applies to all your team when working from home.
If you’re the boss (or the client paying sub-contractors or freelancers), it is your job to make sure the paperwork is properly handled. We get so focused on computing and IT security that we tend to forget how vulnerable paperwork can be. Before you let the only copy of sensitive, special category personal data leave the office tonight, let’s take a moment.
Let’s look at some of the questions people often ask.
Can staff take paper records home?
Despite all our focus on cyber-crime, losing paper records can be a data privacy issue. A lot depends on the type of records that are being taken home.
Typically this might include:
Invoices
Sales or purchase invoices being taken home for processing – these are often from traders using their own names and addresses (which can plainly identify living individuals) or customers purchasing from a home address.
CVs and interview records
These could be candidate files for assessment for interview or appointment. Unless they simply contain internal ID numbers they will contain a lot of personal information.
Appraisal reports
Staff appraisal reports are often written at home.
Financial records
End of year tax returns and other financial records.
Advice and litigation files
If you are working on a litigation or advice file the documents will usually name living individuals and often give their name and address.
Data privacy impact assessment
You need to make a data privacy impact assessment. You will need to assess whether the paperwork includes special category data on living individuals (health, political views, sexual orientation etc.).
You will also need to assess what the risk to data privacy is if a file is lost or mislaid.
Having made this assessment you may wish to consider:
• Whether only parts of the file could be taken home to reduce the risk.
• Whether there are other ways of working that would reduce or remove the risk of data loss in transit or at home.
• Whether staff are properly trained on how to transport and use personal data when removing it from the office.
It would be most unwise to carry the only paper copy of anything around, since if the briefcase is lost there is no way to replace the material. The loss of paperwork is still a GDPR breach with all the attendant need to report and notify.
If it has already been scanned, would it be more secure to access the information electronically, as long as the home Wi-Fi is secure?
Security rules for home working
You will need to set some rules about:
- Who has permission to take paperwork home
- What records are kept of what goes (and returns)
- Whether only copies may be removed or whether originals can be removed
- How the paperwork should be transported, for example
  – in a locked briefcase
  – not left in open view in a car
- How home working should be set up
  – Physical space where family members and visitors cannot see the paperwork
  – Locked away securely when not in use
- How to report a lost file
Who needs to know work is being done at home?
The supervisor/boss needs to know in order to make the assessments and to ensure the work is being done in accordance with data security and home working policies.
It is not a good plan to have staff randomly take home files and personal data without any form of sign-off or records.
Data Privacy policies (made available to data subjects including clients) don’t normally specify the exact work location of each employee (which would also give rise to data privacy problems!).
Contracts of employment should have proper data privacy clauses and refer to appropriate security, homeworking and data transport rules.
And don’t forget to make sure all your team know what to do if they lose a file (Data breach reporting) and the GDPR deadlines associated with that.
Your associates and contractors should be properly contracted for data security too. If you are using an external VA or bookkeeper, you will want to know they are not leaving random printouts around!
For more information on contracts and support for hiring your team, check out our team hiring page.