We all know we have to sort out GDPR and data security for people who are homeworking, but what about the staff who do so occasionally or just one day a week?
If your team work from home occasionally, whether to meet deadlines or to write reports, all that lovely security you set up in the office can go right out the window when they walk out the door!
Let’s look at some of the questions people often ask.
Can staff take paper records home?
Despite all our focus on cybercrime, losing paper records can be a data privacy issue. A lot depends on the type of records that are being taken home.
You need to make a data privacy impact assessment.
Typically the records being taken home might include:
- Invoices – Sales or purchase invoices being taken home for processing are often from traders using their own names and addresses (which can plainly identify living individuals) or customers purchasing from a home address.
- CVs and interview records – These could be candidate files for assessment for interview or appointment. Unless they simply contain internal ID numbers they will contain a lot of personal information.
- Appraisal reports – Staff appraisal reports are often written at home.
- Financial records – End of year tax returns and other financial records.
- Advice and litigation files – If you are working on a litigation or advice file the documents will usually name living individuals and often give their name and address.
Make and record an assessment
You will need to assess whether the paperwork includes special category data on living individuals (health, political views, sexual orientation etc).
You will also need to assess what the risk to data privacy is if a file is lost or mislaid.
Having made this assessment you may wish to consider:
- Whether only parts of the file could be taken home to reduce the risk
- Whether there are other ways of working that would reduce or remove the risk of data loss in transit or at home
- Whether staff are properly trained on how to transport and use personal data when removing it from the office
If you are a member of our GDPR support groups you will find a form to help you do this in your GDPR modules.
Lost paperwork can be a GDPR breach too
It would be most unwise to carry around the only paper copy of anything, since if the briefcase is lost there is no way to replace the material.
The loss of paperwork is still a GDPR breach with all the attendant need to report and notify.
If it has already been scanned, would it be more secure to access the information electronically, as long as the home Wi-Fi is secure?
Set simple rules
You will need to set some rules about:
- Who has permission to take paperwork home
- What records are kept of what goes (and returns)
- Whether only copies may be removed or whether originals can be removed
- How the paperwork should be transported, for example:
  - in a locked briefcase
  - not left in open view in a car
- How home working should be set up:
  - Physical space where family members and visitors cannot see the paperwork
  - Locked away securely when not in use
If it has already been scanned it would be more secure to access the information electronically, as long as the home Wi-Fi is secure.
Who needs to know if the work is being done at home?
The supervisor/boss needs to know in order to make the assessments and to ensure the work is being done in accordance with data security and home working policies.
Data Privacy policies (made available to data subjects including clients) don’t normally specify the exact work location of each employee (which would also give rise to data privacy problems!).
Contracts of employment should have proper data privacy clauses and refer to the appropriate security, homeworking and data transport rules.
Your associates and contractors should be properly contracted for data security too. If you are using an external VA or Bookkeeper you will want to know they are not leaving random printouts around!
Find out more about our GDPR-ready Team Hiring agreements.