For higher education institutions, this is likely to have involved adapting to completely new ways of working. Amidst all the learning, teaching and student welfare concerns, security should also be one of your priorities.
Not in relation to security - no. The ICO has said that it is unlikely to take enforcement action if the impact of coronavirus (COVID-19) means that you are slightly late on a subject access request deadline, but this does not mean that the same approach will be taken if there is a data breach.
Whilst the ICO is generally a fairly pragmatic regulator, and clearly understands that this is a difficult and highly unusual situation, basic attention to security and the protection of personal data will still be expected. Falling short of this because you have not considered the implications is unlikely to serve you well if there is a breach.
There are three key areas to ensuring compliance:
By now, you will likely have the systems in place to allow work from home where this is practicable. Security will have been one of the initial considerations when selecting and testing systems to allow for this, but it is an ongoing requirement.
Phishing and other attempts to gain access to your systems are likely to increase, so you should continue robust testing to ensure that the methods you have adopted continue to be safe. Weaknesses need to be identified and action taken (where possible) to strengthen your defences.
Some of these measures will be relatively simple, such as ensuring software is up to date and installing patches, but these should not be overlooked. You should be alive to the possibility of increased attacks whilst systems are potentially at their most vulnerable, because everyone is trialling new systems. Do what you can to protect your institution.
Your staff, and your students, are adapting to a new way of working. This might involve using new and unfamiliar technology. Everyone working in this way needs to understand the ground rules for doing so and what they need to do to keep information safe.
Ask yourself the following questions:
It is likely that your current policy will need amending, and possibly extending, in the current circumstances. However, the key element in all of this is ensuring that staff understand the limits of what they can and cannot do. Some messages will be the same, but may need reinforcing, e.g. not using public Wi-Fi and only accessing the information needed to carry out the work that is expected. Sending personal data to a home (unsecured) email address is also likely to remain a "don't", but again this may need reinforcing.
Other messages are likely to be new in light of the current isolation situation, such as how to work effectively in a shared living space, what to do with confidential paperwork that is no longer needed, use of WhatsApp for keeping in touch and how to print via a Citrix system. Whilst some of this may seem like common sense, in times of high anxiety, clear and simple instructions will ensure that everyone knows what is expected and this will help to protect the vital personal information that you are dealing with.
No systems are perfect, and no human beings are perfect, so mistakes are inevitable. One of the key requirements of GDPR is that you can demonstrate your compliance, so recording your decisions and the reasons for them is vital if the worst does happen. Have a record of testing that has taken place, of weaknesses identified and actions taken. Have a record of discussions around your policy, a record of the changes and evidence that all staff have received these. If you have this, should the worst happen, you can at least show the ICO that you have done all that you can reasonably do to protect your data.
Across the world, individuals are showing considerable resilience and resourcefulness in keeping key industries going. In the midst of such a crisis, it is easy to lose sight of security and compliance in favour of innovation and "getting the job done", but a data breach could significantly impact your institution and make an already difficult situation far more complicated than it needs to be.
Take some time to review what you have in place and how you might be able to improve your current policies and procedures, and don't forget to document your discussions and decisions.
The above reflects guidance as at 27 March 2020. We will continue to update this as the situation develops.