• Contact Us

Guidance on Working From Home - How to Stay Compliant

on Friday, 27 March 2020.

With a significant proportion of the population working from home for the foreseeable future, organisations are having to adapt to new ways of accessing systems and communicating.

For higher education institutions, this is likely to have involved adapting to completely new ways of working and, amidst all the learning and teaching and student welfare concerns, security should also be one of your priorities.

Hasn't the Information Commissioner's Office (ICO) Said That it's Taking a Relaxed Approach to Compliance?

Not in relation to security - no. The ICO has said that it is unlikely to take enforcement action if the impact of coronavirus (COVID-19) means that you are slightly late on a subject access request deadline, but this does not mean that the same approach will be taken if there is a data breach.

Whilst the ICO is generally a fairly pragmatic regulator, and clearly understands that this is a difficult and highly unusual situation, basic attention to security and the protection of personal data will still be expected. Falling short of this because you have not considered the implications is unlikely to serve you well if there is a breach.

There are three key areas to ensuring compliance:

  • system security
  • staff awareness
  • record keeping

System Security

By now, you will likely have the systems in place to allow work from home where this is practicable. Security will have been one of the initial considerations when selecting and testing systems to allow for this, but it is an ongoing requirement.

Phishing and other attempts to gain access to your systems are likely to increase, so you should continue robust testing to ensure that the methods you have adopted continue to be safe. Weaknesses need to be identified and action taken (where possible) to strengthen your defences.

Some of these measures will be relatively simple, such as ensuring software is up to date and installing patches, but these should not be overlooked. You should be alive to the possibility of increased attacks whilst systems are potentially at their most vulnerable, because everyone is trialling new systems - do what you can to protect your institution.

Coronavirus Legal Advice

Staff Awareness

Your staff, and your students, are adapting to a new way of working. This might involve using new and unfamiliar technology. Everyone working in this way needs to understand the ground rules for doing so and what they need to do to keep information safe.

Ask yourself the following questions:

  • Do we have an information security policy?
  • Are staff aware of this policy?
  • Do we need to make changes to our policy in light of the new way of working?
  • Have we communicated these changes to staff?

It is likely that your current policy will need amending, and possibly extending, in the current circumstances. However, the key element in all of this is ensuring that staff understand the limits of what they can and cannot do. Some messages will be the same, but may need reinforcing, e.g. not using public Wi-Fi and only accessing the information needed to carry out the work that is expected. Sending personal data to a home (unsecured) email address is also likely to remain a "don't", but again this may need reinforcing.

Other messages are likely to be new in light of the current isolation situation, such as how to work effectively in a shared living space, what to do with confidential paperwork that is no longer needed, use of WhatsApp for keeping in touch and how to print via a Citrix system. Whilst some of this may seem like common sense, in times of high anxiety, clear and simple instructions will ensure that everyone knows what is expected and this will help to protect the vital personal information that you are dealing with.

Record Keeping

No systems are perfect, and no human beings are perfect, so mistakes are inevitable. One of the key requirements of GDPR is that you can demonstrate your compliance, so recording your decisions and the reasons for them is vital if the worst does happen. Have a record of testing that has taken place, of weaknesses identified and actions taken. Have a record of discussions around your policy, a record of the changes and evidence that all staff have received these. If you have this, should the worst happen, you can at least show the ICO that you have done all that you can reasonably do to protect your data.

Stay Compliant

Across the world, individuals are showing considerable resilience and resourcefulness in keeping key industries going. In the midst of such a crisis, it is easy to lose sight of security and compliance in favour of innovation and "getting the job done", but a data breach could significantly impact your institution and make an already difficult situation far more complicated than it needs to be.

Take some time to review what you have in place and how you might be able to improve your current policies and procedures, and don't forget to document your discussions and decisions.

The above reflects guidance as at 27 March 2020. We will continue to update this as the situation develops.

In order to assist clients, we have developed a 'COVID-19 Homeworking Policy' which covers the main areas of risk for staff working from home in the current environment.

If you are interested in finding out more, please contact Vicki Bowles in our Data Protection team on 0117 314 5672, or complete the form below.

Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input