Ask the experts: Data protection while working from home

Iain Bourne, head of personal information and privacy at Grant Thornton UK, shares some insight on how to protect data while working from home
by Bethan Rees


All employees should be aware of the rules and regulations surrounding data protection, and know how to protect themselves against any potential breaches. Iain Bourne highlights some possible data protection issues that might happen outside of the office environment, and what employees and employers can do to stop such breaches.

Complete our GDPR Professional Refresher to earn 1.5 hours CPD

What are the main threats to data protection while working from home?

Cyber security, such as the security of a domestic WiFi system versus one in a regulated environment, is one of the main threats. However, there are also more human risks arising from a relatively unsupervised environment. For example, the ability to meddle with equipment, to leave confidential papers on your desk or to photograph and pass on sensitive onscreen material.

This can all happen in the office too, but it is likely to be easier to detect and counteract in a more supervised work environment. The overall duty under data protection law to implement appropriate security falls to the 'controller', i.e. to the organisation whose employees are home working, rather than to the individual employees themselves. That is why it is so important for employers to do all they can to ensure that employees are aware of the rules relating to home working, and that appropriate supervision takes place, as far as is possible, given the constraints home working inevitably brings.

There are also additional risks, mainly reputational ones, around taking calls and carrying out videoconferencing in a home environment. Not all employees will have a separate, secure home office and work will be carried out in kitchens, bedrooms and elsewhere. While employers cannot dictate what home environments should look like, some sensitive advice and regular reminders about maintaining professional standards might be helpful.

What can employees do to protect themselves from the above risks?

Employees should maintain professional standards of behaviour, including confidentiality rules and information security, as far as they can. If they are in doubt as to whether something they are doing presents a data protection risk, then they should seek advice from their line management, data protection or cyber security expert.

Top tips for protecting data at home
- Issue a clear do and don't checklist to employees working from home.
- Make sure your current policies and procedures are up to scratch and have been actively communicated to staff.
- Reinforce your advice around recognising and escalating a data breach.
- Remember that employee monitoring or surveillance programmes can be more intrusive in a home environment.

Employers should also clearly signpost where their people should go for advice or support if they need it. Some basic housekeeping rules can help employees to minimise data protection risks. These include keeping all work-related papers in a separate area of the home and making sure that devices used for home working are shut down and stored securely at the end of the working day.

What are the main rules and regulations that impact data protection?

In the UK it is the General Data Protection Regulation (GDPR) and associated UK legislation. However, there is also guidance from the Information Commissioner's Office (ICO) and other regulators that employers should be aware of. Data protection law can be a grey area, and its practical requirements can be quite unclear, so it is important to keep up to date with the guidance regulators are issuing.

Every firm should aim to ensure that their employees are aware of the rules around cyber security and data protection and that they comply with them, whether they are working from home or in the office. It is not enough to have a 'rulebook' sitting on the shelf.

The ICO expects active communication and regular reminders to staff. Most financial services firms will carry out monitoring and surveillance of employees to some extent, for example as part of a data loss prevention programme or as the result of a regulatory duty to record certain phone calls. These activities are subject to data protection law as they will involve the collection of information about employees. This means the process has to be as transparent as it is practicable – employees should be made aware, in broad terms at least, of how information about them is being collected as part of a monitoring or surveillance programme and what this will be used for. Employers should also be prepared to deal with queries and complaints about this.

What can companies do to help protect their employees?

From a data protection perspective, companies should be using the current boost in home working as an opportunity to make sure that they have clear policies and procedures in place (security, acceptable behaviour and so forth) and that these have been communicated effectively to their people.

It is a good idea to keep a record of this and to ask employees to indicate that they have read the material that has been sent to them. If there is then a data breach when someone is working from home, this activity will show the ICO that the employer has taken reasonable measures to minimise the risk. That would be a mitigating factor for the ICO if it were investigating and considering enforcement action.

Are data breaches harder to detect while working from home? What should employees do if they think they have been part of a data breach?

About the expert
Iain Bourne has extensive experience in practical application of data protection law. As head of personal information and privacy at Grant Thornton UK LLP, he manages the development and delivery of privacy-related services and is the firm’s subject matter expert.

He worked for more than 20 years at the ICO, taking on a variety of guidance and policy roles and generally helping organisations to comply with the law. Prior to this, he was the office lead on the European Commission's proposal for the General Data Protection Regulation.

Watch Iain speaking on CISI TV about information security in August 2019. 
It is more likely that breaches that occur in a home environment will go undetected or unreported. That is why employers need to educate employees around how to recognise a data breach and how to react if they become aware of one.

Technological solutions and strong IT systems can help reduce the time between a potential data breach occurring and the ability for the business to react and contain the impact. This is an ideal time for businesses to consider strengthening their data governance and cyber infrastructure, to minimise the impact of these increasingly inevitable attacks.

There should be a clear point of contact in the case of a breach, followed by an assessment of its severity and whether it is 'notifiable'. Remember with a GDPR breach, the ICO has to be notified within 72 hours, so timescales are tight and a failure to notify can result in a large fine.

How do privacy and data protection work together and against each other while at home?

Data protection law comprises principles that govern the personal information lifecycle, from initial collection (which must be transparent), through to its use (which must be reasonable) and to its final erasure.

However, it also gives employees and other individuals a set of information rights – the main one being the right for someone to access their personal information. This means that employers must make sure that suitable information governance is in place, while also respecting their employees’ privacy rights.

Employers should make sure that any surveillance or monitoring that is carried out is proportionate and is as transparent as it is practical. Privacy intrusion can be a problem in 'bring your own device' environments, where employees are using their own equipment to carry out their work. There is a danger here of monitoring or surveillance intruding into employees’ private use of their own equipment. This would certainly be a data protection and a privacy problem, and one the regulator would take seriously.

Will the enforced working from home during the Covid-19 outbreak provide employees with any useful data protection lessons that they will be able to take back into the office with them (providing they return)?

There is a chance that home working will become much more common, so the thought that employers are giving to data protection compliance during this period may stand them in good stead for the future. The increase in home working during the pandemic will likely highlight to employees that there are additional risks when working from home and a greater need for good 'information hygiene' – locking computers, shredding print-outs, keeping information secure and so forth.

For more information on data protection, visit the ICO website.

Seen a blog, news story or discussion online that you think might interest CISI members? Email
Published: 05 Jun 2020
  • Risk
  • Operations
  • Fintech
  • The Review
  • working from home
  • professional refresher
  • GDPR
  • data protection
  • cyber
  • Covid-19

No Comments

Sign in to leave a comment

Leave a comment