If you have an employee who is going to be working from home, or would like to do so, something you must give careful consideration to is data security.
When someone is working in the office, they are in a contained environment and are working to normal office protocols with regard to the data they handle. At home, this is a different matter – they are not under your direct control in the same way and are not within the company’s normal central IT framework or under office security arrangements.
Before someone starts working from home, you need to conduct a risk assessment from a data security point of view. What kind of data will they be handling/accessing? How will they access it and how will it be transferred/communicated? Will the normal data security protocols used be possible for the homeworker? If not, is there an adjustment that would be acceptable?
Here are some restrictions or guidelines you may want to consider:
Requiring them to only use the company’s equipment means you can control the type of devices being used, software used, security measures in place and access arrangements. Allowing them to process data owned by the company on their home computer is risky and insecure, and unlikely to be satisfactory, especially if they share the computer with other family members.
Make sure they know that any company devices they have been given to do their work are suitably protected in terms of access, with logons and passwords that are adequately secure and changed regularly, and make clear that no unauthorised person should be allowed to use the device.
Ensure devices used by remote workers are included in any software or anti-virus updates applied across the company, and that your employee knows how to make sure these happen.
Printing out confidential information adds an extra security risk – there is potential for data to be left lying around and seen by unauthorised people, or lost as it gets ‘caught up’ with personal papers, and there is also a risk when it comes to disposal, unless your employee has a shredder or can access confidential waste disposal facilities.
Perhaps the easiest solution is to tell your employee they should not print anything confidential at home.
If your employee is going to have papers or anything confidential, make sure they have the ability to lock it away from family members or others they live with: a lockable cabinet, or the ability to lock a home office completely.
Data Protection Policy
Assuming you have a Data Protection Policy (and if not, you probably should), make sure your employee knows it applies to them when working at home, and that they understand exactly how to follow it outside the office environment. Check through the policy to see whether any of it doesn’t seem to apply, and get the wording adjusted if necessary, or different guidelines drafted to ensure equal protection for data processed outside the office.
Privacy for calls
If your homeworker lives with family or friends, there is of course a possibility that they may be working while others are around. If telephone or video calls are likely to be part of the employee’s role, make sure they can conduct these in private and aren’t going to be having confidential client discussions at the kitchen table while their partner is making the dinner and their children are floating about.
Make sure your employee knows that if there is a data breach, or if they think there might have been a data breach, they must report it to the appropriate person immediately. Not all breaches are reportable to the Information Commissioner’s Office, but for those that are, there is only a short window of 72 hours in which to report the breach. In addition, the sooner you know about a potential breach, the sooner you can deal with it and minimise the impact.
If you need further advice on data security for your homeworkers, do get in touch.