Aisleen Pugh tells HRNews about the data compliance risks when staff print documents at home

  • Transcript

    How prepared is your business for adopting a hybrid working model? If you’re planning for that, what are the legal risks of allowing staff to work from home?

    To help with that, last week the CIPD published new guidance ‘Planning for Hybrid Working’ to help organisations prepare for a longer term move to this model which a majority of employers are now considering according to the latest data. Surveys by YouGov and the CIPD show 40% of employers now expect more than half their workforce to work regularly from home after the pandemic has ended.

    The guidance is useful to a point. It covers a lot of issues such as checking contracts of employment, putting hybrid working policies in place, protecting the wellbeing of homeworkers, running training programmes for managers, and making sure staff have the IT support they need when working from home. It also has a section on the legal implications of hybrid working but, surprisingly, it deals only with issues to do with employees’ contracts of employment – so, whether terms need changing to allow for hybrid working. An obvious omission, in our view, is data protection compliance when staff are homeworking in view of the GDPR. There are just two brief references to data protection in the guidance. At one point they suggest ‘reviewing other related policies including, for example, expenses, IT usage, homeworking and data protection’. Later on they say: ‘organisations may wish to consider putting in place appropriate security measures to ensure system and data integrity’. We agree, both points are good ones, but both require an appreciation of what the risk is, yet they don’t explain that. So, what is the data protection risk when you have staff working from home? The obvious one, in our view, is staff printing off documents at home using their own printers.

    This is a problem. Earlier this year InfoSecurity Magazine published data from a survey showing that 66% of home workers have printed work-related documents since they began working from home, averaging five documents every week. A quarter have not yet disposed of printed documents. When questioned about that they said they planned to take them back to the office. A further 24% use a home shredding machine but then admit to disposing of the documents in their own waste bin. 12% admit they have absolutely no knowledge of the GDPR regulation.

    So, clearly this is a serious issue and one that we think is being overlooked. Aisleen Pugh is a data specialist who joined me by video-link to discuss it. I started by asking Aisleen why the act of printing is a problem:

    Aisleen Pugh: "Printing off documents and storing them at an employee's home outside of their office working place remains a processing activity for the purposes of the General Data Protection Regulation and the UK's data protection law requirements. That means that in printing off those documents employers and their employees are expected to continue to adhere to the data protection principles that are set out in the data protection legislation, principally that any document containing personal data or confidential information needs to be securely stored. Now, in the office, procedures for secure storage and destruction of documents are pretty well understood and easy to adhere to. So for example, maybe employers have industrial shredding machines and confidential waste bins. Those things are not going to be as accessible or available to people in their own homes and so employees are going to need to be thinking about how, in the absence of working from the office, they are securely storing confidential information that contains people's personal data and potentially also sensitive personal data."

    Joe Glavina: "I can well imagine that a lot of employees printing off material at home will feel they have no choice because they can't get into the office." 

    Aisleen Pugh: "So some employers are actually implementing no print policies, so it's an absolute ban on printing from home, and that is basically to ensure that they are complying with their data protection compliance standards. That is not going to be possible for many employees, particularly those, perhaps, in the HR profession who are, on a daily basis, printing and dealing with a huge volume of documents that contain pieces of people's personal data. So for those people it is going to be particularly important that employers are making sure that they have in place clearly drafted policies relating to data protection, security, information security, that are well communicated to all employees, or relevant employees, who are going to be potentially printing a large number of documents from home. Also, ensuring that people are aware of the standards of protection that they are expected to adhere to when printing those documents at home. One of the things that we saw a lot of employers do following the implementation of the GDPR in May 2018 was prepare all-singing-all-dancing policy documents that dealt with compliance measures and information security measures and that's all well and good but the problem is at that point no one could have foreseen the circumstances of the coronavirus pandemic and the vast change to working arrangements that have been forced upon us as a result of that. For that reason employers need to think about dusting off those policies, keeping them under constant review, making sure that they are agile, dynamic, and are able to adapt to changing working arrangements, increasing working from home and a different landscape that has been created in terms of potential data breaches and security risks."

    Joe Glavina: "What are the consequences for employers if these breaches are allowed to continue? Is the ICO really going to take action in the midst of a pandemic?"

    Aisleen Pugh: "So the risks of failing to put in place adequate security measures and demonstrate to the ICO's satisfaction that an employer has taken appropriate steps to ensure that its data compliance standards are adhered to is enforcement action by the ICO and pretty hefty fines. Now, whilst the ICO is taking an empathetic approach towards potential data breaches given the ongoing coronavirus pandemic and the massive shift in working arrangements and policy provisions that employers have had to adapt to in a relatively short space of time, given that we have now been living with the coronavirus pandemic for almost a year, and we're now in our third national lockdown, you can see that the ICO might be starting to take a slightly less sympathetic view where employers haven't taken adequate steps or shown that they've been proactive about recognising the types of risks that come with home working arrangements and having adapted, and reacted, to those risks in an appropriate way. Now, there are clear legal risks from an enforcement and financial perspective in terms of the steps the ICO can take in the event of a data breach and inadequate safeguards put in place by an employer but in addition, and this is something that is pretty hot in the media as well, so pretty much no week goes by where we don't hear another story of an employer who has fallen foul of information inadequately shredded, information contained on a USB stick left on a train, so there are, in addition, real reputational risks that go with failing to think about these things in a comprehensive and proactive way."

    The ICO has some useful guidance for employers when it comes to destroying documents that are no longer needed - simple and practical methods which you might want to include in a data policy, or guidance to staff. We've put a link to that in the transcript of this programme.

    LINK
    - Link to ICO guidance on practical methods for destroying documents that are no longer needed
