April 2020 edition: Data Protection and COVID-19; The Keys to Securing Agile/Home Working

Data Protection and COVID-19; The Keys to Securing Agile/Home Working

With Covid-19 declared a global pandemic, school trusts need to be prepared for homeworking. Organisations where agile working is the norm will already have adopted systems and equipment to maintain business operations and manage the risks of working "beyond the perimeter”. For many schools and MATs, this will be a new challenge.

Although it may be unplanned, now is the time to look at how you enable your distributed staff to collaborate. Doing this now will pay dividends in the future, long after the current threat of Covid-19 has gone away.

Planning for agile working as a response to Covid-19 will necessitate identifying which functions can be deployed remotely and which cannot.

Paula Williamson

Right now, in the midst of Covid-19, GDPR may not feature strongly (or at all) on your list of considerations. But there are two big reasons why it should. First, protecting personal data will remain a statutory obligation for all educational institutions under GDPR, regardless of whether it is being processed at school or from an employee’s home and their personal devices. (Remember, under GDPR, you have a statutory obligation to take appropriate technical and organisational measures to protect personal data). Second, new data security risks are likely to emerge as attackers exploit the Covid-19 crisis to launch new phishing attacks and identify vulnerabilities in your security measures.

Planning for agile working as a response to Covid-19 will necessitate identifying which functions can be deployed remotely and which cannot. What measures must you put in place in order to ensure your school or academy’s continuity? Do all employees have equipment to work from home in a way that is secure and GDPR-compliant? Have you established an IT help desk to support staff working offsite? Have you enabled remote access to your systems and network? Can you guarantee endpoint security and physical security?

If you are going to be reliant on your staff using their own personal devices to work from, it is critical to deploy Bring-Your-Own-Device (BYOD) measures.

Bring-Your-Own-Device (BYOD) is the use of employee-owned devices to access the employer’s network or content.

BYOD comes in many guises. For example, staff accessing their email from their personal smartphone or working from a home PC or personal laptop. However, if you plan to rely on BYOD, it needs to be GDPR-compliant.

The first thing to understand is that BYOD will increase security risks and the likelihood of a data breach occurring. The reason for this is that although your school or MAT remains the Controller of any personal data being processed, it does not legally own the device upon which it is being processed. You will become reliant on your staff properly securing their device, recognising GDPR risks and how to mitigate those risks.

Here are our 10 top tips for adopting BYOD:

1. Remind all staff of their obligation to protect personal data when working away from the building.
2. Remind all staff that data breaches can cause real and significant harm to individuals and result in enforcement action (including substantial fines), adverse publicity and unwanted scrutiny.
3. Any device that is used for work, including personal devices, should be protected with end point security such as up to date antivirus, malware and personal firewalls etc.
4. Refresh and re-circulate your BYOD Policy to all staff. If you don’t have a documented BYOD Policy, we can quickly provide you with one that is tailored to your organisation.
5. Any device that is used to store or process personal data should be encrypted with a password (noting that not all passwords double up as encryption.) This includes for example, personal smartphones, personal laptops, USB memory sticks, home PCs and printers.
6. Protect personal data from being accessed or seen by others including friends, family and the public. Do not share passwords or access credentials.
7. Lock your screen when stepping away from work. Log off at the end of working and ensure that personal data is locked away.
8. Work stored on personal devices should be securely backed up. Ensure that it can be retrieved when required in a timely manner.
9. Post crisis, ensure that staff securely transfer all personal data back to your system and delete all copies from any personal device and backup.
10. Alert staff to be vigilant against emerging new risks such as phishing attacks.

Stone King’s specialist Information Law Group provides novel and responsive solutions to all types of business. It is led by a core of lawyers that have specialist Information Law qualifications and long-standing expertise.

Stone King LLP is a CST Platinum Partner.