16 Feb 2010
Advanced IT systems have been instrumental in the expansion of remote working by enabling employees to log on and work from home. Most companies have policies that spell out the procedures that must be followed. But what about those who are not home workers but who occasionally work from home?
Security and data protection measures can often be overlooked in certain types of flexible arrangements. Mid-Staffordshire NHS Foundation Trust recently experienced embarrassing publicity after the Information Commissioner’s Office (ICO) was notified that one of the Trust’s HR staff had saved a “statement of case” to their home PC. The information contained sensitive personal data relating to a criminal conviction. As a result of this breach, the Trust’s chief executive had to sign an undertaking pledging to introduce security measures to prevent this happening again.
In larger firms, HR employees who assist with disciplinary and grievance investigations often work remotely. On a wider level, with threats such as swine flu preventing employees coming to work, remote access and the rules regarding systems security are as important as ever.
Take, for example, an employee who opens a work email at home containing a Word document. After making changes, the employee saves the document to their home PC and forgets to delete it, so a copy is retained on that machine. If the document is not password protected or otherwise encrypted, and the home PC is shared with or accessible to others, third-party access to that data becomes a real possibility.
Data security breaches
A breach of security policy may have far-reaching implications. Importantly, where a breach occurs, methods of dealing with it are not just an internal HR matter, as there may be wider data protection issues. The Data Protection Act 1998 (DPA) imposes obligations on data controllers (ie employers), who must process personal data fairly and lawfully, and ensure that such data is accurate and kept up to date. Information relating to a person’s health, racial or ethnic origin, any criminal convictions and trade union membership are examples of “sensitive personal data”, and additional obligations apply to the processing of such information.
If an information breach occurs, data controllers may be faced with the prospect of: (i) having to notify the Information Commissioner of the breach (depending on factors such as the sensitivity of the data); (ii) receiving requests from individuals to access their personal data; and/or (iii) receiving requests from individuals to prevent the processing of data likely to cause damage or distress.
The Information Commissioner has the power to enforce compliance with the DPA. Failure to comply with an enforcement notice is a criminal offence. Looking ahead, the Information Commissioner will shortly have the power to fine organisations that are in breach of their obligations under the DPA. Other regulatory bodies, such as the Financial Services Authority, also have the power to fine regulated entities for breaches of data security. These fines can be significant.
The importance of the IT policy
To try to prevent data security breaches happening, most employers will have in place an information security policy that links in with their home working policy and disciplinary policy.
The security policy should include a clear prohibition on employees working from home unless sufficient safeguards (to be detailed in the policy) are put in place. The policy should also specify the types of information that employees can and cannot take home, as well as detail the company’s policy on the use by employees of portable media such as CD-ROMs and memory sticks. Finally, the policy should explain what steps should be taken to report any breach or suspected breach.
Dealing with employees who breach the policy
Consistent internal enforcement of any IT policy will also act as a deterrent for those who may wish to cut corners. It is essential that the IT policy ties in with the disciplinary policy, and outlines whether the firm views serious breaches as amounting to gross misconduct.
One of the difficulties with data security breaches can be the disparity between the employee’s relatively innocuous actions and the consequences of those actions, which is why employers need rules to spell out how employees should handle sensitive and personal data.
In the absence of a policy breach, is it reasonable to dismiss someone who sends a disc containing a database of sensitive information by normal post that gets lost? While the impact on the company may be significant and the data protection consequences severe, in the absence of a policy regulating the transmission of discs, it could be said that the employee’s action in itself was simply careless.
Whistleblowing
Care should also be taken to ensure that those who report data security breaches are given appropriate support following any disclosure. Any suggestion of negative or detrimental treatment may lead to a valid claim for whistleblowing, where compensation is not capped and financial awards can be high. Reports of malpractice should be in line with the procedure in the company’s whistleblowing or IT policy.
An employee is not expected to prove any potential problem with IT security, as the case of Bolton School v Evans demonstrates. Mr Evans, a technology teacher, had raised concerns that the school’s IT system was vulnerable to hacking. When he did not receive a suitable response to his concerns, he hacked into the system to prove it. He was subsequently disciplined for this behaviour and issued with a written warning. He then resigned, claiming constructive unfair dismissal and that the disciplinary warning amounted to detrimental treatment following his protected disclosure that the IT security was flawed. His claim was unsuccessful on the basis that the law was not there to protect employees who committed an act of misconduct to prove their claims.
Other legal issues
Flexible working arrangements may also expose employers to other, less obvious legal risks. Are the terms of the licence to use software, which the employer has agreed with a software company, wide enough to permit home use of that software? Will any home use infringe such licence terms and expose the employer to having its licence revoked, and also to a possible claim for damages by the licensor (software company)?
What, too, of any materials, ideas or methodologies created or generated by an employee in their own time at home and using their own resources? Do the employer’s internal policies address the issue of ownership of intellectual property rights in these materials in such circumstances? And at a more basic level, how are employees discarding any printed confidential or sensitive material at home? At the very least, such printed information should be shredded and certainly not discarded with the rubbish. These are issues that should be addressed in the employer’s IT/HR policies.
Best practice
Accordingly, as best practice, employers should view their security policy in the same way that they view their fire alarm process: a mandatory exercise that is regularly reviewed. Employers should train new staff not only on the contents of the security policy during the induction process, but also on the situations where risk issues may arise. Staff should be asked to sign a copy to confirm that they have read and understood the contents. Employers should also circulate and update their security policy at least annually, with employees signing the document each time it is updated.
Further, when someone leaves the company, they should be asked to return all portable devices and company property, with the IT department taking the necessary steps to revoke their remote access and credentials as soon as they have left. While it does not happen very often, disgruntled staff could copy or destroy valuable information.
Employers should also consider less obvious legal risks associated with working at home, including software licensing issues, ownership of intellectual property rights in work created, and the discarding of information.
Following these steps should not only raise awareness of the risk of security breaches within the workplace, but also improve compliance.
Mandy Laurie is a partner in the employment practice and Scott von Poulton an associate in the IT/IP practice at UK law firm Dundas & Wilson