Management of occupational safety and data protection risks arising during work from home – Part 2
Part 2 of this series is about data protection. In case of questions, please contact Zoltán Balázs Kovács.
How do you secure data in the home office environment? What policies should be in place to secure data and devices? What does a data breach mean?
Employers must comply with the principle of accountability and demonstrate compliance (including by way of applying proper internal policies). This is also important from the perspective of data security. From the employer’s perspective, it is crucial to implement the appropriate technical and organisational measures, including a proper data security policy, data breach policy and policy on the use of IT devices. IT security means that when an employee is using an IT device for the purposes of work, the device has to be connected to a secure network, it has to be secured with a strong passcode, and it must be equipped with proper software and adjustments, including anti-virus software, a firewall, a spam filter, a child-lock, etc. Physical data security also has to be ensured. This may include the use of a security door at the employee’s home, an alarm system, an entry phone system and a fire-proof safe for confidential documents.
What does a data breach mean? A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A data breach raises a number of issues (assessment of the breach, notification to the DPA, notification to the persons concerned, registering of data breaches, taking the necessary security measures). When a security breach occurs, a notification needs to be made to the person in charge of data protection within the employer’s organisation.
When creating your policy on the use of IT devices, it is important to address the following main aspects:
- is private use of the device allowed? If yes, the separation of work-related and private information is key,
- purpose of the control / check by the employer of the use of the device,
- procedure of the check: who is performing it, what is the purpose and reason of the check, gradual approach, employee’s presence, minutes taken,
- back-up of the device,
- data subject’s rights,
- what happens when an employee leaves the company (procedure for the return of the devices).
When employees return to the workplace, employers use different tools in an effort to prevent the further spread of the virus. The most common tools include, amongst others, the filling out of questionnaires and the measurement of body temperature. It is important to comply with data protection requirements before and during the use of such tools. Similar to Hungarian schools, where temperature measurement has been obligatory since 1 October, the general measuring of body temperature without data recording is most likely considered proportionate at private employers as well, due to the current stage of the pandemic.
We encourage every employer to revisit the internal company policies and check if everything is in order based on the above overview.