
Data security challenged in the home office

Legal news
23 January 2017
Denmark

In a recent statement, the Danish Data Protection Authority criticized the fact that personal data was stored on a municipal employee’s private IT equipment, over which the authorities had no control. IUNO therefore focuses on what a company shall be attentive to when it allows its employees to work at home.

A number of employees in the municipality of the Danish town of Odder had conversations with the local work psychologist. An employee had transferred the summaries of the meetings to a USB device and uploaded them to his private server. The information was thereby accessible on a server where the authorities had no control over the level of data protection.

The Data Protection Authority found reason to criticize the situation and stated that the local authority’s processing of personal data did not meet the necessary security requirements as set forth in the Danish Data Protection Act.

The local authorities informed the Data Protection Authority that employees were not allowed to process personal data on private computers and that they took data security very seriously. The Data Protection Authority encouraged the local authorities to intensify their efforts to ensure that all employees were familiar with, and acted in accordance with, the guidelines on processing of personal data. The local authorities were also encouraged to set out guidelines on the circumstances under which it was allowed to copy data from the municipality to a USB device.

According to the Data Protection Authority it was not necessary to inform the people who were affected by the breach of security, because the documents were of a certain age and because only the work psychologist would be able to identify the partially anonymized persons.

Guidelines for protection of staff information
Moreover, the Data Protection Authority emphasized some of the minimum requirements for data security, which also appear in the Danish Data Protection Act, the statutory order on data security and the Data Protection Authority’s general guidelines.

One of these requirements is that companies shall review their guidelines regarding their processing of personal data at least once a year and that guidelines ought to be set out for the companies’ own inspection of the applicable security measures. Finally, the Data Protection Authority emphasized that companies, including the local authority, ought to ensure that those employees who process personal data receive the necessary instructions.

Special guidelines for a home office
Specifically for home offices, the Data Protection Authority has set out some problem areas related to data security, which companies should be aware of.

If the employee needs to store data on the home computer, the data should be encrypted. The local authority should therefore, in each specific case, guide the employee on how to encrypt the data before it is stored on a private server.

Moreover, an employer shall set out guidelines and give instructions on the storing and destruction of transcripts to the extent that an employee needs to print at home. The guidelines shall also contain rules on how and to what extent home computers may be used for private purposes. If there is a wireless exchange of data, e.g. between a computer and a printer, the guidelines shall contain information about this as well.

Finally, the Data Protection Authority demands a certain level of physical security of the home against theft and vandalism.

IUNO’s Opinion
Companies shall generally take care to update their guidelines on home offices and processing of personal data often, in order to ensure that employees work with sufficient security measures. A review and update of the guidelines should happen at least once a year, if not more frequently.

The Data Protection Authority’s statement also emphasized that it is not sufficient merely to have guidelines on processing personal data at the home office; the company shall also supervise compliance with the rules.

With the General Data Protection Regulation coming into force in May 2018, it will become more important to comply with the rules on the company’s personal data processing, because breaches of the new rules will be sanctioned significantly more severely than today. IUNO therefore encourages companies to carry out a gap analysis to clarify whether the company’s present personal data processing meets the requirements of the current law and the General Data Protection Regulation.

[The Data Protection Authority’s statement from 3rd October with journal number 2015-632-0154]

The Article 29 Data Protection Party released guidelines on Data Protection Officers (DPO’s) on 13 December 2016.


Anders Etgen Reitz
Partner

Søren Hessellund Klausen
Partner
