Data security challenged in the home office
In a recent statement, the Danish Data Protection Authority criticised a municipality for storing personal data on an employee's private IT equipment over which the municipality had no control. IUNO therefore looks at what a company must pay attention to when it allows its employees to work from home.
A number of employees of the Danish municipality of Odder had conversations with the local occupational psychologist. An employee transferred the summaries of those meetings to a USB device and uploaded them to his private server. The information was thereby held on a server where the municipality had no control over the level of data protection.
The Data Protection Authority found grounds for criticism and stated that the municipality's processing of personal data did not meet the security requirements laid down in the Danish Data Protection Act.
The municipality informed the Data Protection Authority that employees were not allowed to process personal data on private computers and that it took data security very seriously. The Data Protection Authority encouraged the municipality to step up its efforts to ensure that all employees were familiar with, and acted in accordance with, its guidelines on the processing of personal data. The municipality was also encouraged to lay down guidelines on the circumstances under which data may be copied from the municipality's systems to a USB device.
In the Data Protection Authority's view it was not necessary to notify the people affected by the security breach, because the documents were of a certain age and because only the occupational psychologist would be able to identify the partially anonymised persons.
Guidelines for protection of staff information
The Data Protection Authority also emphasised some of the minimum requirements for data security that follow from the Danish Data Protection Act, the statutory order on data security and the Authority's general guidelines.
One of these requirements is that companies must review their guidelines on the processing of personal data at least once a year, and that guidelines should be laid down for the company's own inspection of the security measures in place. Finally, the Data Protection Authority stressed that companies, including the municipality, must ensure that employees who process personal data receive the necessary instruction.
Special guidelines for a home office
Specifically for home offices, the Data Protection Authority has identified a number of problem areas related to data security which companies should be aware of.
If an employee needs to store data on a home computer, the data should be encrypted. The local authority should therefore, in each specific case, instruct the employee on how to encrypt the data before it is stored on private equipment.
The employer must also lay down guidelines and give instructions on the storage and destruction of printouts, to the extent that an employee needs to print at home. The guidelines must also contain rules on how, and to what extent, home computers may be used for private purposes. If data is exchanged wirelessly, e.g. between a computer and a printer, the guidelines must cover this as well.
Finally, the Data Protection Authority requires a certain degree of physical protection of the home against theft and vandalism.
IUNO’s Opinion
Companies should generally take care to update their guidelines on home offices and the processing of personal data regularly, to ensure that employees work under adequate security measures. The guidelines should be reviewed and updated at least once a year, if not more frequently.
The Data Protection Authority's statement also emphasises that it is not sufficient to have guidelines on the processing of personal data in the home office; the company must also supervise compliance with them.
With the General Data Protection Regulation applying from May 2018, compliance with the rules on the company's processing of personal data will become even more important, because breaches of the new rules will be sanctioned considerably more severely than today. IUNO therefore encourages companies to carry out a gap analysis to clarify whether their current processing of personal data meets the requirements of the current law and of the General Data Protection Regulation.
[The Data Protection Authority's statement of 3 October, journal number 2015-632-0154]
The Article 29 Working Party released guidelines on Data Protection Officers (DPOs) on 13 December 2016.