Data security challenged in the home office

Legal news, 23 January 2017, Denmark
In a recent statement, the Danish Data Protection Authority criticized that personal data had been stored on a municipal employee's private IT equipment, over which the authorities had no control. IUNO therefore focuses on what a company should be attentive to when it allows its employees to work from home.

A number of employees in the municipality of the Danish town of Odder had conversations with the local work psychologist. An employee had transferred the summaries of the meetings to a USB device and uploaded them to his private server. The information was thereby accessible on a server over which the authorities had no control of the level of data protection.

The Data Protection Authority found reason to criticize the situation and stated that the local authority’s processing of personal data did not meet the necessary security requirements as set forth in the Danish Data Protection Act.

The local authorities informed the Data Protection Authority that employees were not allowed to process personal data on private computers and that they took data security very seriously. The Data Protection Authority encouraged the local authorities to intensify their efforts to ensure that all employees were familiar with, and acted in accordance with, the guidelines on processing of personal data. The local authorities were also encouraged to set out guidelines on the circumstances under which it is allowed to copy data from the municipality to a USB device.

According to the Data Protection Authority, it was not necessary to inform the people affected by the security breach, because the documents were of a certain age and because only the work psychologist would be able to identify the partially anonymized persons.

Guidelines for protection of staff information

Moreover, the Data Protection Authority emphasized some of the minimum requirements for data security, which also follow from the Danish Data Protection Act, the statutory order on data security and the Data Protection Authority's general guidelines.

One of these requirements is that companies shall review their guidelines on the processing of personal data at least once a year, and that guidelines ought to be set out for the companies' own inspection of the applicable security measures. Finally, the Data Protection Authority emphasized that companies, including the local authority, ought to ensure the necessary instruction of those employees who process personal data.

Special guidelines for a home office

Specifically for home offices, the Data Protection Authority has set out some problem areas related to data security that companies should be aware of.

If the employee needs to store data on the home computer, the data should be encrypted. The local authority should therefore, in each specific case, guide the employee on how to encrypt the data before it is stored on a private server.

Moreover, an employer shall set out guidelines and give instructions on the storage and destruction of printouts to the extent that an employee needs to print at home. The guidelines shall also contain rules on how, and to what extent, home computers may be used for private purposes. If there is a wireless exchange of data, e.g. between a computer and a printer, the guidelines shall cover this as well.

Finally, the Data Protection Authority requires a certain physical securing of the home against theft and vandalism.

IUNO’s Opinion

Companies should generally be attentive to updating their guidelines on home offices and the processing of personal data regularly, in order to ensure that employees work with sufficient security measures. A review and update of the guidelines should take place at least once a year, if not more frequently.

The Data Protection Authority's statement also emphasized that it is not sufficient to settle for guidelines on processing personal data in the home office; the company must also supervise compliance with the rules.

With the General Data Protection Regulation coming into force in May 2018, it will become even more important to comply with the rules on the company's processing of personal data, because breaches of the new rules will be sanctioned significantly more severely than today. IUNO therefore encourages companies to carry out a gap analysis to clarify whether the company's present processing of personal data meets the requirements of the current law and of the General Data Protection Regulation.

[The Data Protection Authority's statement of 3 October, journal number 2015-632-0154]

The Article 29 Data Protection Party released guidelines on Data Protection Officers (DPOs) on 13 December 2016.

Authors: Anders Etgen Reitz, Partner; Søren Hessellund Klausen, Partner