GDPR: Is working remotely in breach of the regs?

One firm owner is insisting staff work from the office due to GDPR. Are they right to do this?


Greetings from chilly Bristol, AWeb members.

At our event back in November, I got chatting with a small firm owner (who shall remain anonymous). They told me that since the last lockdown lifted, they have insisted on staff working in the office at all times for 'GDPR reasons'. They justified this by stating that they handle sensitive client documents and wouldn't want them viewed by others outside the firm. I don't doubt for a second the sensitive part is true, but there are plenty of firms that work remotely, look at client documentation on mobiles etc. Has my firm-owner friend taken a very literal interpretation of GDPR? Misunderstood the regulation? Or were they maybe having me on? Thoughts welcome as always :-)

All the best,

Tom

Replies (35)


By Brian Book
18th Jan 2023 15:50

Not directly related, but I have thought about this a few times while dealing with insurance and financial issues over the phone. If the person I am dealing with is working from home, how secure is the information I am divulging? Anyone could be visiting the house and overhear what is being said.

Thanks (2)
By ireallyshouldknowthisbut
18th Jan 2023 15:52

I think they just didn't want to say "I don't trust my staff".

There is as ever an element of this which is fair comment: taking confidential documents 'home' you are potentially widening access to them, but I don't think this is any different from staff leaving at 4.30pm as they need to go to little Jonney's dental appointment, but taking something home to finish later so it's done by 9am, as you might have done in the old days.

That is to say your employee still has to take care of it, and not leave it on the bus.

I think the reality is it's very easy indeed to blame GDPR for everything you don't like. The right wing press do it all the time, just like they used to for the EU; if it's not GDPR it's human rights gone mad, or elf and safety.

However, if you drill into the specifics of "ok, so what bit of this applies here then?" you can't get an answer, as it was just a blanket reactionary statement to cover up an unpopular decision. "It's out of my hands", "nothing I can do".

Of course this will be toast by the end of the year if Sunak burns all the EU rules. Spammers and cold callers are going to be delighted. All that lovely data to play with and sell on.

Thanks (3)
Replying to ireallyshouldknowthisbut:
By DJKL
18th Jan 2023 16:06

Methinks he doth protest too much.

How many barristers carry briefs around, take them home, work on them in the evening, surely these documents are far more confidential?

Back in the very early 80s, one late evening, I found a set of advocate's papers on an outside window ledge near the Court of Session; someone obviously carrying them had placed them down for some reason and forgotten to pick them up again. Like the upright citizen I am (though at the time I was less than upright, as I was coming back from the students' union) I handed them in to the police the next day.

Thanks (1)
Replying to DJKL:
By creamdelacream
19th Jan 2023 09:00

It wasn't the advocate's fault, it was the right wing media's fault.

Thanks (1)
By williams lester accountants
18th Jan 2023 15:52

My desk is near a window. Should I shut the blinds whilst working in case a random person looks through the window and sees some client info?

Thanks (3)
Replying to williams lester accountants:
By Martin B
18th Jan 2023 16:06

You should move desk as soon as possible and notify the relevant authorities via your compliance officer.

Thanks (2)
Replying to Martin B:
By paulwakefield1
19th Jan 2023 07:31

Yes, but if you do that, the debits and credits will all be on the wrong side.

Thanks (7)
Replying to williams lester accountants:
By Barbara G
18th Jan 2023 20:39

I'm laughing at this because I actually do that. My desk is near a window and I sometimes set files on the floor. So I keep the blinds closed in case someone walking past can see client names. Maybe I'm going a bit overboard here, lol.

Thanks (0)
By Jason Croke
18th Jan 2023 16:21

I suppose it depends on how the business is set up.

If it is a dinosaur where everything is still done on paper, emails are only sent to one inbox and no one else is allowed to email clients, then I guess the person has a point.

Done properly, every laptop must have secure password access and 2-step verification when accessing remote apps; emails shouldn't be sent if they contain anything GDPR related, so tax returns should be sent via secure email (Mimecast, etc), Dropbox or similar; ideally move away from emails and use WhatsApp, etc.

Any employee with a works mobile should have encryption and fingerprint unlock enabled, with the ability to remote wipe/delete in the event of theft. It depends how far you want to go.

In the OP's story, it just feels like the boss wants people back in the office where they can be watched (ie, lack of trust).

Thanks (4)
By Duggimon
18th Jan 2023 16:21

GDPR is suggestive, not prescriptive. I've not checked the regs before posting this but I'm virtually certain it says something along the lines of "taking all due care with sensitive information", "enacting measures necessary to protect sensitive data" and things along those lines, without defining what those are.

We expect staff working from home to take any records required with them, keep them on their person or in a locked vehicle while in transit then keep them secure in their homes and not disclose the contents to anyone in their household.

Our staff are aware of GDPR and the need for security around personal data. We deem that to be compliance with the regulations and I don't believe there's anything in there that says otherwise.

Thanks (2)
Replying to Duggimon:
By Hugo Fair
18th Jan 2023 17:07

100% agree.

GDPR is about responsibilities/accountability ... not predefined rules. Indeed, much to the consternation of people who like to 'simply follow the rules' it doesn't even specify basics like a min or max duration of retention.

In non-legal speak it's all about 'fitness for purpose, and balancing the needs of the individual with those of the organisation holding the data' ... which means each organisation should have put together its own set of procedures/standards and is responsible for ensuring that staff follow those procedures.

FWIW I'm not sure why people here are concentrating so much on paperwork ... the risks are much higher with electronic/digital data. And if you have good procedures for dealing with those, then it's not hard to transpose methodology (or technology) to fit in with WFH.

Storm in a teacup ... or methinks your friend is tilting at windmills, Tom.

Thanks (2)
By Catherine Newman
18th Jan 2023 17:07

I spoke to someone on the ADL (in the days that you could) and I asked whether he was working from home. He said he was working in a small bedroom at home and was required to keep the door locked. He answered three queries for me in one call. I couldn't fault that particular agent.

Thanks (1)
Replying to Catherine Newman:
By Vallery Lee
21st Jan 2023 09:40

That's good to hear - any tips for the rest of us on how to achieve a good result?

Thanks (0)
By paul.benny
18th Jan 2023 17:08

How did this practice ensure GDPR compliance during lockdown? I don't recall any derogation during that period.

If a business has trained its staff in good data protection and has put in place appropriate processes and procedures, it has a defence should a rogue or careless employee leak personal data. If there is no training and no processes, the business is culpable.

Thanks (3)
Replying to paul.benny:
By Mr_awol
19th Jan 2023 09:00

I agree almost entirely - apart from the lockdown angle.

Whilst there were still the same requirements, it was something of an emergency situation that we all managed as best we could - and the staff weren't having friends round, weren't going out and leaving the babysitter/in-laws/kids/carpet fitter/etc alone where they could easily walk past something confidential if it were left out.

Thanks (0)
By JD
18th Jan 2023 20:07

Cars queuing to pick records up from the office in the evenings...even at large well established firms. Individuals working from kitchen tables in full view of the kids/spouse, resulting in misplaced conversations in the pub. Of course it is a massive risk (including reputational).

We work from the office only, are proud to do so and clients appreciate the care we take. I would have no hesitation in pointing out the risk that others are taking to any potential client. Controlling your front door is essential.

Thanks (2)
Replying to JD:
By paulwakefield1
19th Jan 2023 07:38

I think I'd trust my family rather more than some of my former colleagues!

There is nothing in your approach that stops staff talking outside the office. It's more an attitude of mind (enhanced by training).

Thanks (2)
Replying to paulwakefield1:
By Mr_awol
19th Jan 2023 08:57

I'm not sure if JD was wholly serious - maybe there was some exaggeration, maybe that's genuinely how they feel.

They do have a point to an extent, I feel. Take the issue of family looking in - you've taken it from the perspective of not trusting the employees. I view it rather as not trusting the employees' family - or maybe accepting that the family themselves may not be aware of, used to, etc the need for confidentiality. They may include (teenage) kids. They may work down the local pub or hair salon/nail bar/whatever. They might be a nosey gossip, and if they haven't worked in financial services or anywhere where confidentiality is important, this could be an issue.

The employee might do everything they can to keep things tidied away but unless you are completely paperless, if there are working papers/files and/or client records in the house then there is little they can do to stop a nosey partner/kid/cleaner/babysitter/mother-in-law or any other people who might have opportunity to leaf through items, from doing so.

So yes, WFH is definitely a risk if you have any kind of paper trail at any point (and possibly even if you don't, although your employees should be able to manage that). I wouldn't say it's an automatic breach of GDPR, but it would be important to have staff policies in place, training, and reminders, to ensure you are doing everything you can to mitigate it.

Then again, on the other side, some people are very lax. If our IT support co wanted to nose around our (otherwise secure) electronic storage they could. Some people are even happy to outsource to another country with no idea how many times the work may or may not be subcontracted further, as long as their main contact assures them it is all 'GDPR compliant'......

Thanks (0)
Replying to Mr_awol:
By Mr_awol
19th Jan 2023 09:19

As an example of people not getting the need for confidentiality, I've worked at my parents' house before - to get a bit done whilst visiting them. I had some sensitive material on screen and in front of me, and my mum (innocently enough) mooched over to see if I wanted a sandwich and peered over saying 'what you doing then'.

She probably wouldn't have looked anyway, nor understood/cared, and in any case a quick alt+tab to switch screens covered the data up with something much less confidential whilst I politely (if wearily) told her she shouldn't really be looking 'in case' there was something on screen.

Thanks (1)
Replying to Mr_awol:
By paulwakefield1
19th Jan 2023 09:48

I take your point. I suppose I am in an unusual situation in that all of my family work in areas where confidentiality is key (some with an even higher requirement than for accountants) so they completely understand and respect the need.

Thanks (0)
Replying to paulwakefield1:
By Mr_awol
19th Jan 2023 10:04

That tends to work better. TBH my wife's job includes just as much awareness of confidentiality etc, but she is totally uninterested in accountancy, so even if I tried to talk about it she'd soon tell me to shut up! :D

For others though, it could be a very different matter. My dear old mum could easily have seen a name she recognised depending on what I was working on - the last thing I need is her telling her mates 'in confidence' that her son is the accountant for x/y/z - even if it didn't get back to the clients in question, it wouldn't sound good for smaller, local clients to hear.

We also have staff whose spouses are accountants for other firms, which was a tricky consideration for us - will they share/hot desk a 'home office'? Will they use a spare room or larger home office in which case they'll both be working in the same room at the same time? How does that impact phone calls to clients or HMRC where there's no alternative but to give out the clients' names? How well do we know (and do we trust) the spouse and/or the firm they work for?

Fortunately all of our staff hate WFH and say it's less productive so the issue has largely gone away.

Thanks (0)
Replying to paulwakefield1:
By JD
19th Jan 2023 09:57

Thank you, Paul

I fully accept that one-man bands and larger corporate firms with full-blown IT systems and perfect clients that load everything up to the cloud storage of their choice can make it work.

For those with just a few staff, in my humble view the office is important for the team as a whole (for a whole series of reasons not related to lack of trust) and to maintain efficiency of client service.

From a pure GDPR view, have there not been some interesting posts here occasionally, from an angry client or anxious accountant, where a family member has been discussing client information at the local pub/golf club, or client records have been lost? I know it is against the trend, but there are too many risks with not being able to control your front door.

Thanks (0)
Replying to JD:
By paul.benny
19th Jan 2023 10:40

The risks you mention are all to do with lax attitudes to confidentiality and data protection and nothing to do with WFH. Gossiping at the golf club, files left on the train, etc all happened long before WFH and indeed long before GDPR brought obligations to the fore.

There may be other reasons for preferring staff to work at the office but GDPR isn't one of them.

Thanks (1)
By Winnie Wiggleroom
18th Jan 2023 20:19

How do you spell codswallop?

What he really meant was: I neither understand nor wish to invest in the required security, and I also do not trust my staff.

Was he called Noah (other archaic names are available)?

Thanks (4)
Replying to Winnie Wiggleroom:
By JD
19th Jan 2023 10:02

Of course Noah would have been a little less effective, and his boat pointless, if he had left his family/work mates and 2*2 animals to work from home.....

Thanks (2)
Replying to JD:
By Winnie Wiggleroom
19th Jan 2023 10:19

JD wrote:

Of course Noah would have been a little less effective, and his boat pointless, if he had left his family/work mates and 2*2 animals to work from home.....

On the contrary, the very reason he was so successful was that he worked from home for many years, although I suspect he was far too busy with other things to worry about data confidentiality.

Thanks (0)
Replying to Winnie Wiggleroom:
By I'msorryIhaven'taclue
19th Jan 2023 11:21

Winnie Wiggleroom wrote:

On the contrary, the very reason he was so successful was that he worked from home for many years, although I suspect he was far too busy with other things to worry about data confidentiality.

Noah was far too busy getting stuck into the old vino to worry about such matters. His son Ham, however, was guilty of a data breach.

And there's the two-pronged problem with homeworking. Employees working from their lounge hit the sauce far too early in the day; and their loose-tongued family members become privy to sensitive information.

Thanks (1)
By bendybod
19th Jan 2023 10:00

We have staff working from home and/or flexibly between the office and home for various non-Covid-related reasons, as well as the majority being 100% office based. They know the rules regarding client records and confidentiality. As much as possible they don't take physical records home with them, but occasionally it is necessary. If they were found to be divulging or being careless with information it would, therefore, be gross misconduct.

Equally, if the phone isn't answered in the office, it diverts to my mobile. Occasionally I might have left the office early or be catching some fresh air at lunchtime. If I'm not somewhere where I can be 100% private, I tell them and let them make the decision as to whether to continue the conversation or not.

Thanks (0)
By JCresswellTax
19th Jan 2023 10:05

What an utterly boring thing to think about.

Thanks (2)
By moneymanager
19th Jan 2023 13:21

This issue isn't so much a matter of compliance with GDPR as the delineation between the boundaries of work and social life. The push towards digital everything and "always on" is both disruptive and inherently dangerous, the Bill Gates-incentivised digital ID developments in India being a case in point: the government (and we have had similar faux pas) posted on over a hundred of its own websites the personal details of millions of its citizens, and the data was even posted for sale for just $7!

Thanks (0)
By I'msorryIhaven'taclue
21st Jan 2023 11:36

I noticed that my AML reviewer, who tested and lectured yours truly on the nebulous topic of GDPR, was working from home. And yes, I had to provide live client files for the review.

I wonder whether no-seat-belt Rishi ever works from home? I was reading the other day how doddery old Joe Biden keeps leaving classified files lying around his abode.

Thanks (0)
Replying to I'msorryIhaven'taclue:
By Hugo Fair
21st Jan 2023 13:23

What did "provide live client files" actually entail?

It's potentially debatable whether identifiable (i.e. non-anonymised) files are covered by the general GDPR exemptions (under governmental requirements) - but the potential for accidental wider-spread disclosure would be what might worry me.

[And yes, re Rishi, PMs are arguably the originators of WFH ... no. 10 and all that].

Thanks (2)
Replying to Hugo Fair:
By I'msorryIhaven'taclue
21st Jan 2023 16:50

Hi Hugo, it meant uploading a sample of unredacted clients' AML assessment/KYC files to a safe haven, from whence they are scrutinised for compliance with our AML policies and procedures manual.

(And any client who might object to having their personal data / mugshot / risk-assessment of their threat to perform savage acts of terrorism and/or avoid tax uploaded in such fashion is advised to read the small-print of our privacy policy, which accompanied our engagement letter, to which they gave their express consent for their personal data to be forwarded to our AML supervisory body for monitoring. So there! We care about your privacy.)

I'm beginning to see Russell Brand's view: that all this AML stuff and nonsense classifying terrorists in the same band as fundamentally honest citizens who happen to put a toe over the line with their tax matters amounts to distraction tactics; a ploy to keep us all too busy to see what's really happening (London is, after all, the money-laundering capital of the World; and the UK has control or influence over circa half of the World's dozen or so tax havens. So why are we, on our minor scales, all being encouraged to police and report one another for GDPR non-compliance / minor tax transgressions / taking a walk for longer than an hour during lockdown?)

Thanks (1)
Replying to I'msorryIhaven'taclue:
By Hugo Fair
21st Jan 2023 17:20

From a GDPR perspective it sounds like you've got everything necessary (policy, procedures and communication) tied down - with a pretty ribbon to boot!

And one likes to assume the same can be said for your AML assessor (but if not, the use of a 'safe haven' is the point at which your responsibility ends anyway).

On the wider issue regarding the purpose of AML, I've not seen Mr Brand's views previously - but my only thought would be "he might very well think that; but I couldn't possibly comment"!

Medieval kings declared war just to occupy the nobles who had the resources to be a threat; Marx observed religion to be the opium of the people; and Maggie used the Falklands as a means to reinvigorate a sense of pulling together.

'Twas ever thus and no doubt will continue to be ... the cleverer ones don't tell outright porkies, relying instead on hijacking something true-but-unimportant for their own unrelated ends.

Thanks (1)
By Justin Bryant
23rd Jan 2023 09:38

I bet these people will heartily agree that it's a problem: https://www.accountingweb.co.uk/any-answers/dodgy-looking-gdpr-provision...

Thanks (0)