
GDPR - staff working from home

To meet the January deadline, staff work extra hours at home. It means the firm gets the work done, the clients get their returns filed on time and the staff get extra pay. In the past staff would take clients' paper records home and work on spreadsheets on USB sticks. In the light of GDPR, what is permitted and what is not? I've checked ICAEW and ACCA guidance but they don't answer questions such as:

1. Does GDPR permit staff to take paper records out of the office?

2. Must this need to be in the letter of engagement?

3. Is it permitted to carry data on USB stick?

4. Must the data be encrypted as opposed to it merely being good practice?

5. Is it permitted to sync data between work and home PC using DropBox? If so, must it be encrypted as opposed to it merely being good practice?

6. Is it permitted to email data between work email and home email? If so, must it be encrypted as opposed to it merely being good practice?

Replies


20th Nov 2018 16:10

Good luck finding a definitive answer here.

You've probably found that the professional bodies have sat on the fence and left you to make your own mind up (AKA make your own mistakes).

It really does defy logic that these rules can be brought into play with such ambiguous or no real guidance from anyone.

The one thing I have found with GDPR is there is always someone willing to tell you that you are doing it wrong... usually when it's a hassle for them and they can't be bothered to change their ways, such as the client who doesn't want to use iris openspace, because it's another password to remember!

Thanks (2)
By mbee1
21st Nov 2018 09:13

If staff work at home regularly why not set up a VPN so they can access office software from home? We've done it for years and there is nothing I can't do from home and, particularly when it's very busy I only go into the office one day a week. This also precludes the need for memory sticks.

Not from an accountancy point of view but being a school governor, memory sticks have been banned since GDPR. I have two daughters who are both teachers and both schools where they teach have also banned them - it seems to be more or less universal and I can see why.

We also have a policy, as do schools, that nothing work related is left in a vehicle and, when I leave my home study desk, I log out of my laptop in case anyone comes into the study, including my wife and other visitors. Any paper documents have to be locked away but, as we're virtually paperless, there isn't much around and anything that is I shred.

Thanks (3)
to mbee1
21st Nov 2018 10:36

mbee1 wrote:

Not from an accountancy point of view but being a school governor, memory sticks have been banned since GDPR. I have two daughters who both teachers and both schools where they teach have also banned them - it seems to be more or less universal and I can see why.

They can be encrypted, easily. An encrypted USB stick is as (or possibly more) secure as/than a password protected laptop.

Thanks (2)
to Duggimon
21st Nov 2018 11:53

Duggimon wrote:

They can be encrypted, easily. An encrypted USB stick is as (or possibly more) secure as/than a password protected laptop.

However, if you look carefully at the judgements in the Vidal Hall case there is an implication that encryption per se is not a protection or defence, merely a mitigation.
The thrust was that Google "could use the data" - whether it chose to or not was irrelevant.
Analogously, it is thought in some legal circles that since encrypted data "could be decrypted", with the subtext that as IT progresses this will be ever more readily effected, the fact of encryption cannot be depended upon.
As with much of GDPR, there will be thirty years of litigation before we have a 90% understanding of how to deal with it - but for sure, nowt is certain by any means.
Thanks (1)
to dgilmour51
21st Nov 2018 12:04

As you rightly say, most of this is untested and so nobody is really speaking from a position of authority here, I think it's good to discuss though.

The Vidal Hall case is one in which data was gathered contrary to the express consent of the claimants and I don't see its application in the scenario under discussion. If your client expressly asks you not to put their data on a USB stick then good business sense, not GDPR, would be your main motivation for agreeing, IMO.

It may be thought in some legal circles that encrypted data could be decrypted but not in IT circles. It is, in fact, impossible to break relatively simple decryption that relies on a decent password.

Thanks (1)
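The disagreement above, between dgilmour51 ("could be decrypted") and Duggimon ("impossible with a decent password"), comes down to how the key protecting a lost stick is derived from the password. The Python below is an added example, not code posted by anyone in the thread. It models the header a password-based container stores beside the ciphertext (random salt, KDF work factor and a key-check value) and simulates the offline guessing the finder of the stick can run against it. The wordlist and passwords are constructed for the example; the cipher that would encrypt the file body (AES in whatever tool is in use) is assumed and not implemented here.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor. Kept small so the example runs in well
# under a second; real tools use far larger counts or memory-hard KDFs.
ITERATIONS = 20_000
KEY_LEN = 32
SALT_LEN = 16

# Constructed attacker wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "January", "tax2018", "Accounts1", "qwerty123"]

# Diceware-style dictionary size (6**5 words): each word adds about 12.9 bits.
DICEWARE_WORDS = 7776


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a password into a fixed-length key; cost scales with iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def protect(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the header a password-based container carries alongside the
    ciphertext: random salt, KDF parameters and a key-check value. Anyone
    holding the stick can test guesses against this header offline."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(password, salt, iterations)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock(header: dict, password: str) -> Optional[bytes]:
    """Return the data key if the password is right, otherwise None."""
    key = derive_key(password, header["salt"], header["iterations"])
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["check"]) else None


def offline_guess(header: dict, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Simulate the finder of a lost stick running a dictionary attack.
    Returns (recovered password or None, number of guesses spent)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if unlock(header, guess) is not None:
            return guess, tried
    return None, tried


def passphrase_keyspace(n_words: int, dictionary: int = DICEWARE_WORDS) -> float:
    """Candidates for an n-word passphrase drawn uniformly from a dictionary."""
    return float(dictionary) ** n_words


def years_to_exhaust(keyspace: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given attacker speed."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Weak password: the finder recovers it in a handful of guesses.
    weak = protect("tax2018")
    print("weak password recovered:", offline_guess(weak, WORDLIST))

    # Strong passphrase: same KDF, same tool, but the wordlist misses and
    # exhaustive search is out of reach even at an optimistic 1e9 guesses/s.
    strong = protect("correct-horse-battery-staple-ledger-quay")
    print("strong passphrase recovered:", offline_guess(strong, WORDLIST))
    print("years to exhaust 6 diceware words at 1e9/s: %.1e"
          % years_to_exhaust(passphrase_keyspace(6), 1e9))
    # Attacking the 256-bit key directly rather than the password:
    print("years to exhaust AES-256 keys at 1e12/s: %.1e"
          % years_to_exhaust(2.0 ** 256, 1e12))
```

Both runs use the same KDF and would use the same cipher; only the password changes, and that is what decides whether "encrypted" protects a lost stick or merely delays the finder. Raising the iteration count slows every guess for the attacker and the owner alike, which is why tools pair a high work factor with a passphrase nobody would find in a wordlist.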
21st Nov 2018 10:33

1. Yes
2. If you think it appropriate
3. Yes
4. If you think it appropriate
5. Yes, and if you think it appropriate
6. Yes, and if you think it appropriate.

Personally I would include the fact that you, as a business, occasionally take records out of the office in my privacy policy, and I would encrypt all emails/USB sticks/cloud storage containing sensitive data; because it's easy to do so, there's no argument for not doing it.

GDPR is not prescriptive which is why you can't find a definitive answer. My answers 1-6 are literally the answers per the legislation, not me being glib.

Thanks (3)
21st Nov 2018 11:47

The best way to approach this is from the position of what could go wrong. If there is an incident, the ICO would always consider whether you should have known better - so the fact that you are asking questions shows that you realise that something could go wrong. So if something did go wrong, should you have known better? Things are still permissible as long as the appropriate precautions are in place. So if you allow staff to take paperwork out of the office, then there ought to be something in place to tell staff what their responsibility is with regard to that information and what they are and are not permitted to do (e.g. someone mentioned about leaving paperwork in a car unattended - you might want to stop staff from doing that). You may therefore end up with more policies - writing things down is a key part of GDPR! I hope that helps a little.

Thanks (3)
21st Nov 2018 12:11

In regard to portable drives and USB sticks we now use this range: https://istorage-uk.com/products/

They are incredibly secure as you have to enter a long code to even get the thing to wake up.

In conjunction with a cloud backup we use the larger drives for a physical backup.

They are not cheap but they have self destruct mechanisms built into them such that they say there is no way the data can be accessed unless someone knows the physical code to unlock them. If someone tries to prise the case open to get to the hard drive within it destroys the data.

Suffice to say if staff are working from home they have to securely log in remotely to our systems or, alternatively, they carry the data on the USB stick version.

If I left a drive on a train I could sleep easy knowing that the data could not be accessed - albeit I'd be annoyed because the drives aren't cheap to replace!

Thanks (2)
22nd Nov 2018 09:34

Thank you all for your replies. Very helpful.

Thanks (0)
25th Nov 2018 15:28

What Duggimon said - it is a matter for you.

From the risk management perspective the issue is whether, in order to carry the risk of loss/theft of client information, you have policy/guidance in place which covers the various options for staff (paper/USB/VPN) and which specifies the controls required (obtaining permission, record keeping, encryption, credential allocation and removal), and you have documented monitoring to ensure the guidance is being followed and the controls are effective in practice. Often the benefit of the irksome formality required is to increase staff awareness and encourage pause for thought when under time pressure, which is when things often go wrong. One additional thought - if you would expect to call on an insurer if things do go wrong, you might want to check their expectations in this area.

Thanks (1)