Is the office a bigger GDPR risk than remote work?

The GDPR spotlight has shifted from home to office desks, as the tables have turned regarding confidentiality breaches. A discussion was sparked on Any Answers by a client’s insistence that permission was required for another employee to be in the same office during an online meeting. 

3rd May 2024

When remote working was introduced, a whole host of General Data Protection Regulation (GDPR) questions were circling. What if someone looks through a window and reads sensitive client information, or what if a neighbour overhears a confidential phone call?

But for one accountancy firm, the office now seems to be the issue. AccountingWEB member mbee1 came to Any Answers to seek advice on a complaint a client had made about a “confidentiality breach” in the office.

“A client had a Zoom call with a staff member while there was another member of staff in the office. He wasn’t listening in as he was working himself but the client has now emailed saying that we have broken confidentiality as we needed her permission to have a third person in the room.” 

This led mbee1 to question whether they should:

  1. accept that the client is right and apologise
  2. change their working policy to ensure clients are aware staff may be working in the same room, or
  3. find out whether they were right or not.

Community thoughts 

The Any Answers community agreed that while certain measures need to be taken to ensure that confidentiality is maintained, this situation doesn’t qualify as a breach. 

One member, Roland195, said, “Etiquette usually requires introducing everyone on a call. However this would not extend to everyone in the vicinity and would not be a legal requirement in any event (unless it actually was random third parties in a coffee shop).”

Regular contributor Stepurhan pointed out that because the third party works for the same firm, it shouldn’t matter whether or not they are privy to the conversation. “As accountants, we need to maintain confidentiality of client affairs. However, staff within a firm will generally have access to all client information, even clients they don’t directly work with. It would be different if you had other clients in the office at the same time who could overhear,” they said.

JamesDS agreed with this point and noted that, as the client would have signed a letter of engagement, this most likely engages the whole firm and not just the single employee: “Thus the whole firm is covered by the expectation of confidentiality.”

JamesDS added a fourth response to mbee1’s list, which was the suggestion to get rid of this difficult client. “Personally, I’d call her and ask: ‘Would you be more comfortable with a firm that can offer the service you appear to require?’ Nothing else, just that,” they said.

Taking the right steps 

Helen Booth, lead communications officer at the Information Commissioner’s Office (ICO), said, “What’s appropriate for you will depend, not just on your circumstances, but also the data you are processing and the risks posed.”

Booth continued, “You must assess your information security risk and implement appropriate technical controls.”

While it may not have been a breach of confidentiality, Booth stressed the importance of being aware of your surroundings. Whether you’re working in the office or remotely, she advised being careful about “what you say and what documents are open on your screen when people are around you”.

How the firm now responds to the client matters for protecting its reputation. The ICO sets out steps for dealing with data protection complaints successfully: “Even with appropriate data protection policies in place, sometimes your staff, contractors, customers or others whose data you hold may be unhappy with how you’ve handled their personal information. Your response matters, because taking the right steps will help to protect your reputation as a business that cares about people’s information.”

Have you experienced any similar confidentiality issues? Let us know in the comments below.

Replies (2)


By FactChecker
3rd May 2024 20:42

The original AA post from which this article has been built made no mention of GDPR (and there was no suggestion of this being the basis of the client's 'concern').
If there had been, you might have expected some more robust responses pointing out that it would have been as relevant as when people give 'health and safety' as the reason for any incomprehensible policy/rule made up by an organisation.

This is not the place for a lecture on GDPR, but it still seems to surprise most people that it doesn't consist of a set of nice simple Rules with which everyone has to comply.
There is a framework (broad objectives and recommendations), but each organisation is expected to define their own specific policies - which is why, for instance, you will get such different answers to a simple question such as "for how long should we retain records of pension contributions?"*
[* = answers, depending on the organisation and on their logic, of 6 years or 25 years or 100 years or forever ... have all been found to be 'correct'.]

How many organisations properly create their GDPR policy, let alone train their staff on it and communicate its essentials to clients (or indeed review it and if necessary modify it), is of course another matter.
But that is a whole different story (not dissimilar to the gap between minimalist box-ticking and proper compliance with AMLR) that has nothing to do with one client being slightly 'precious' - which required client management skills wholly unrelated to GDPR.

Thanks (8)
By Paul Crowley
8th May 2024 14:21

The title makes absolutely no sense.
The original OP was not concerned about a breach of personal data to a third party.
The bigger risk would be hacking of the recording from the parties involved.
And chances are that the easiest hack would be the client's system.

Thanks (1)