Our DPO, Graham Francis, has written this handy guide for team ucisa regarding working from home and GDPR. I am sure that most of you will already have this covered but share it in case it is of use for your own teams. Graham is happy for you to share this but would appreciate being attributed. Should you have any questions you can reach Graham at grahamfrancisconsulting@btinternet.com
Introduction
In these difficult times, remote working is the recommendation however it presents both significant benefits but also potential risks. Whilst staff may have remote access to information held on secure campus servers, this is without the physical protections available on site and the protections provided afforded to the network by firewalls and access controls. There is also a much greater risk of unauthorised access to, and loss or destruction of, data whilst working in this way.
Does the General Data Protection Regulation (GDPR) apply if I am working from home?
Yes, if you are processing any identifiable personal data of any living individual as part of your directed duties then this must be done is accordance with GDPR, this includes paper based data.
What should I do when I am working from home?
When working from home you must ensure that that your computer is properly protected with the latest anti-virus and anti-malware software installed. Do not write down your Username and Password so that they are easier to remember.
Do not to leave the screen on when you are no longer using the computer as this could allow sensitive data to be seen by others. Where possible you should use a secure connection such as Citrix (if provided) to access and save files.
When you have finished working make sure that you fully close down all applications that you have been using, especially the secure connection that you might have previously established.
Where should I work from when I am working from home?
You should ensure that you maintain a similar level of privacy whilst working from home to that which you would when working in your own work space. You should ensure that your screen is not visible to anyone else at all times where possible.
I need to send a file which contains personal data to another member of staff, what should I do?
Rather than sending the data file it would be better to use an application such as Microsoft OneDrive to provide access to the file in-situ. If you cannot do this, do not send the data file to a personal email address as this would be considered a data breach and ensure that the file is encrypted before it is sent.
What should I do if I receive an email that includes an attachment which includes Personal Data?
Before opening any file you must be certain that it has been sent from a genuine source. Special care should be taken to ensure that when the data is no longer required it is deleted from your local device. This includes any files that have been saved automatically as part of the download process.
I suspect a Data Breach has occurred whilst I have been working from home, what should I do?
If you suspect a data breach has occurred whilst you are working from home you should report the suspected data breach to your Data Protection Officer. The suspected data breach will then be investigated and you are likely to be contacted again during the investigation for further information.
