Data protection for homeworking during the Corona crisis

Data protection guidance for homeworking

Data protection rules that apply in the office should continue to be applied when working from home. A minimum level of protection for the processing of personal data is required, particularly through technical and organisational measures. Employees should therefore make sure they follow the guidance below in particular:

• When homeworking, the work equipment used (e.g. laptop) should be set up so that screens cannot be seen by family members or neighbours. This can be achieved by using a privacy film or by positioning equipment appropriately.
• As soon work equipment is left unattended – even if only briefly – the screen lock should be activated. The password for unlocking the screen should be known to the employee only and company equipment should not be used for personal reasons or by family members.
• Printing should be avoided. If paper documents are used, they should not be left lying around in the open. Under no circumstances should they be accessible to others and be used, for example, as painting paper by children.
• Documents and other working equipment should be stored in a secure place (in lockable drawers, cupboards etc.) when not in use.
• If printed documents need to be destroyed, this must be done in accordance with data protection regulations. As not all employees have a shredder at home, documents should be disposed of by tearing them into very small pieces.
• Business calls, especially confidential business calls, should only be made if the possibility of third parties listening in can be excluded.
• To ensure that data is available, it should not be stored locally if possible. If USB sticks are used to store data, personal data storage devices that also contain private files should not be used.
• Business emails should not be forwarded to an employee’s private mailbox under any circumstances.

Safety measures for employers

To help your employees take the measures outlined above, you should ensure that at least the following requirements are met:

• Specify the work equipment (hardware and software) that can be used at home (e.g. in an IT Acceptable Use policy).
• Secure access to computers and operating systems used at home with a password.
• Ensure that PCs, notebooks and mobile data media such as USB sticks are encrypted.
• Ensure that employees can access their work email accounts and that emails are sufficiently encrypted if they contain sensitive personal data.
• To ensure that data is available, it should be possible to remotely backup data. If work outputs are stored locally, the data will not be included in your company’s data backup. Local storage should be avoided if possible.
• Require employees to report data breaches and security incidents immediately.

Who is responsible for data protection when homeworking?

According to the EU General Data Protection Regulation (GDPR), it does not matter who processes data or where it is processed. What matters is who decides on the purpose and means of data processing (Art. 4 (7) GDPR). In a business context, this is usually the employer.

Thus, under the GDPR employees working from home are not responsible for the data they process on behalf of their employer. This means that companies are liable for data protection breaches, even if GDPR breaches occur when employees are working from home.

Conclusion: Guidance for homeworking continues to apply during a crisis

The current corona pandemic is forcing companies that would not normally allow homeworking to let their employees work from home. As a result, many employers have not yet taken any data protection precautions and have not issued any corresponding regulations or guidelines. It is now more important than ever to take action quickly.

However, as the guidance in this article shows, data protection when homeworking need not be an unreasonable expense if the requirements of the GDPR are appropriately implemented by your company.