Data protection and data security in the home office
In the face of the coronavirus pandemic, large parts of the working population, employees and the self-employed alike, have suddenly found themselves working from home. Data protection and data security must not be allowed to fall by the wayside under these circumstances. Businesses that had already permitted working from home before the pandemic were better placed to give their employees guidelines than businesses for which this was new. Data protection law does not stand in the way of working from home either. It is important, however, to take data security precautions that are commensurate with the risk associated with the processing.
In the home office, data is, at least in part, processed at a different location and by different means. The employer nevertheless remains the data controller within the meaning of data protection law, even for processing that takes place in the home office. It is therefore important that private and business data are not mixed. The employer also defines the technical and organizational measures required to protect personal data in the home office.
Where data is processed on behalf of a third party (commissioned processing), the underlying data processing agreement must be examined. Not every agreement provides for work from home; some contain restrictions or require specific security precautions. Naturally, this applies only where employees are handling data on behalf of that commissioning party.
Obligations under data protection law do not apply where only data without any personal reference is processed. In most cases, however, it is unavoidable that at least some personal data is used or processed. Even confidential data without personal reference, such as trade secrets, must be protected by adequate technical measures within the company.
Companies are advised to set out all the requirements relating to working at home in a home office policy, which may then also stipulate all security precautions. It should particularly include the following items:
- Priority should be given to using the company's IT equipment rather than private devices. This ensures that the operating system, antivirus software and firewall are kept up to date by the company. Private use of this equipment should be prohibited, since otherwise the company may find it harder to access the data stored on it.
- Storage media in the IT devices and external storage media should be encrypted (full-disk encryption) so that the data remains protected even if a device or medium is lost or stolen. Better still, files containing personal data should be stored on the company's servers and not on the devices in the home office.
- Where the Internet at home is accessed via Wi-Fi, the network must be sufficiently encrypted, both as regards the type of encryption (WPA2 or WPA3; open networks and WEP are not acceptable) and the complexity of the key.
- Online connections to the company's servers may only be established via a secure VPN connection.
- Forwarding business e-mails to private e-mail addresses should be avoided.
- Where messenger applications are used, they should provide adequate end-to-end encryption.
- When leaving the room in which the home office is located, (personal) data should be protected against unauthorized access. A password-protected screen lock with a short timeout should therefore be activated on the computers.
- Ideally, the home office room can be locked. Written documents should in any case be kept in a lockable cabinet or drawer.
- Care must be taken to ensure that other members of the household do not have access to personal data. Screens should be positioned so that they cannot be read by others. Phone calls should be made in rooms where no one can listen in. Printouts should be removed from the private printer as quickly as possible, and print jobs should not be sent to printers in the company where the person working from home is unable to collect them.
- Care should also be taken with paper waste. Business documents, and in particular documents containing personal data, should always be taken to the company and disposed of professionally. Under no circumstances should such documents be disposed of in the household waste.
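The Wi-Fi item above can be checked rather than just stated. The following is an added example (not part of the original article or of SKW Schwarz's guidance) that classifies the networks a Linux laptop sees, read from the terse output of `nmcli -t -f ACTIVE,SSID,SECURITY dev wifi`, and applies a minimum passphrase length. The sample `nmcli` output is constructed, and the 20-character policy minimum is an assumption; the 8 to 63 character range is the WPA2-PSK passphrase limit.

```python
"""Check home Wi-Fi settings against the home office policy item
"sufficient encryption type and key complexity".

Added example; it is not code from the original article. The sample
nmcli output and the policy minimum length are assumptions.
"""
import re

# CONSTRUCTED sample of `nmcli -t -f ACTIVE,SSID,SECURITY dev wifi`
# (terse mode: one network per line, fields separated by ':').
SAMPLE_NMCLI = """\
yes:HomeNet:WPA2
no:HomeNet-Guest:
no:OldRouter:WEP
no:NeighbourNet:WPA1
no:NewMesh:WPA2 WPA3
"""

# Assumption: the company policy demands at least 20 characters, which is
# stricter than the 8 characters the WPA2-PSK specification requires.
MIN_POLICY_LEN = 20


def split_terse(line):
    """Split an `nmcli -t` line on unescaped ':'.

    nmcli escapes a ':' inside a value (e.g. in an SSID) as '\\:', so a
    plain str.split(':') would break such SSIDs into extra fields.
    """
    fields = re.split(r"(?<!\\):", line)
    return [f.replace("\\:", ":") for f in fields]


def classify_security(sec):
    """Map the nmcli SECURITY field to a policy verdict string."""
    tokens = set(sec.split())
    if not tokens or tokens == {"--"}:
        return "fail: open network, no encryption"
    if "WEP" in tokens:
        return "fail: WEP is broken and offers no real protection"
    if "WPA3" in tokens or "WPA2" in tokens:
        return "ok"
    if "WPA1" in tokens:
        return "fail: WPA1/TKIP is deprecated"
    return "review: unknown security flags %s" % sorted(tokens)


def audit_wifi(nmcli_text):
    """Return {ssid: (is_active, verdict)} for every network in the output."""
    result = {}
    for line in nmcli_text.splitlines():
        if not line.strip():
            continue
        active, ssid, sec = split_terse(line)[:3]
        result[ssid] = (active == "yes", classify_security(sec))
    return result


def passphrase_ok(passphrase):
    """True if the WPA2/WPA3 passphrase meets both the spec and the policy.

    The spec allows 8 to 63 printable ASCII characters (0x20-0x7E); the
    policy minimum is the assumed MIN_POLICY_LEN.
    """
    if not 8 <= len(passphrase) <= 63:
        return False
    if not all(0x20 <= ord(c) <= 0x7E for c in passphrase):
        return False
    return len(passphrase) >= MIN_POLICY_LEN


if __name__ == "__main__":
    # In practice: subprocess.run(["nmcli", "-t", "-f", "ACTIVE,SSID,SECURITY",
    # "dev", "wifi"], capture_output=True, text=True).stdout
    for ssid, (active, verdict) in audit_wifi(SAMPLE_NMCLI).items():
        marker = "*" if active else " "
        print("%s %-15s %s" % (marker, ssid, verdict))
    print("passphrase policy:", passphrase_ok("correct horse battery staple 2020"))
```

Only the network marked active matters for the policy check, but listing all visible networks shows the employee which of the neighbouring or guest networks must not be used for business devices.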
If data is nonetheless lost or compromised, employees should be aware that they must report the incident as soon as possible, and they need to know to whom within the company the incident must be reported.
Additional information on working from home is also provided by the data protection supervisory authorities, such as:
We will gladly support you with all data protection law issues relating to working from home, and in particular with drafting the relevant corporate guidelines.
Status: April 1, 2020