Coronavirus - Tips for staying safe whilst working remotely during COVID-19 - Ireland
17-04-2020
During these very uncertain times, organisations are required to implement remote working mechanisms and strategies for employees during the current Covid-19 pandemic. Although remote working is essential to assist organisations in continuing to work as efficiently as possible, it is not without risk. The Data Protection Commission (the “DPC”) has highlighted the risk of online ‘hacks’ and ‘scams’ in which attempts are made to gain access to devices and personal data is then targeted.
The DPC has issued a number of guidelines on how organisations and their employees can stay safe whilst working online and remotely in order to ensure personal data, including special category data, is best protected.
We have summarised these DPC guidelines into ‘Dos’ and ‘Don’ts’ to help your organisation and employees stay safe whilst working remotely.
The ‘Dos’ and ‘Don’ts’ of staying safe online
DO – ensure that you are sharing personal data with a trusted source. Avoid sharing special category personal data (health data, biometric data, genetic data etc.) with anyone other than trusted recipients such as government departments or public health authorities (and only share after engaging with said bodies to ensure that it is secure to do so).
DO – read over data protection notices or privacy policies of websites, apps or dashboards to determine what data is being collected, who is collecting this data, where the data is stored and/or processed, what purpose the data is being used for and what security mechanisms are in place before deciding to use a service provider.
DON’T – share personal data with apps, services or websites where the privacy policies or data protection notices do not set out the appropriate information or guarantee a sufficient level of protection unless you contact said service providers for clarity/assurances.
DON’T – click into links or open attachments sent through or forwarded by emails, SMS or messaging apps, especially if they are not expected, without first investigating and ensuring that these links and attachments are safe and secure (this can be done by hovering the mouse over the link before clicking, as the destination URL should appear).
DO – keep antivirus or online security software up-to-date and installed on every device including desktops, laptops, tablets and smartphones.
DO – ensure employees are using only agreed contracted service providers and that you have vetted and approved the security and privacy features of the services that employees are required to use. This should be kept in mind for external communication with clients/customers as well as internal communication between employees. For further guidance on what information should be reviewed before using and allowing employees to use alternative communication methods, please see our useful ‘Compliance Checklist’ below.
Video & Telephone Conferencing
DO – ensure that when employees are engaging with people outside of your organisation that they use work email addresses, phone numbers and other relevant work accounts. This would minimise the risk of inadvertently collecting personal contact and social media information.
DO – provide all employees with up-to-date and consistent organisational policies and procedures for video and telephone conferencing. These policies should set out what services are used and information on how to use these services. Information on the security mechanisms adopted by service providers should also be referenced so that employees are aware of how to best protect their data. Access to video-conferencing services should be offered to employees through VPN or remote network access capabilities.
DON’T – share company data including document locations or hyperlinks in shared chat facilities. These shared chat facilities are often public. This may lead to company data being processed in an unsecure and unsafe manner.
DO – ensure that your organisation and your employees implement and maintain adequate security measures such as access controls (for example, strong unique password requirements and multi-factor authentication).
DON’T – use or share more data than is reasonably necessary.
DO – ensure if video conferencing is being used by employees, that employees use these services in a safe location. Instruct employees to mute, turn off video, and log out as appropriate.
Further Guidance: Compliance Checklist
In determining whether alternative communication platforms or providers guarantee an adequate level of protection, organisations should assess in advance (and act upon the outcome), among other things, the following:
• What data is stored by or transmitted from the concerned platform to the provider and its servers (eg chat histories, log-in data, etc.);
• Include this particular processing activity in your register of processing activities;
• Whether the platform guarantees a sufficient level of data security. In particular, companies should check whether the provider of the respective platform provides appropriate safeguards for third country transfers (eg certification under the US Privacy Shield, where their servers could be located in the USA);
• Whether internal corporate communication via the platform is sufficiently secure (eg risk of potential data breaches);
• If internal privacy notices and policies reflect this processing activity sufficiently or need to be updated;
• If a user policy is necessary because of trade secret, competition and/or cybersecurity aspects. For example, employers are forced to put a Bring Your Own Device policy in place when platforms are used on private devices;
• Depending on the amount and qualification of the data exchanged (such as special category personal data) assess whether a Data Protection Impact Assessment (DPIA) is mandatory; and
• Whether it is likely that employees will exchange personal data protected by the obligation of professional secrecy via these platforms. In that case, an internal policy should be in place to prevent employees from doing that and prescribe alternative and GDPR-compliant ways of communication of this type of personal data.
The above list of ‘dos’ and ‘don’ts’ along with the actions/attention points for compliance is in no way definitive but we hope it offers some guidance on the relevant aspects of data protection compliance when companies require employees to work remotely and have to consider the use of alternative communication platforms and/or service providers in doing so.
For further information or to discuss the impact of this decision in more detail please contact:
Marie McGinley, Partner and Head of IP, Technology & DP - mariemcginley@eversheds-sutherland.ie
Kirsty Farrell, Solicitor, IP, Technology & DP - kirstyfarrell@eversheds-sutherland.ie
For support on legal issues facing your business in light of the outbreak of Covid-19, please visit our Coronavirus hub to get our latest information and guidance.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.