Workplace Data Protection in the Home

Posted in: Supplementary Articles NI on 2 April 2020
Laura Gillespie
Pinsent Masons
Issues covered:

The coronavirus situation has brought many changes to the way we work. Many employees, managers and employers now need to work from home while continuing to handle personal data as a necessary part of their role. Particularly where businesses are considering how to manage workforce productivity, as well as sickness absence, this may often also involve "special category" or sensitive personal data. You may also be wondering what you can share within your business about employees suffering from symptoms of Covid-19. And what if staff make subject access requests, concerned about whether they will be "furloughed"? Will you still have to respond?

Although the ICO has indicated that it will be understanding in light of the Covid-19 crisis, the increased diversity of working practices clearly presents an opportunity for cyber-criminals, which could lead to breaches.

With that in mind, Legal Island and Pinsent Masons have recorded this webinar, Workplace Data Protection in the Home.

Training Resources

[New] Protecting Data when Home Working in Northern Ireland

With most organisations suddenly having remote working thrust upon them, what are you doing to protect your employees, customers and reputation? Data protection compliance for remote workers is very important.

This is why we created a 30-minute course to protect you and your organisation. Data breaches are often accidental and the result of staff carelessness. The fear and panic surrounding the coronavirus (COVID-19) have produced a perfect ‘high stress’ environment for cyber criminals.



Scott: Good morning, everybody. This is Scott Alexander. I'm from Legal Island. I'm here today with Rolanda Markey, who's also on the L&D team with us, and our special guest is Laura Gillespie. You'll be seeing the speakers in a moment. She's a partner at Pinsent Masons, and Laura specialises in regulatory enforcement and advises clients in a range of sectors dealing with compliance issues ranging from data and cyber breaches, internal fraud, corporate crime, and health and safety. You can tell I've been reading that thing for her.

So you can see the speakers in front of you, all with darker hair than we have now, I would imagine, now that the hairdressers have been banned, so we hope you're getting on okay. There's a number of you joining us. Today's webinar is a wee bit different to the ones that we've been running if you've been listening in to the "Employment Law at 11," or any of the other ones we've been doing. What we're going to have is a presentation on the issues that you see before you. We have data protection compliance, home working particularly, those types of things from Laura.

By Easter we had intended to run a seminar with Pinsent Masons and the Information Commissioner's Office. Now, that's been postponed this season for obvious reasons. So we thought, well, we're trying to keep in touch with everyone that had booked on to that, and others besides, and particularly on the issues of data protection now that most of Legal Island's customers are working from home. So what we're going to do is hand over in a second to Laura, who's going to make her presentation.

We have a number of questions in. Rolanda is the only one that can see the questions. I can't see them. I'm just a panellist like Laura. So Rolanda is organising the questions and the webinar. So if you send them in, they're all anonymous. We have had one or two before the webinar was broadcast today, so we'll build those in, and most of them are going to be answered by Laura in her presentation. But if we've missed anything, you can see there's a little question box on your screen. You can put your questions in at any time and we'll take them at the end of Laura's presentation.

All the slides and this webinar will be available to see and listen back to after the event as well, if you want to send the link on to colleagues who haven't managed to join us live. We have another couple of webinars coming up, one tomorrow, which is on coronavirus employment-related issues, and that's with the LRA and O'Reilly Stewart. And on Monday, Mark McAllister from the LRA will be joining us to look at non-coronavirus employment developments. There's lots of new laws coming in on Monday, both in GB and Northern Ireland, and we'll be looking at some case law developments as well. So back to today's agenda. I'm going to pass the thing over to Laura. But before we do that, I believe we've got a little quiz there, Rolanda. So over to you.

Poll Result 1

40% said their organisation had suffered a phishing attack in the last 6 months.

Poll Result 2

94% said they did not treat phishing attacks as personal data breaches.

Poll Result 3

Approximately 50% said their organisation had put additional security measures in place to cope with the number of staff working from home.

Laura: Thanks, Rolanda. I'm still seeing the quick poll, so I wonder if you can switch to the slides. While you do that, just to say good morning, everyone. This is my first Legal Island webinar, and I have to say slightly unusual circumstances in how I find myself coming to you, but I hope you all continue to be well. As Rolanda says, the purpose of this morning is to talk through the data protection issues arising from working from home, so what sorts of challenges face a particular business, and how that changes with . . . so how you manage the changes that that brings, and also some tips for really how you might manage that within the business.

So what I want to look at firstly is the question of data protection compliance. And just moving the screen on, Rolanda, but it's not working, so I wonder if maybe I could ask you to take control of your slides, and I'll . . . Thank you. So the first thing, data protection compliance. And, of course, you all will have programmes in place already to manage your data protection regime, but obviously that very much has often been turned on its head now that we have seen that most organisations, where possible, are having people, you know, working from home.

And the ICO has been responding to the COVID-19 situation and has made clear, they've said, "We know that you may need to share information quickly or adapt the way you work. Data protection will not stop you from doing that. It's about being proportionate." But they go on to say, "If something feels excessive from the public's point of view, then it probably is." And what they do make clear is that obviously the data protection principles that we've all come to know will still apply.

So things that you need to remember are things like purpose limitation and data minimisation. So only process the personal information that you need to process. Don't be transferring more than you need to. Don't be handling more than you need to. Those are all things which you should already be doing as part of your compliance programme, but it's particularly important as your IT infrastructure becomes broader as people work from home, and it also will minimise the risk that you are . . . effectively, if there is an issue or an incident, it means that you're not holding more personal information than you need to.

We'll come on to look at the specifics in a moment or two about the practicalities of that, but the first point to bear in mind is obviously that the purpose for which you're processing information still must apply. So even though we're all working in very challenging times, and even though things are more difficult as you go about your daily job, it's not to say that those difficulties mean that data protection compliance can be ignored. The principles must still be adhered to, and you still must find a basis for processing information, as has been done within your organisation.

The second thing to bear in mind obviously is transparency, and this underpins basically, in many ways, the data subject rights within processing information. What that basically means is that people have or should have the right to understand how you're processing their information. Usually, organisations do that through their privacy statement. And I don't expect necessarily that privacy statements will need to be largely altered in light of the COVID-19 situation, but if there is some kind of change where you're sharing personal data with a third party that you weren't previously, or there is some other change to how you're dealing with personal information, you should consider whether or not that will require an update to your privacy statement.

So one of the biggest areas of compliance is data security, and obviously that is something which remains fundamentally important, as with all the other principles. And that probably is the biggest challenge that home working presents for particular organisations. As you move to what is almost a bit of an unknown, where, you know, you don't sit at home with people, you don't see what their surroundings are like, you don't see what their IT network is like, and so that is where the biggest challenge comes in, and we'll obviously come on to look at that in more detail and in practical terms in a moment.

But the other issue is that of accountability. And I recall probably about three years ago now doing a fireside chat with Ken Macdonald at the Legal Island Annual Review, in anticipation of GDPR coming into force. I asked him what he thought the biggest change was going to be, and I suspected at the time his answer was going to be the fines, but he said accountability. And I scratched my head slightly at the time thinking . . . I was surprised by his answer. But I think that I can see now that that is the biggest change for organisations, in the sense that accountability requires you to have effectively a document log or an audit trail of how you as an organisation comply with the data protection principles.

So as you move from office-space working to home working, each change that you make within your organisation to take account of that, so the changes in IT platforms, the changes in how post or other hard copy files are dealt with, all of those changes should be documented as part of the accountability principle, because Liz Denham, earlier this year, did say that in the breaches that the ICO have been handling over the last year, one area where she sees there's still considerable lacking is in that of accountability, where organisations do not have the ability to demonstrate how they are complying with the principles. So as we move through this crisis, and as your systems change, do ensure that you're documenting the changes to processes so that if an incident occurs, you've got the evidence trail to demonstrate how you've been managing that as you go on through the particular changes within the organisation.

So, if we move onto the next slide, what I wanted to touch on then was really the practicalities of home working. What does that mean? What are the issues that that presents from a risk perspective, and how do you manage that? And I'm acutely aware of how difficult that is. Both my husband and I are sitting at home trying to work from home and have an almost-3-year-old toddler locked into the middle of all of that. And it is challenging. It's challenging for anybody who's trying to undertake it. You're trying to juggle a day job, and therefore you have to expect that people will be working in different circumstances to how they would be in an office setting.

And there's probably three broad ways that I want to touch on for you to think about it within your organisation. And what I would suggest, again, thinking back to the accountability principle, is to think about how you risk-assess and then manage the specific risks that the organisation is facing because of the home working situation that's arising. The first is the home working policy.

Home Working Policy

Again, many organisations might well already have had one of these. Certainly, I know within Pinsent Masons, given the agile way that we work, this is something which wasn't unfamiliar to the business, and therefore that could be adapted very quickly, simply to deal with a larger volume of employees who were obviously undertaking work from home. But it's, again, just making sure that your staff understand the risks that arise from working from home.

So, for example, locking screens. I know certainly my daughter is quick to say, "Can I have a page?" and wants to, you know, type things on the computer to be like Mummy doing her work. Obviously, the risk arising from that is that little fingers hit the wrong button, and somehow inadvertently end up sending emails where they shouldn't. So practical things like, when staff are away from their computer, ensuring that they're still diligent about locking their screens.

Other things, again, staff often want to be diligent about trying to get work done. They want to get responses sent to clients. They probably are concerned in the back of their mind around furloughing, and therefore they want to ensure that they're staying busy. The risk that that presents from a data protection perspective is the fact that they could then seek to try and speed up a process. So, you know, depending on the volume of traffic through a VPN network, for example, it may well be that they struggle to log on to a secure system and they try and cut corners, either by transferring information to a portable device, you know, a memory stick, or they try and email things to their home account.

Both of those present significant security risks, because either their web-based email's not secure, or the USB stick gets lost. So those are all risks that that presents. So, again, making sure that you're communicating to staff the limits on what they're allowed to do. So, for example, ensuring that all email traffic must go through a VPN connection, must go through the normal communication channels within the business, because once they start to stray outside of that, you're losing control of what they're doing and how they're doing it.

Another thing is just to be mindful of obviously telephone calls and where they're taking calls, and just making sure that that, again, is done in a private setting where the nature of those telephone calls can't be overheard. A big issue again in terms of the practicalities of the home setting is that of printing and shredding, so the paper records that people hold. Certainly I know within our team I had a request on Tuesday for a staff member to have a hard copy file retrieved from the office, and ultimately we decided it wasn't necessary to do because what was needed was effectively scanned and available on the network system.

And my concern with permitting that is, again, you know, this situation with home working could persist for many weeks to come, and as an organisation, if people start to take hard copy documents out of an office and it's not properly monitored, the risk is that they forget that they had one in the dining room, and one in the study, and one in the boot of the car, and, again, some of those get lost.

So just thinking around, is it necessary to take hard copy documents home? You know, trying to minimise where that is done, and ensuring it's only done so far as is necessary. And if people then are printing documents at home, again, you may just decide you prefer that only certain people within the business are allowed to print. So think about how you might categorise documents to minimise what's capable of being printed and by whom, so, again, you can just be clear and control what information is being generated in the home setting, because that naturally then gives rise to your risk around document destruction.

So, again, people at home, they may have a small personal shredder, but it may not be sufficient to deal with the shredding of documents. So if you're looking at the risk assessment, to manage your employees at home, the first phase of that is thinking about their physical setting. So ensuring we lock screens, prohibit or restrict the transfer of documentation to portable devices, and making sure there are clear printing and shredding requirements if printing is permitted in the home setting.

Rolanda was asking questions at the start about phishing emails, and we'll come on to look at cyber risk in a little more detail in a moment. But the other thing to bear in mind is that staff must be reminded about the incident reporting requirements, particularly where the usual way in which that might be done is not possible. So, for example, if you have a small office, and if someone creates, you know, or presents a particular issue, you know, they'll go and talk to the chap in IT. Make sure they know how to move that on, or how they're going to report that.

IT Infrastructure

Looking on then to IT infrastructure. Obviously making sure . . . we've touched on most of this, but it's done through a VPN, things like home email aren't permitted, and again, thinking about how you restrict the use of unauthorised apps and programs. The other issue is if you're trying to send information out to a client or customer, making sure that that's being done securely. So, for example, if it's particularly sensitive information, doing that through a secure FTP site, thinking about large file transfer sites, which are enabled to be done in an encrypted fashion rather than simply by email. Again, less sensitive documents might be sent by way of a password-protected PDF.

Social and Virtual Groups

And the last thing I just wanted to touch on was social and virtual groups. So I know, certainly in our organisation, we're looking at groups where people . . . we're just trying to keep people in good spirits and, kind of, give a way in which people can still interact with their colleagues. Just make sure that people remember that they shouldn't be putting any personal customer or client information within those groups.

Communicating Cases of Covid-19

So one thing, to move on to the question of how you communicate with them, obviously communicating cases of COVID-19, we've had some queries around that. And the ICO have basically said that that's something which can be possible to do. It may not be necessary to give the names of people who might be suffering within an organisation. I suspect that's become less of a risk now that individuals have started to work from home, so it's not such a pressing issue.

Data Subject Access Requests

Another query we've had is around DSARs, and the ICO has been clear on that to say that it cannot extend the statutory time limit, that is one month, but they have communicated through their channels that there is the potential for understandable delays. So within your organisation, it basically means you still have to comply within one month, and you have to think about the practicalities of how you go about locating personal information.

One potential way in which you can help yourself with that is to think about Article 12(5), which gives the potential to extend time by a further two months if a request is complex. So, you might consider trying to use that if you think it's going to be particularly challenging to respond within the one-month period. But the ICO has basically said, "We can't extend statutory time in the current circumstances." And, again, just thinking about your duties in relation to sharing or transferring outside Europe, those all still apply. The reason I mention that is because as you move to different platforms, you may need to check whether or not it would also be hosted outside, or hosted on servers outside, Europe. So just be careful to check that.

Cyber Risks

So moving on then to the question of cyber risk, I just wanted to share with you some of our Pinsent Masons white paper from last year, which looked at the trends in cyberspace, and that found that 34% of the issues that we experienced as a cyber team in helping clients were phishing emails. It's the most common sort of attack that we've seen.

Not all will be personal data breaches, on the question that Rolanda posed at the start, but many could be, because ultimately what it means usually is that an attacker has been within a mailbox and been able to access that mailbox and everything within it. So how do you deal with the cyber risk then, and what are the things you should be doing to manage that cyber risk in the organisation? This is where we look at the next slide on that. The key issues, firstly, again, are to think about your incident response plan.

So firstly, you have to make sure that your staff understand what a phishing email is and looks like. Certainly, within our business, basically every quarter, pretty much a mock phishing email is sent, and we are judged against how we respond to that. So, do we report it as phishing? Do we click it? And those that click are sent on mandatory further training.

So, again, whether it's an email to your staff or whether you've got some kind of training platform, make sure that they understand how to be alive to the risk of phishing emails and other scams, because both the NCSC and the World Health Organisation actually have said that they can see that there is an increased risk of cyber criminals using the COVID-19 crisis as a way in which to try and dupe people into giving information where they shouldn't. So there is an increased risk. You must remind staff firstly of what the risks are, so the risks of phishing emails, the risks around their system behaving oddly, and knowing to report that to IT, and having an escalation procedure so they understand, when they're working from home, who they need to tell, and how they need to tell them.

Just then, I want to talk about invoice fraud, because that most often is the purpose behind a phishing email. So typically, an attacker will want to get into your mailbox in order to carry out invoice fraud. That could be they change bank details to get payments made to their own bank accounts rather than the proper person. Increasingly, what we're seeing to guard against that is a change of process whereby contracts are now often saying that we will never change our bank details simply by way of email. You must always phone to verify the bank details before doing so. In these times where particularly people are working from home, it would be very prudent to ensure that people are calling what is a known number for an organisation to check that any change in bank details is legitimate, because I suspect invoice fraud will be on the rise.

Looking to password policies. So, again, many organisations already have these, but I have seen in some of the cyber cases that we've dealt with a specific request from the ICO for a copy of a password policy where an attacker has gotten into a particular part of a system. The ICO can ask, "Well, tell me what the password requirements were for that particular part of the system."

Usually what those password policies will say, they needn't be terribly long or sophisticated, but they will have requirements around the length, so things like a mixture of alphanumeric characters. It can't be one that's been used within the last full rotation, and it's changed every 60 days. So thinking about how, again, you're forcing your workforce to ensure that those passwords are being changed.

Multi-factor authentication is commonly talked about in this space, and that is often a good way to guard against phishing attacks particularly. That effectively is a dual-layered process for logging into a system. You probably are most aware of that with, you know, your personal banking, where you effectively have to put in two layers of security questions to access it. It's not particularly complex to do. IT teams will be able to do that. But when we're dealing with phishing attacks that are personal data breaches, the first recommendation is always to consider multi-factor authentication for the email system. So, again, something to think about. If it's not already there, it's very much worth ensuring that that's put in place.

Again, just thinking about the fact that you'll be bringing in new processes to the organisation, think about any new software or applications that you're asking staff to use, so whether it's MS Teams, whether it's Zoom, whether it's any other range of new applications that people are effectively being bombarded with. Firstly, think about how you're going to restrict the use of those. So, consider whether or not you will have an approved list of people that are allowed to use them, and then tell them what they're allowed to do on those particular platforms.

So, for example, it may be that when a platform is used simply for a social team catch-up, make it clear that it is only for that, and should not have any client or personal information shared on it, so it's just basically to facilitate a team catch-up on, you know, a social level rather than a work-related level, and making sure they know what the limits are with those particular applications.

And lastly, there was a cyber report issued a couple of days ago by the NCSC, in which the UK government was basically giving an update on what the cybersecurity risks are. It seems that phishing attacks are on the rise. Malware and ransomware are on the decline, but having said that, it's still something that we within the Pinsent Masons cyber team see reasonably frequently. So if an attacker gets into your system and encrypts that, the quickest way you can get back up and running is appropriate backups that are, you know, kept effectively separate from the system, from which you can rebuild any servers that might be encrypted.

So, again, ensure your antivirus software is up-to-date, make sure there are regular backups being taken so that if an attacker gets in you can effectively get the business back up and running very quickly, because business interruption for, you know, days, weeks could be business-ending for many. So make sure that you've got those backups being taken regularly, and that they are not stored on the same network, which would mean that the attacker could encrypt all of those.

Key Steps to Ensure Data Protection During Homeworking

Moving on then to the next slide, key steps to take now, and then we'll move onto some questions.

1. Firstly, review your incident response plan and home working plan. Tell staff what they can and can't do. Think about paper records. Think about the use of authorised applications within the business, and remind them of the risks that will be coming from working from home, so the risks of phishing emails, restrictions on printing, and restrictions on how any hard copy documents are being taken off-site.

2. Secondly, be clear on the use of VPN with a secure network. So, you know, tell them how they should be communicating, things like what particular network must be used, how records should be sent, again, use of unauthorised technologies, and then conduct your antivirus and IT security review.

So make sure all of those are up-to-date. We've had clients who experienced ransomware attacks and it turned out the antivirus hadn't been updated in 18, 24 months. And it's something that's easy to do, but obviously hindsight is a wonderful thing when it hasn't been done. So just make sure that you're taking those steps now in order to ensure that you best protect your system, and your workforce, and, indeed, your business if people are working from home.

Rolanda, I'll come back over to you in a moment. Just, I have some useful links there. The Pinsent Masons' website is providing an update on a range of business issues in response to the COVID-19 situation. So that's linked to our own website. Equally the ICO, the EDPB, which is the European Data Protection Board, and the NCSC, the National Cyber Security Centre, have been publishing guidance in response to the particular situation, so I've just included the links there for you as well so you can do some further reading at your leisure. That's all for me in terms of the formal presentation. Rolanda, I will hand over to you at this point.

Rolanda: Okay. Thanks.

Scott: Thank you very much to Laura there. This is Scott here as opposed to Rolanda. Rolanda, you've got some questions coming in, but I'd like to thank Laura just for the presentation. And there's a couple of things that may come up from that. So that second-to-last slide that you had there, kind of, would be your action list at the moment. I imagine that one of the problems . . . and it came up in your presentation, is that most people probably don't know how to report an incident. Maybe in your organisation, obviously they will, because you do your tests every month or so, don't you?

Laura: Yes.

Scott: And you try a phishing exercise with the staff to see what the results are. But probably most of us don't, and we've all kind of rushed in to working from home. A lot of people, certainly in Legal Island, very seldom work from home, if at all, and almost all of them are now working from home. But I'm not sure who I contact straight away, I'll be honest with you. And if there's a data breach . . . well, there must be a higher risk of data breaches if people are working from home.

Laura: Precisely. Yeah. So people need to understand firstly that if they get an unusual email that seems to be like a phishing email, or they get a phone call to say, "You said you paid me that invoice on Monday, it still hasn't hit our bank account," or if somebody rings to say, "I've got a very unusual email," or you get three phone calls to say, "I've got a really unusual email from your email account," all of those things suggest that there could be an issue with an attacker being within the mailbox. Someone might just put that under, well, that's a bit strange. They need to understand that that is a potential IT issue, and they need to then be clear on who they contact.

So a response plan can be on one page, you know. They can run to 10 pages, but it's . . . here are the things you need to identify. So unusual activity within your mailbox, particularly, you know, invoices not being paid when you think you have paid them, or people ringing to say that they've received unusual emails from you. Those sorts of things should be a red flag and a reporting call. And give a list of numbers, usually I would say at least two or three people within the organisation, and those should be people usually at board or equivalent level, because they will have to then be responding very quickly to that. So, yeah, it doesn't need to be sophisticated, but it's just ensuring that people now have the right phone numbers, because, again, if it's a mobile number rather than their desk, then obviously they need to have that as part of the response plan.

Scott: Okay. Thank you, because there are some GDPR reporting requirements that still apply, aren't there, even though everyone's working from home. Yeah.

Laura: Absolutely.

Scott: You still have three days to go to the ICO, basically?

Laura: Yeah. As soon as possible, and no later than three days from becoming aware. Yeah. So, yeah, those time limits will still apply. It includes weekends, it includes bank holidays, it includes Christmas Day, it will include Good Friday, Easter Monday. So, yeah, those reporting requirements will still apply.

Scott: Okay. Could we go over to Rolanda? Now, Rolanda, you've got some questions that have come in before and during the webinar. Maybe you could reel off a couple of those for Laura?

Rolanda: Certainly. Thanks, Scott. Okay. So the first one was,

Question: Data Subject Access Requests

"I currently have an open subject access request, which is due to this data subject via their solicitor on the 9th of April. I contacted the solicitor to inform them that we have stopped the clock as we are not in the office for the data setting awaiting redaction, etc. Are we right to do this, and what should we tell future data subjects who submit requests while we are working from home?"

Laura: That's a very good question, and the ICO guidance is that they are not in a position to extend the time limits. So their view is: it was a month, and it continues to be a month. What they have said is that they are telling people to expect reasonable delays. What they will do, if someone complains to them in due course because the response hasn't been given, remains to be seen. Practical options. So, in short, are you right to do it? Technically, no, but there is a practical issue about the fact that you can't get into the office in order to obtain the information to provide the redaction.

A couple of ways in which it could be done: the documentation could be scanned in, and there are tools which can be used online to carry out redactions. If that's not practical, I would probably try extending time under Article 12(5), and saying that the situation is complex, and therefore you're seeking to extend time by a further two months given the current situation, and, you know, hope that that may be sufficient. And in terms of future data subjects who make requests, again, I would just be upfront about how you're trying to manage the response, but the official line from the ICO is that you're still expected to comply. They cannot extend the statutory time period.

So I think the best that you can do, and the way in which you can manage that perhaps, is also to give what you have at the moment, but then, again, just being clear about when you're sending the information, if that's going, you know, by post, that it's not just ordinary First Class post, that you're sending that out by courier or by a secure file transfer if it's being sent electronically. So, again, just thinking about mode of transmission as you come to send that. But be aware that the ICO is not officially relaxing that time period.

Question: Unstructured Files

Rolanda: Okay. Thanks, Laura. Another question then to do with GDPR,

"Recital 15 of the General Data Protection Regulation implies that data which sits outside of structured files is not covered under GDPR. Can you explain what comes under unstructured files?"

Laura: Yeah. No problem. So structured files, kind of, is a follow-through from the old DPA '98. Usually, unstructured files aren't covered by GDPR as the person has said, but that caveat doesn't apply to public authorities. So if you're a public authority who replies to FOIA requests, this exemption or restriction doesn't apply to you. But the structured file, the old guide, the ICO doesn't use anymore. They've said they're updating their guidance post-GDPR, but the old guide was a temp test, and I thought it was quite a good way to explain that. So think about whether you had a temp in for the day, and you asked them to go and retrieve each particular document. Could that be done?

So, for example, you've got a file that's for John Smith, and it's categorised into payroll, absence, sickness records, and each of those are in date order, and you need to get a particular document. It's only in a physical file. You can go and you can retrieve that because the file is structured, that will be caught. But, for example, if you have an A4 kind of notebook that is just simply your thoughts on particular cases, matters, whatever they happen to be, as you go through, that typically will not be structured because it's just your random notes. There's no particular order to them.

So those sorts of documents will not be structured files because there's no order to them. So think about if you had a temp in for the day and you asked them to go and retrieve it, could they find it? If the answer to that is yes, it's likely to be in a structured file. If the answer is no, it's more likely unstructured, and therefore will not fall within the scope of GDPR, except if you're a public authority, in which case all documents will fall within the scope.

Question: Data Protection Issues Associated With Zoom

Rolanda: Okay. Thanks, Laura. A few further questions about the likes of Zoom, and people are saying . . . and there has been some discussion in the media about data protection issues with Zoom. So:

Is Zoom safe to use for remote consultation meetings?

I don't know whether you're really in a position to answer that yet. It may be better if I leave it. What do you think?

Laura: Well, I know it's a question that is being asked. Boris Johnson seems to have been confident to use it for his cabinet meetings, albeit that he was sharing his meeting ID. I was on a call actually with our Pinsent Masons cyber team yesterday. One of our colleagues said she was able to hack into her friend's personal training session. So a friend in the cyber team said she was able to hack into another colleague's personal training session. So what you have to do . . . I haven't gone through Zoom's privacy policy yet, but what you need to do is look very closely at the privacy policy to understand how the information is being used.

So I know that some applications will automatically record what is being said, and some will look at what particularly is being done, you know, with call logs and things, and where information is being stored. So you need to look very closely at the privacy policy in order to understand how the application will work, and what is being stored, because it may well be that this recording is entirely inappropriate for client or customer information to be discussed over those particular platforms.

So we look at the privacy policy to understand how information is being used. I have another colleague actually who used to work in the ICO, and her general rule of thumb is that if an application is U.S.-based, she'll not use it because of the difference in data protection requirements over there. So be very careful with the applications. Read the privacy policies very carefully to understand what they do.

Rolanda: Okay.

Scott: When it comes to using those kind of platforms, it's almost that it's not just the data protection issues. The thing about, you know, business protection and commercial confidentiality, which doesn't cover data protection, unless it's an individual, presumably. But if you're having business discussions, and they can be listened to or they're being recorded, that's pretty dangerous regardless of the data protection issues.

Laura: Precisely. Yeah. I mean, the business issue is much broader than that. And, I mean, I think the BBC reporting on the Zoom issue in the cabinet meeting was that they were saying, is this a secure platform through which, you know, clearly very confidential information should or should not be shared? So you're quite right. It's not just about data protection, it's about client and business confidentiality.

Scott: Okay. Rolanda, one last question maybe and then we'll have to close up.

Question: Data Protection Issues with Devices such as Amazon’s Alexa

Rolanda: I think probably it's maybe more, you know, of a data protection issue in the home. Somebody just in the question box mentioned the likes of Alexa, and other obviously similar devices available, but Alexa has had a bit of a bad press in the U.S. recording private conversations and such like.

So what would your advice be, Laura, for people working where maybe they have an Alexa (or something equivalent) in the background?

Laura: Again, it's making sure that the privacy settings on anything of that nature are set to private, or thinking about whether or not it needs to be in the room. If you're making a lot of phone calls, you know, work calls where you're discussing clients and business information, does Alexa need to be in the room at all, maybe if you're choosing to listen to music in the background or, you know, for a whole host of reasons? But just, again, thinking about whether or not it needs to be there. I know that with the likes of Alexa, the suggestion is that there's not necessarily recording happening, again, there appears to be a debate about that but, you know, if you want to take the cautious approach, just make sure Alexa is not in the room at the same time.

Scott: Okay. Thank you very much to Rolanda and to Laura there. If you have any other questions, you can send them in. But before you do, you can see there's a slide there on training courses of Legal Island. We don't have any physical events at the moment, but we do have a whole range of eLearning courses. You can see there, "Protecting Data when Working from Home," so you can test yourself on what you’ve heard today and more. Also the protecting is more of a health and safety, and well-being course there. And there's a free one there on coronavirus awareness in the workplace. If you're interested in any of those, just type "yes" into the question box. We'll ask Debbie from the eLearning team to get in touch with you and give you details if you like.

That's about it. There's another slide to come, Rolanda? There you go. There's me and Laura. So thank you to everybody. If you want to join us tomorrow, the details of our next webinars, you go to Legal Island, click on "Events." On the very first tab is the upcoming webinars. You can see what's coming up there at the moment. Tomorrow is the "Employment Law at 11," then on Monday we have "Non-Coronavirus." So that's things that are coming to about various statements. There's also the limits for unfair dismissal awards redundancy payments, SSP, and so on going on. And we'll be looking at the Mortenson case and the case liability in a bit more detail.

Rolanda, you've one coming up there on 23rd of April about Managing Absence with Louise McAloon from Worthingtons. And then we have the other normal monthly . . . every first Friday of every month, we have "Employment Law at 11." So thank you very much to everybody listening. You can listen back this afternoon on the website. And if you go to the website, you'll also find under "Resources," all our coronavirus articles, links to various people that we think are useful. They're all in the coronavirus section if you go into "Resources" part. Thanks for listening, everybody. Bye-bye. Thanks, Laura.

This article is correct at 02/04/2020

The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.

Laura Gillespie
Pinsent Masons

The main content of this article was provided by Laura Gillespie. Contact telephone number is +44 (0)2890 894 885 or email