Meeting the data challenge of working from home

By Forbes Solicitors

06 May 2020

daniel-milnes-2.jpg

Before the UK went on lockdown, ‘work from home wherever possible’ was one of the earliest messages from the Government to try and delay the spread of COVID-19. For businesses not used to remote working, this presented a number of challenges surrounding IT equipment, networks and infrastructures. These were all very practical considerations, focused on enabling connectivity and accessibility to minimise operational disruption and ensure employees could actually work from home.

With these conundrums solved, businesses are now increasingly turning their attention to information security and data protection. Popular video conferencing platform Zoom has hit the headlines following reports of virtual meetings being hijacked by rogue users. This highlights a key data protection challenge of remote working but isn’t the only major risk companies need to be mindful of, they also need to effectively manage the trend of employees using their own devices for work purposes.

Video conferencing and virtual meetings

Companies using online platforms to host virtual meetings have two data privacy challenges to contend with. They need to consider the security of information shared during the video conference and also need to be mindful about how the online hosting company handles the personal information of employees.

The European Union’s General Data Protection Regulation (GDPR) provides a regulatory framework for how personal data is collected, handled, stored and retained for future use by organisations and is applied with modifications in domestic law across Brexit by the Data Protection Act 2018 (DPA). Part of this Regulation means that individuals, such as employees, have a right to know which organisations hold their personal information, why and how it is being used.

If companies opt to use a platform such as Zoom and request that employees join video conferences, a business could find it becomes liable for how the video conferencing provider uses and shares employees’ personal information. If a member of staff was dissatisfied with this or felt compromised because of this, they could potentially bring a claim for damages against their employer. The legal position here depends on the relationship between the employer and the provider and whether the provider is a “processor” or a “controller”. This is a significant distinction, because controllers are more regulated and have more duties under the GDPR and DPA. Processors have an independent duty to maintain appropriate data security, so an insecure provider could face enforcement action by the Information Commissioner’s Office (ICO)

The hijacking of Zoom video conferences has involved ‘Zoombombing’, where rogue users join virtual meetings and broadcast shock messages and pornographic content. The disruptive and offensive nature of this aside, this so-called ‘Zoombombing’ may expose a serious vulnerability, if rogue access is not being caused by users leaking access details.

Malicious users could join video conferences to access confidential business information and depending on how they gain access, the company which organised the conference could find itself liable for a data breach in relation to personal information or a claim for breach of confidentiality, as could the platform provider.

Businesses using video conferencing platforms need to ensure, at the very least, that hosting providers offer true end-to-end encryption and use unique passcodes for each participant for each session. They should also carry out some due diligence or even a Data Protection Impact Assessment before committing to use of the platform and apply some normal common sense about what they say and what they show during the conference. 

Using personal devices

Given the large numbers of remote workers, many organisations are permitting staff to work remotely on their own personal devices (commonly known as ‘Bring Your Own Device’ or BYOD). 

With this in mind, companies need to ensure they have a BYOD policy or conduct a review of existing policies. A policy will need to consider the suitability of a member of staff’s device, which should include an employee confirming that their device’s operating system is up to date and that relevant security updates have been downloaded. 

An update from Google in March 2020 confirmed that it had patched a vulnerability update to protect millions of Android phones, which were at risk of being exploited by hackers. If an employee hasn’t downloaded this patch and was using their phone to access work networks, their device could provide a gateway for hackers to commercial and personal data.

While business owners and managers may believe the employee is liable, because it’s their device and subsequent failing to download an update, this is unlikely to be the case. A company retains responsibility for the security of information processed through personal devices where they are used for work purposes with the knowledge of the employer. The recent Supreme Court judgment in the Morrisons data breach case repeated the established legal rule that, where the employee is acting for the employer’s business, then in many cases the employer will be liable for what the employee does or fails to do, even if it goes outside or against instructions.  

Businesses must also ensure that within their BYDO policy there is provision to deal with the loss, theft or failure of an employee’s device.  A device’s geo-locations should be switched on and a capability to remotely wipe data, if it is lost or stolen, should be installed if possible.

BYOD policies need to also address the practical elements of home device use, such as not having content replicated over their devices in the home, and not leaving devices accessible or visible from outside.

Finally, businesses must consider how to deal with BYOD for employees entering furlough or leaving their employment.  They may need to ensure employees do not access work information and networks during a period of furlough and make provision to retrieve stored documents and delete relevant information from the device, should the employee leave the business.

It is currently unclear how long government instructions to work from home wherever possible will last. This has left many businesses prioritising how to adapt their operations to keep them running. As part of this, companies should take the time to consider the new risks working remotely can present to data protection and information security. Addressing challenges will safeguard operation now and create a foundation for more agile and secure working in the future.

Latest news

1

PM+M welcomes ten new apprentices for 2025 intake Lucy Field, Kate Walsh, Ellie Fisher, Zainab Aswat, Reece Jones, Aisha Bibi Patel, Finley Vila, Uzair Zariwala, Richard Prest, and Charlie Harrison

PM+M welcomes ten new apprentices for 2025 intake

11 Sep 2025

2

ROCCIA strengthens commercial division with senior appointment Andrew Grove

ROCCIA strengthens commercial division with senior appointment

11 Sep 2025

3

Final call for investors: Rossendale community solar project must hit target by November Gary McEwan managing director of Interfloor

Final call for investors: Rossendale community solar project must hit target by November

10 Sep 2025

4

Lancashire Combined County Authority unveil plan to Get Lancashire Working Lancashire Combined Authority

Lancashire Combined County Authority unveil plan to Get Lancashire Working

10 Sep 2025

5

Lockheed Martin Skunk Works and BAE Systems’ FalconWorks announce strategic collaboration Collaboration between BAE Systems FalconWorks and Lockheed Martin Skunk Works

Lockheed Martin Skunk Works and BAE Systems’ FalconWorks announce strategic collaboration

09 Sep 2025

Background image for hub sign up block

LBV Hub

Leverage Lancashire Business View platforms

Post your news
Post your events
Post your offers
Build your network
Improve your SEO
Gain coverage in the magazine
Sign-up
Events
Sub36 Networking - Follow the signs
Sub36 Deaf Village Social1200
Networking
17 Sep 2025

Sub36 Networking - Follow the signs

The Deaf Village, Blackburn, BB2 5EN

10:00 - 12:00

LBV124 September/October Launch Event
MBP Arc Cinema Preston Opening 205
Networking
18 Sep 2025

LBV124 September/October Launch Event

The Arc Cinema, Preston, PR1 2BL

08:30 - 10:30

CMI Level 5 Management and Leadership Course
UCLanAerialCampus.jpg.jpg
LBV Hub Seminars
21 Feb 2025 - 21 Feb 2026

CMI Level 5 Management and Leadership Course

Preston Campus, Preston , PR1 2HE

09:00 - 17:00

CMI Level 5 Project Management Course
UCLanAerialCampus.jpg.jpg
LBV Hub Seminars
21 Feb 2025 - 21 Feb 2026

CMI Level 5 Project Management Course

Preston Campus, Preston, PR1 2HE

08:00 - 17:00

Longridge Soap Box Derby
Screenshot 2025-06-10 090035.png.png
LBV Hub Fundraisers
14 Sep 2025 - 14 Sep 2025

Longridge Soap Box Derby

Berry Lane, Longridge, PR3 3WH

10:00 - 16:30

Preston Tech Connection - The Ultimate Tech Quiz!
Preston Tech Connection Sept 25.png.png
LBV Hub Networking
16 Sep 2025 - 16 Sep 2025

Preston Tech Connection - The Ultimate Tech Quiz!

Society1, Coworking Space, Preston, PR1 3LT

18:00 - 19:00

The Business Network Central & East Lancashire
LBV Hub Networking
17 Sep 2025 - 17 Sep 2025

The Business Network Central & East Lancashire

Stanley House, Blackburn, BB2 7NP

11:30 - 14:15

Cumbria Business Expo 2025
https---cdn.evbuc.com-images-880461633-4862066883-1-original.20241022-110415.jpeg.jpg
LBV Hub Exhibitions
19 Sep 2025 - 19 Sep 2025

Cumbria Business Expo 2025

Carlisle Racecourse, Carlisle, CA2 4TS

09:00 - 15:00

Preston Freelancer Meet-Up: September
Sept Freelancer (1).png.png
LBV Hub Networking
23 Sep 2025 - 23 Sep 2025

Preston Freelancer Meet-Up: September

Society1, Coworking Space, Preston, PR1 3LT

10:00 - 11:30

Your Business, Your Region: Making sense of devolution and Local Government Reorganisation
Chorley Council breakfast event new
LBV Hub Networking
23 Sep 2025 - 23 Sep 2025

Your Business, Your Region: Making sense of devolution and Local Government Reorganisation

Worden Hall, Leyland, PR25 3DH

08:00 - 11:00

Speed Networking with BNI
2.png.png
LBV Hub Networking
24 Sep 2025 - 24 Sep 2025

Speed Networking with BNI

Chorley Football Club, Chorley, PR7 3DU

16:00 - 19:00

Making Tax Digital for Income Tax Self Assessment (MTD for ITSA) drop-in day
MTD drop in session.jpg.jpg
LBV Hub Seminars
25 Sep 2025 - 25 Sep 2025

Making Tax Digital for Income Tax Self Assessment (MTD for ITSA) drop-in day

Making Tax Digital for Income Tax Self Assessment (MTD for ITSA) drop-in day, Blackburn, BB1 5QB

10:00 - 16:00

Advertise with us

Reaching 50,000 members, our print, digital and event platforms offer a fantastic way to raise your business profile and help you grow.

Find out more LBV 123 Online Graphic
Subscribe now

Weekly news bulletin