
Working from Home Do’s for Employers

The Do’s and Do’s of Working from Home: How to respect employer responsibilities; protect personal data and secure confidential information. 

Almost overnight, the Coronavirus pandemic has transformed our personal and professional routines. Businesses both large and small have been required to enable working from home (or ‘wfh’) without much time to prepare for what this means in practice, nor to address the risks that necessarily arise when a company’s workforce is suddenly scattered across a city or country. Two important issues that employers need to consider are: (1) their legal obligations to facilitate working from home; and (2) how to protect personal data and other company confidential information handled on a large scale by employees who are offsite. Below is our list of “WFH Do’s” (no more “don’t’s”!) to help your teams get on with their jobs in maximum serenity.


1. Obligations to Facilitate Working from Home

DO check if your company already has a collective agreement or charter regarding working from home and if so, confirm that the measures you have put in place are compliant. If necessary, you may need to amend the relevant documentation.

DO inform employees, by all means possible (including email), of the conditions and procedures for working from home. This communication could be included in the company’s Business Continuity Plan and could cover topics such as:
  • Use by employees of their own devices (see below, also, regarding BYOD policies);
  • Tools for connecting to the office network from home; 
  • The right to disconnect;
  • Non-life insurance coverage of employees who are working from home (see below);
  • Applicable regulations regarding working time;
  • The terms and conditions for the use of videoconference (see paragraph below).

DO check whether the company computer equipment used at home by employees is covered by a specific insurance policy of the company and, if so, request an extension of the coverage. If possible, do obtain from employees a certificate of coverage for risks related to their home-working situation, provided by their home insurance company (i.e. impact on personal or professional equipment used).

DO remind employees that even when working from home they should respect the rules regarding working time, and particularly those concerning daily rest, weekly rest and the right to disconnect applicable to each category of employee.  For employees subject to collective working hours, remind them that they must not work overtime without informing management and receiving prior approval.

DO remind employees working from home that in the case of a videoconference organised by the employer, they have the possibility to participate in this type of meeting by teleconference (without activating the video option).


2. Data Protection 

DO remember data protection issues when employees are using videoconferencing and teleconference services from home. Consider adopting the following measures:
  • Choose video and teleconferencing services that demonstrate their compliance with applicable laws and security standards (see below), and limit access to only those tools that employees really need, to avoid wide dissemination of data and information.
  • Remind participants in video and conference calls not to make sound recordings, take screen shots, or share captured images; we have seen many images on social media of people sharing images from their at-home work conferences, often with the names of their co-workers on display. This information constitutes personal data, and even confidential information.
  • In case of screen sharing, remind employees that they should close all other windows and tabs that are unrelated to the call, and deactivate pop-ups, calendar reminders and chat that might appear and result in the accidental disclosure of company and individual data.
  • If employees are sharing devices with family members, they should be reminded to log out of confidential applications and/or the company VPN before allowing access. 
  • Remind employees of your company’s IT Security Policy, many elements of which will still be applicable to working from home. 


3.  Use of free communications software services

DO exercise caution before allowing employees to use free software services to communicate and share documents, such as Skype, Zoom, WeTransfer, and Dropbox. Not all services are equal in terms of the security they offer and it is important to ensure that the tools used by your company offer a level of protection aligned to the sensitivity of the data and information being communicated. In particular:
  • Review the terms and conditions of each service provider, with a specific focus on: 
    • the security commitments made and data protection compliance;
    • the nature of the encryption of communications, documents and data, both in transit and when stored, in order to limit the risk that data may be accessible to unauthorised third parties;
    • the access rules to your content by the service provider, in particular if the exchanges are covered by professional secrecy; 
    • the rights reserved by the service provider to transfer data to third parties, in particular commercial partners, or to use such data in connection with other services offered by the service provider;
    • the location of the servers where your company data will be stored, which is of particular relevance if you process sensitive data (such as health data), to ensure that all transfers are secure and subject to appropriate legislative protection in the jurisdiction where they are stored.
  • Recommend to employees that they enable the privacy and security features of the software services, such as dual authentication and the sending of alerts when new devices log into their account, to prevent unauthorised access by third parties to these accounts and associated data.
  • When using document sharing services, employees should be encouraged to password protect transferred documents and to send passwords to recipients via a separate email.

4. Securing confidential information

DO help employees ensure the security of company confidential information by doing the following:
  • Be vigilant of phishing emails; there has been an increase in malicious emails designed to steal data and access protected networks. If you haven’t already trained your staff how to spot such emails, now would be a good time to send them some guidance.
  • Make sure employees have access to your company’s “Bring Your Own Device” policy if they use their own devices to work remotely, addressing issues like what to do if their device is lost or damaged, and minimum password requirements.
  • Remind employees to take steps to secure their home Wi-Fi to prevent unauthorised access by malicious users: use a strong password; make sure the router’s encryption setting is turned on; turn off network name broadcasting (name of your network); make sure the router’s firewall is turned on; use a virtual private network (VPN). Printers connected to home networks should also be protected from hackers, through use of strong passwords and ensuring the most recent version of the firmware has been installed.
  • Turn off home assistants (like Google Assistant and Amazon’s Alexa) in rooms where employees have work-related conversations and calls to avoid accidentally triggering the recording function.
  • If possible, use unique conferencing numbers for different meetings.
  • Remind employees to avoid disposing of documents as part of the household rubbish. Ensure that confidential information and documents containing personal data are destroyed (home shredders, or store in a secured location until they can be returned to the office).
  • Make sure that staff know how to report any issues and that your company’s IT security and personal data breach incident response teams are mobilized to react remotely.

DO work with your IT system security managers to develop a home-working security policy that is adapted to the requirements of your organisation if you don’t already have such a policy.
