Human error, working from home and data protection
Published: 13 August 2021
“Human error is one of the main causes of data breaches” according to www.gdpr.eu, the European Union’s web-guide to the GDPR.
In the old days confidential papers were sometimes left behind on trains, in taxis and in bars. These days most people who have been in employment for more than a few years have missent an email. Mistakes like this are arguably no more culpable than forgetting hard copy documents but the speed and reach of data circulation has changed beyond recognition, so that while the error may be similar the effect is vastly different. Particularly as a consequence of the ubiquity of mobile devices and social media, the impact of human error can be dramatic. British Airways can confirm this: in 2017 the airline suffered an IT meltdown that led to travel chaos for 75,000 passengers as a result of an engineer unplugging the wrong power supply.
The Data Protection (Jersey) Law 2018 (“DPJL”) came into force three years ago. Many businesses updated data policies at the time in order to meet the express requirements of the new law. However, no-one could have envisaged the extraordinary sea changes flowing from Covid-19, particularly the exponential rise in home working, which may have increased the risk of certain types of data breach.
It is impossible to remove all risk. As with health and safety in the workplace, however, the starting point is to acknowledge and assess risk in accordance with statutory requirements and guidance. In line with Article 25 of the EU General Data Protection Regulations (“GDPR”), Article 15 of the DPJL requires “data protection by design and by default”. This can be achieved, according to Jersey’s Office of the Information Commissioner, by “baking” data protection principles into a business – making those principles a fundamental part of what the business does, day in, day out.
Circumstances such as malfunctioning IT can lead to an increase in employees downloading sensitive business information onto personal devices. This can occur when people are working from home and IT issues cause well-intentioned but frustrated staff – particularly those who are under intense pressure – to download data onto unsecure home systems in order to carry on working. This exposes a business to an increased risk of hacks and breaches.
Bored and isolated home workers may be more likely to circulate or download amusing internet memes (e.g. an image with top and bottom text) and GIFs (an animated image, often circulated on social media). Everyone needs to have contact with others and forwarding jokey messages may help people keep in touch, but hackers know this and deliberately create malware, known as trojans, embedded within funny or cute images.
How do companies bake data protection into their business? Necessary steps include:
- Having clear and up-to-date data protection and cybersecurity policies which are read, understood and followed by staff as a consequence of regular training and ongoing communication, rather than simply referring colleagues to a hard-to-find staff handbook.
- Maintaining human contact, including varying means of communication (e.g. by phone, video-conferencing and post rather than purely by email) and communicating about light-hearted and personal matters, not just chargeable work – people miss those “water-cooler conversations”.
- Through that contact being aware of who is under pressure, both in terms of work and in their personal lives, so that additional support can be provided.
- Rolling investment in tech systems, staff and hardware to keep IT functioning at optimum levels and liaising quickly with staff when things go awry, as they almost certainly will from time to time.
- Monitoring IT use, so that the business understands what is working and what is not and tackles weaknesses proactively.
While “to err is human; to forgive divine”, biblical quotations may not satisfy the Information Commissioner. By contrast, measures such as those above, combined with appropriate IT management, data impact assessments and record keeping, will go some way towards keeping information safe and protecting a business.
Viberts has a team of data protection specialists who can advise on matters including:
- Privacy policies and IT policies
- Data management
- Data subject access requests
- Data breaches
- Regulatory investigations