Are your staff printing off documents at home? If they're working from home, and they can't get into the office, then perhaps they are - but what's the problem with that? We'll come onto why that's a problem shortly, but first the reason why this is in the news. This is new research, a nationwide poll, showing that 66% of UK adults working at home have printed confidential work documents on their personal printer. They include meeting agendas, payroll, CVs, contracts, commercial documents and everything in between. It is reported by The HR Director which runs the misleading headline 'Homeworkers face fines for printing out documents, under GDPR'. It's misleading because it's not the homeworkers who face the fines, it's the employer.
The findings from the poll are striking. The average home worker prints 5 documents at home per week. 20% of home workers that have printed at home admit to printing confidential employee information including payroll, addresses, medical information. 24% have not yet disposed of printed documents – that's because they say they plan to take them back to the office. 24% use a home shredding machine but then admit to disposing of the documents in their own waste bin. 12% admit they have absolutely no knowledge of the GDPR regulation.
So clearly this is a serious issue and, no doubt, it's one the ICO will have something to say about. So how serious is this for employers and what's our advice around this? I called data specialist Aisleen Pugh to find out – she joined me by video link from London:
Aisleen Pugh: "Printing off documents and storing them at an employee's home outside of their office working place remains a processing activity for the purposes of the General Data Protection Regulation and the UK's data protection law requirements. That means that in printing off those documents employers and their employees are expected to continue to adhere to the data protection principles that are set out in the data protection legislation, principally that any document containing personal data or confidential information needs to be securely stored. Now, in the office, procedures for secure storage and destruction of documents are pretty well understood and easy to adhere to. So for example, maybe employers have industrial shredding machines and confidential waste bins. Those things are not going to be as accessible or available to people in their own homes and so employees are going to need to be thinking about how, in the absence of working from the office, they are securely storing confidential information that contains people's personal data and potentially also sensitive personal data."
Joe Glavina: "I can well imagine that a lot of employees printing off material at home will feel they have no choice because they can't get into the office."
Aisleen Pugh: "So some employers are actually implementing no print policies, so it's an absolute ban on printing from home, and that is basically to ensure that they are complying with their data protection compliance standards. That is not going to be possible for many employees, particularly those, perhaps, in the HR profession who are, on a daily basis, printing and dealing with a huge volume of documents that contain pieces of people's personal data. So for those people it is going to be particularly important that employers are making sure that they have in place clearly drafted policies relating to data protection, security, information security, that are well communicated to all employees, or relevant employees, who are going to be potentially printing a large number of documents from home. Also, ensuring that people are aware of the standards of protection that they are expected to adhere to when printing those documents at home. One of the things that we saw a lot of employers do following the implementation of the GDPR in May 2018 was prepare all-singing-all-dancing policy documents that dealt with compliance measures and information security measures and that's all well and good but the problem is at that point no one could have foreseen the circumstances of the coronavirus pandemic and the vast change to working arrangements that have been forced upon us as a result of that. For that reason employers need to think about dusting off those policies, keeping them under constant review, making sure that they are agile, dynamic, and are able to adapt to changing working arrangements, increasing working from home and a different landscape that has been created in terms of potential data breaches and security risks."
Joe Glavina: "What are the consequences for employers if these breaches are allowed to continue? Is the ICO really going to take action in the midst of a pandemic?"
Aisleen Pugh: "So the risks of failing to put in place adequate security measures and demonstrate to the ICO's satisfaction that an employer has taken appropriate steps to ensure that its data compliance standards are adhered to is enforcement action by the ICO and pretty hefty fines. Now, whilst the ICO is taking an empathetic approach towards potential data breaches given the ongoing coronavirus pandemic and the massive shift in working arrangements and policy provisions that employers have had to adapt to in a relatively short space of time, given that we have now been living with the coronavirus pandemic for almost a year, and we're now in our third national lockdown, you can see that the ICO might be starting to take a slightly less sympathetic view where employers haven't taken adequate steps or shown that they've been proactive about recognising the types of risks that come with home working arrangements and having adapted, and reacted, to those risks in an appropriate way. Now, there are clear legal risks from an enforcement and financial perspective in terms of the steps the ICO can take in the event of a data breach and inadequate safeguards put in place by an employer but in addition, and this is something that is pretty hot in the media as well, so pretty much no week goes by where we don't hear another story of an employer who has fallen foul of information inadequately shredded, information contained on a USB stick left on a train, so there are, in addition, real reputational risks that go with failing to think about these things in a comprehensive and proactive way."
The ICO has some useful guidance for employers when it comes to destroying documents that are no longer needed - simple and practical methods which you might want to include in a data policy, or guidance to staff. We've put a link to that in the transcript of this programme.
- Link to ICO guidance on practical methods for destroying documents that are no longer needed