Hybrid working and data protection

Friday 18 Jun 21

New NCSC guidance on shadow IT

The National Cyber Security Centre has issued new guidance on managing ‘shadow IT’.

Shadow IT, sometimes called 'grey IT', refers to any unapproved tools and technologies used in an organisation for business tasks. These aren't managed by the official IT department or covered by its policies, so they pose a risk of data breaches and malware spread.

Shadow IT also encompasses cloud services – for instance, employees saving business data in their personal cloud accounts for convenience.

Practices like this challenge your business’s risk management because it's hard to protect what you don't know exists.

Mostly, shadow IT arises when employees try to work more efficiently by using tools they're familiar with, or when official tools fall short.

Common reasons for shadow IT use include:

  • insufficient storage space;
  • difficulty sharing data externally;
  • lack of access to necessary tools or services;
  • no official video chat or messaging solutions;
  • slow or complex processes for requesting official resources;
  • official tools lacking desired features; and
  • unawareness of the risks from using personal devices or tools.

You can read the full guidance, including further examples of shadow IT and tips for mitigating the risks it poses, here.

ICO guidance for employers

The Information Commissioner's Office (ICO) has recently published and updated useful guidance for employers relevant to hybrid working arrangements.

New guidance on lawful monitoring of workers

The ICO has provided new direction on how employers can conduct monitoring fairly and in line with data protection law. The guidance also addresses specific monitoring practices, such as using biometric data to keep an eye on employee time-keeping and attendance. You can access the guidance here.

Updated guidance on handling workers' health data

The ICO has updated its guidelines on how to handle workers’ health data.

Health information is among the most sensitive types of data an employer might possess about their employees. And under the GDPR, it’s classified as ‘special category data’. This means there are stricter rules and requirements when it comes to collecting and processing it. So, for employers, handling health data with utmost care is not just a recommendation, but a must.

To help employers navigate this, the ICO’s guidance lays out their legal obligations clearly and also offers some handy best practice examples to consider. It's an invaluable resource to help employers stay compliant and respectful of their employees’ privacy.

The world of work has changed for many of us and, for lots of industries, there’s no going back to the times when home working and absenteeism were synonymous. It’s extremely likely that even once the pandemic is a distant memory, home working won’t be a thing of the past.

Whilst we won’t be seeing a complete return to central working locations, it’s possible that many employees will choose to adopt ‘hybrid working’, where they work from home for a select few days in their week.

With this come data protection considerations, which we’ve summarised in this guide to help employers manage their workforce and comply with their legal duties.

Employee monitoring

Collecting data on diversity

Data security

Video conferencing

How can employers mitigate risk?
