The use of mobile phones, messaging platforms and social media sites
Use of phones for work purposes
It is not uncommon for employees to use their personal mobiles to check work emails or to continue working out of the office, either on work-associated trips/meetings or at home. This brings with it the potential for employees to breach Data Legislation and is something that employers should be aware of. Employers must ensure that they implement the appropriate mechanisms and procedures to safeguard all personal data. Personal devices should only be used if an employer can guarantee the security of the data.
Lost phones can be a problem: if a member of staff misplaces a phone, whether work or personal, that contains personal data, this is likely to be a data breach.
Hackers are increasingly able to get hold of a company’s data through methods such as social engineering, including phishing and other email-based attack techniques. The level of sophistication used has made it more difficult for employees to spot whether an email has come from a hacker.
What should employers do?
Companies MUST limit the use of personal devices and/or implement strict data access controls, but if a personal phone must be used and a work phone cannot be supplied, then:
- Liaise with your IT department to ensure that you have a suitable Mobile Device Management (MDM) solution and that any work-related data stored on employees' personal mobiles is as secure as the data stored within the company’s own servers, including through the use of data loss prevention software, and ensure that these systems are regularly tested and updated
- Roll out mandatory GDPR training to all staff, which is repeated and updated annually, to ensure an awareness of how to keep their own data and their clients' data safe and secure
- Consider the use of encryption technology to prevent the loss of data
- Carefully monitor and control any ‘bring your own device’ schemes or ‘corporately owned personally enabled’ strategies
- Ensure you have a mobile security policy in place, including good practices such as setting passwords
Use of phones for group chats
It is more common today for groups of employees to use instant messaging apps such as WhatsApp and Facebook Messenger to keep up to date with work-related information and projects. This has become more prevalent with the advent of Covid-19 and whole teams/offices being required to work from home. However, although many of these apps use encryption, the messages and any documents shared will all still sit in a Facebook datacentre. If the datacentre is breached in any way, the business whose personal data has been leaked (the data controller) will remain liable to any data subjects and the regulator, as per its obligations as a Data Controller.
Businesses including pharmacies may be inclined to set up group chats for various departments, but they must be cognisant of the need to ensure that they have their employees’ permission to do so, as they are essentially sharing the personal details of their staff. Businesses should reserve the right to view business-related group chats on personal devices if required for business purposes – for example, if they need to investigate a complaint of misconduct.
It is also important to consider what happens when employees leave the business. Will employees still be able to access the group and any content shared within it? Even if the leaver is deleted from the group chat, their data may not be fully deleted, as the other group members will still have a copy of all the messages sent by the data subject to them and vice versa. Exit procedures should require departing employees to confirm in writing that they have deleted all work-related data from their personal device, including colleagues’ contacts and group chats. Employers should, however, ensure that they can access and store information exchanged via group chats, in case it is needed in future litigation.
Employees must be careful when holding sensitive or confidential conversations within the home environment; in particular, they should consider whether there are any internet-connected, microphone-enabled devices in the vicinity (such as Alexa). These devices should be considered compromised, and actions taken to limit any possible exposure.
What should employers do?
- Carry out audits to identify any communication channels/apps that do not comply with Data Legislation
- Use alternative communication methods
- Implement and establish data protection policies for communication channels
- Increase awareness across the business of how to appropriately use group chats and identify issues to ensure GDPR compliance
Accidental/malicious leaking of data via mobiles
Carelessness can cause a great deal of damage. Many individuals find technology baffling, leading them either to ignore or defer security warnings or not to have the correct security settings on their personal devices. In addition, they may unintentionally make ill-considered decisions when choosing apps, not knowing whether such apps are able to see and transfer their information. It is therefore important for employers to ensure, as above, that their staff have the correct level of security and awareness when processing personal data, and in these lockdown times that will require additional attention in terms of keeping in contact with staff and providing sufficient ‘virtual’ support.
Companies can take all the necessary precautions to ensure that data is secure within their business, but malicious actions by employees / insider data breaches are, unfortunately, a threat that has become more prevalent over recent years.
In April 2020 the Supreme Court ruled in the Morrisons ‘vicarious liability’ case, in which the supermarket chain "Morrisons" had been found liable for the actions of a rogue employee who had leaked the payroll data of other employees online, criminally and without the knowledge of Morrisons, as an act of spite against the supermarket following his being disciplined and suspended. Thankfully for companies, this far-reaching decision was overturned by the Supreme Court. Nonetheless, although this is a positive outcome for employers, it does not create a blanket exclusion of vicarious liability in all data cases, and employers will still need to be vigilant about the extent of access to data that they give to employees and the protections in place to ensure that data is not misused.
However, innocent employees can cause just as much damage as those with malicious intentions. Human error accounts for a significant proportion of data leaks: from employees losing their mobile phones, to pasting confidential information in the wrong place, inadvertently copying third parties into emails/texts or simply forwarding messages to the wrong recipient, through to transferring company files onto a public cloud storage service or inadvertently downloading/retaining personal data on personal devices. It is all too easy to take photos on mobiles and share them via a variety of different social media platforms, but what if a photo was taken at work and contained personal data in the background? The list of ways personal data can be leaked accidentally is endless.
What should employers do?
- Ensure that employee contracts cover data security obligations and sufficiently cover the consequences for any malicious actions by employees and disciplinary action for misconduct / breaching data security policies and procedures
- Ensure that there is a clear Data Protection Policy and that staff are all aware of it and of the business’ security and information management procedures
- Ensure that there is a suitable Acceptable Use Policy in place and that it is publicised
- Provide regular training and updates to staff on Data Legislation, which should cover the potential impact of their actions, and how they can avoid inadvertent data loss (eg. always double check emails before hitting send)
- Take out insurance to cover the business against the cost of data breaches/cyber attacks
- Invest in technology to minimise the risk of data breaches
- Appoint a dedicated Data Protection Officer (DPO) or outsource the DPO role so that you have a specialist in this area to advise the business and its employees
Probably the easiest thing any business, including a community pharmacy, can do is provide a work phone/laptop etc. that complies with all GDPR legislation (e.g. password protected, encrypted etc.) to those staff that require them. Only essential information should be added to these devices, and it should be removed when no longer needed.
Also, all staff, whether they have work devices or not, should be informed during their induction process that nothing work related should be added to their personal mobile phone/tablet/laptop/PC/MacBook etc. This includes, but is not limited to, work email accounts, patient-sensitive information, posting sensitive information on social media sites and adding people into shared messaging groups (e.g. WhatsApp) without consent.
Staff sign a form during their induction process to confirm they will comply with these requirements. This reminds the employee what they should and should not be doing and protects both the employer and the employee from potential GDPR breaches.