Back in March 2020 when the first lockdown was introduced as a result of Coronavirus, the government instructed everyone to work from home. Travel to and from work was only permitted where absolutely necessary. This meant many businesses had to arrange remote working practices overnight or with very little notice.
Since then, employees have been allowed and encouraged back into work locations in between lockdowns, with a large proportion of employers opting to formally or informally move to what is commonly known as hybrid working: some days working from a site or office, and other days working from home. At the time of writing this article, the advice to work from home where possible has been lifted, but many companies are still taking a hybrid approach to work.
Given the swift introduction of the working from home instruction back in March 2020, employers may have been granted a period of grace whilst remote working practices were set up and any issues in process or procedure ironed out. However, as this is no longer a temporary measure and much time has passed since March 2020, it is very likely that employers will not be able to use Covid as a justification for any malpractice or procedural failings.
The Financial Conduct Authority
Take for example the Financial Conduct Authority (FCA), the conduct regulator for financial services firms and financial markets in the UK. The FCA have recently commented on their expectations for firms when it comes to remote or hybrid working. In a recent update to their website, the FCA have made it very clear that ‘Firms should be able to prove that the lack of a centralised location or remote working does not or is unlikely to affect[…] its ability to meet and continue to meet the threshold conditions for the regulated activities it has or will have permission for – or any equivalent requirements, where these do not apply’. This statement comes along with a list of other criteria that remote working should not impact. For example, there should be no increase in the risk of financial crime, no detriment to consumers, and remote working should not reduce the accuracy of the Financial Services (FS) Register.
FCA regulated companies must also ensure there is satisfactory planning in place so remote or hybrid working does not impact the business. The FCA summarises that ‘It’s important that any form of remote or hybrid working you adopt should not risk or compromise the firm’s ability to follow all rules, regulatory standards and obligations, or lead to a failure to meet them’. The FCA have also stated it may visit any place where regulated activity is carried out, including employees’ homes.
What does this mean if you are not an FCA-regulated company?
You may well be regulated by another regulator or not regulated at all, but all employers have an obligation to ensure that their processes and protocols are fit for purpose, whatever location employees work from. All employers need to comply with the Data Protection Act 2018 (DPA 2018), and the UK General Data Protection Regulation (UK GDPR). It is vital that employers take the time to consider how working from home could impact data security.
Just one instance to consider would be the following:
- If employees have a printer and are printing off data which contains employee or customer data, where do they store this?
- Do they have a locked cabinet?
- Do they have access to a shredder?
- Is any paper waste disposed of in a way that complies with GDPR?
Working from home also means employers must ensure IT provisions are robust, and regular training takes place to avoid any data breaches or cyber security threats. The British Chambers of Commerce (BCC) and Cisco conducted a poll of 1,000 firms, in which the majority responded they believe they are more exposed to cyber security threats as a result of employees working remotely.
We would recommend all employers take the time, whether regulated or not, to look at their current policies and practices to ensure they cover all of the eventualities of remote working. It is essential that the correct training is put into place, as far as reasonably practicable, in order to minimise risks, whether that be GDPR breaches, IT security or regulated activities. The stance the FCA and many other regulatory bodies have taken is very clear: after almost two years of ‘work from home where possible’ instructions, remote or hybrid working arrangements will not be accepted as an excuse for regulatory failings.
Written by Jessica Hall, HR Consultant at advo