Working from home

Published: 20 June 2024

An employee sent work data to their personal email addresses so they could work from home.

Background 
An employee sent work data to their personal email addresses so they could work from home. The employer was unaware this was happening.

This was despite all employees having access to secure work systems outside the office. 

The employee left their job some time later and during routine housekeeping by their employer, following their departure, it became apparent that some of the information their former employee had sent to their personal email address contained highly sensitive information (known as ‘special category data’) about another employee. The organisation reported this data breach to the ODPA.

Learning points
  • The Law states that extra care must be taken with any ‘special category data’. This is any information revealing an individual’s racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, genetic data, biometric data, health data, data concerning an individual’s sex life or orientation, or criminal data. 
  • Employees are both the biggest asset and the biggest risk to the data an organisation is handling especially if those employees can place sensitive data outside usual business systems. 
  • Awareness is key – organisations must make all its employees aware of any policies around how personal data is handled. Hold regular awareness-raising exercises with new, and established, staff to ensure they understand how the policies work in practice, and the implications of ignoring them. 
  • The organisation took steps after this incident to strengthen restrictions on sending work-related information to employee personal email addresses to ensure that work data could not be emailed to personal email addresses. In addition to this, all employees were reminded of this obligation and additional data protection training was issued.