Protecting Privacy while working remotely
In an effort to combat the spread of COVID-19, remote working arrangements for employees have become the norm.
Initially, businesses did what they had to do to make this happen, so compliance with privacy laws was not a priority. However, as working from home and other alternate working arrangements continue, businesses need to review their practices and ensure they’re operating lawfully.
While managing the many issues caused by COVID-19, a potentially overlooked issue is how businesses manage the heightened risk of cyber threats and potential exposure to a breach of privacy law.
Cyber criminals are using COVID-19 as an opportunity to exploit fear and uncertainty among people and businesses by sending coronavirus-themed emails and setting up fake websites. Since early March 2020, there has been a significant increase in COVID-19-themed malicious cyber activity across Australia. The Australian Competition and Consumer Commission’s Scamwatch received more than 100 reports of scams in the last three months and, specifically between 10 and 26 March, there were 45 cybercrime and cyber security incident reports.
It is essential that businesses who are required to comply with the Privacy Act 1988 (Cth) continue to meet their obligations and abide by the Australian Privacy Principles. With employees working remotely, there is a greater potential for unauthorised access to personal data held by your business and also the possibility for that same information to be susceptible to an attack.
The Office of the Australian Information Commissioner (OAIC), the independent national regulator for privacy, has recently published a resource about privacy risks in changed working environments – we break down the key risks that your business needs to be aware of below.
security concerns & risk of data breach
The use of remote access technology brings about a range of privacy and security risks. For example, cyber-attacks have increased, as privacy and security measures are sometimes relaxed to enable remote access.
To counteract this risk, it is crucial for businesses to implement information communication technology (ICT) security measures or make the measures they already have in place more robust. These measures may include:
- Adopting the same secure methods for staff to access the business’ internal network, as if they were at work;
- Requiring multifactor authentication for remote access by staff to internal systems;
- Monitoring the privacy risks associated with certain technology (e.g. videoconferencing facilities);
- Ensuring strong passwords are in place and are required to be changed frequently;
- Locking out users after a certain number of failed logins;
- Implementing systems to detect unauthorised access to files; and
- Changing staff access rights to “need to know” or “need to access”, rather than open systems (that may have been appropriate for staff in the same physical office).
It is equally important for businesses to ensure the physical security of the personal information they hold.
Businesses should provide staff with clear guidance on steps they can take individually to uphold the physical security of this information (e.g. not working in public spaces, storing work devices in a safe location, and ensuring that a phone conversation where personal information is disclosed cannot be overheard by other members of the household who are outside of the business).
policies/protocols and training
The implementation of remote working arrangements is a first for a lot of businesses. As such, it is important to ensure that you have in place policies that outline expectations for how staff can uphold information security and safely utilise work devices when working remotely. This may include introducing a new company policy or updating an existing policy to include remote working.
These policies should address the security concerns presented in remote working environments, including:
- How employees should protect the physical security and the handling of personal information when working from home;
- How employees can uphold cyber security (e.g. identifying phishing emails and generally being more vigilant) when working from home; and
- How employees should use end-user devices (both those supplied by work, and those owned personally by a staff member) for work purposes when working from home.
For businesses that already had remote working arrangements in place, you may find that these arrangements have been expanded to new personnel in different parts of your business. It is important to consider whether any changes to working arrangements have impacted the handling of personal information collected by your business. If so, you must ensure that your privacy policy and other relevant documentation are updated to reflect this.
It is important to:
- Provide training to employees about new or even existing policies and protocols;
- Update privacy policies to reflect actual practices and working processes;
- Stay on top of how personal information is being collected, used, shared and processed during this time; and
- Provide frequent reminders to staff to remain vigilant for and cynical of email phishing and scams.
what can your business do to address privacy concerns?
If your business is concerned about mitigating the privacy risks associated with remote working arrangements, you may wish to perform a Privacy Impact Assessment (PIA). The scope of a PIA will depend upon the extent to which your working arrangements have changed, the size of your business, and the types of personal information you handle.
First, the OAIC recommends businesses undertake a threshold assessment. This will determine whether a PIA is necessary in the circumstances.
If you have questions about how your business can manage and mitigate any privacy risks going forward while your staff work remotely, or you require our assistance in carrying out a PIA or developing relevant policies and protocols, please contact one of our Privacy Law experts.
In addition to a change in working style, businesses across industries are facing unprecedented challenges. Our FAQ page deals with many different areas of law and we direct you to spend some time reviewing our COVID-19 FAQs for information that may assist your business during this difficult time.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.