- Privacy Awareness Week – an opportunity for all organisations to ‘Reboot your privacy’
- Organisations are responsible for the actions of their employees – this calls for innovation when ensuring the security of personal and confidential information in the “home office”
- To be effective, privacy and security arrangements must include appropriate training, clear and documented policies and procedures and management oversight.
With working from home the new normal, and set to be that way for the foreseeable future, all Australian organisations (and their employees) are facing unfamiliar challenges and pressures as they manage and adapt their business operations in these unprecedented times. It is definitely not “business as usual”.
Today sees the launch of Privacy Awareness Week 2020 and in these challenging times it serves as an important reminder to ‘Reboot your privacy’ both at work and in the home.
It is important that organisations remember their privacy obligations when maintaining business operations during this pandemic. Remote working arrangements bring flexibility to workplaces and are proving necessary in combatting the spread of COVID-19.
With this flexibility comes the potential for organisations to lose some control over the personal information held by their business, and increased risk of data breaches, fraud and cybersecurity issues.
Be aware of the increased risk of privacy breaches
A data breach occurs when personal information that an organisation holds is subject to unauthorised access or disclosure or it is lost. While data breaches are often associated with malicious attacks, many are caused by human error or a failure in security systems. In some cases, a breach must be notified to the Office of the Australian Privacy Commissioner (OAIC) and all affected individuals.
With employees working remotely, there is greater potential for data breaches to occur, and for them to go unnoticed. The OAIC has identified the following examples of data breaches that may occur when staff are working remotely:
- an employee accessing systems or information they should not be accessing (the ‘trusted insider risk’);
- unauthorised disclosure of personal information through conversations being overheard, or an unlocked computer or a handwritten or printed document being seen by someone else; and
- loss or theft of phones, laptops or paper records that contain personal information.
Businesses must encourage their staff to think carefully about, and take ownership of, the privacy risks of their home-office set-up: children using their devices, family members or visitors overhearing sensitive phone calls, or documents misplaced because there is no proper storage, to name a few.
Staff must be aware of the organisation’s data breach response plan and know when to speak up (and to whom) if they are aware that a breach has, or may have, occurred.
Practically what does this mean for employees who are working remotely?
Employees must ensure that all confidential and personal information is kept confidential. The easiest way to do this is to make sure that the “home office”, wherever that may be, is as secure as possible. Phone calls should be taken in a private space and any notes must be safely stored (where possible, in an electronic format).
Printing documents when working from home creates a risk that confidential information or personal data is inadvertently disclosed to parties who should not see it, or is simply picked up by outsiders after the documents are disposed of in the regular household waste. To maintain the security of data, employees should only print documents when it is essential to do so.
This leads to an obvious question: how do you dispose of handwritten notes or printed files securely? The most obvious option is to shred them. However, a significant number of employees will have home offices that were put together hastily, and will not have the means to deal with their documents in the same way as they would in the office.
If an employee does not have access to a shredder, then documents should be held securely in a box or envelope until such time as they can be disposed of correctly when back in the office.
Critically, businesses are responsible for the actions of their employees. Given that businesses are to some extent reliant on their staff maintaining high standards of privacy in their homes, businesses should:
- ensure ICT and access security measures are adequate and robust
- document clear remote working policies and systems for staff to follow
- ensure staff are aware of their privacy and security obligations when working remotely by ensuring proper and ongoing training
- mitigate physical security issues in the home office by carrying out “spot checks” to inspect staff members’ individual working arrangements.
The OAIC has released guidance for businesses to assess their privacy risks in changed working environments. Some practical tips from a technology perspective include:
- Secure mobile phones, laptops, data storage devices and remote desktop
- Ensure all devices, Virtual Private Networks (VPNs) and firewalls have necessary updates, the most recent security patches (including to operating systems and antivirus software) and strong passwords
- Make sure devices are stored in a safe location when not in use
- Use work email accounts, not personal accounts, for all work-related emails that contain personal information (i.e., do not email work-related material to a private email account)
- Implement multi-factor authentication for remote access systems and resources (including cloud services)
- Only access trusted networks or cloud services.
We’re here to help
We understand the pressures organisations are facing and are here to help you navigate and adapt in this difficult time.
No two businesses are the same, which means there is no “one size fits all” solution to privacy compliance. The Privacy and Data Protection team can provide practical advice to help your business comply with its privacy obligations, without further worry and disruption to your business.
Disclaimer: This publication contains comments of a general nature only and is provided as an information service. It is not intended to be relied upon as, nor is it a substitute for, specific professional advice. No responsibility can be accepted by Rigby Cooke Lawyers or the authors for loss occasioned to any person doing anything as a result of any material in this publication.
Liability limited by a scheme approved under Professional Standards Legislation.
©2020 Rigby Cooke Lawyers