With the Delta variant renewing threats on our public health system and economy, it is a stark reminder to businesses that they need to revisit their cyber security, data protection and privacy policies and practices. Assessing the associated risks of employees working from home and setting new cyber security standards and best practices is critical to protect your customers’ interests and for business continuity.
The Office of the Australian Infomration Commissioner (OAIC) has issued some guidance to help entities regulated by the Privacy Act 1988 (Act) address their privacy obligations during the coronavirus pandemic.
OAIC recommendations
Australian Government agencies and private sector employers that are regulated entities under the Act (Australian Privacy Principles (APP) entities) need to:
- take reasonable steps to keep personal information secure;
- consider whether any changes to working arrangements will have an impact on the handling of personal information;
- consider taking steps to notify employees of how their personal information will be handled in responding to any potential or confirmed case of COVID-19;
- assess any potential privacy risks where employees are working remotely; and
- ensure reasonable protocols are followed to keep personal information secure where employees are working remotely.
APP entities need to consider implementing similar privacy and data security protocols for employees working from home to those that apply in an office environment.
Steps to protect personal information WHEN employees work remotely
The OAIC outlines steps to protect personal information when working from home (or anywhere other than the office), including:
- understanding the latest advice from the Australian Cyber Security Centre;
- ensuring continued compliance with the Protective Security Policy Framework requirements;
- securing mobile phones, laptops, data storage devices and remote desktop clients;
- increasing cyber security measures in anticipation of the higher numbers of employees working on remote access technologies, and testing them in advance;
- ensuring all devices, Virtual Private Networks and firewalls have necessary updates and the most recent security patches (including to operating systems and anti-virus software) and have strong passwords;
- ensuring employees only use work email accounts for work related emails that contain personal information;
- implementing multi-factor authentication for remote access systems and resources (including cloud services); and
- only accessing trusted networks or cloud services.
What else does your business need to consider?
If your business has a turnover of more than $3 million per annum, you will need to have a privacy policy and collection statement to comply with the Privacy Act, whether you are a proprietary limited company, trust, incorporated association or sole trader.
Understand your employee’s home network security and how well it would weather a cyber attack. This will indicate whether your business needs to provide anti-virus software and information technology support. Businesses that provide clear guidance and support to employees as well as employee training on how to deal with suspicious emails can mitigate any potential losses associated with cyber attacks.
Check whether your business has an up-to-date cyber security policy and whether the risks associated with employees working remotely are included.
Ensure that your business has a data breach response plan, a privacy officer or person appointed to deal with privacy matters and that your employees know what they need to do and who to contact in the event a data breach occurs.
Finally, ensure your business’s expectations have been communicated to employees around secure storage and how to dispose of confidential documents they have taken home for work.
Related Resources