Many businesses (including our own) have recently made a swift transition to a remote working model to comply with social distancing measures and government-mandated lockdowns.
What does this mean for compliance with privacy laws and data protection?
In Australia, the Australian Privacy Principles (APPs) still apply and regulate ‘APP entities’ even when the workers of that APP entity undertake their employment from home.
Generally speaking, APP entities are organisations (which may be an individual sole trader, body corporate, partnership, not-for-profit, unincorporated association, or trust, and some government agencies) that deal with Personal Information and have an annual turnover of more than AU$3 million. However, organisations with an annual turnover of less than AU$3 million are deemed APP entities if such organisations (i) provide a health service and hold health information, or (ii) deal with personal information about another individual for a benefit, service or advantage without the consent of the individual, or (iii) are contracted service providers for a Commonwealth contract.
An assessment of whether your staff or workers are accessing or using Personal Information, whilst WFH, first requires an examination of what constitutes Personal Information.
The Federal Privacy Act 1988 (Cth.) (the Privacy Act) defines ‘Personal Information’ as:
‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a. whether the information or opinion is true or not; and
b. whether the information or opinion is recorded in a material form or not.’
This definition is deliberately not dependent on the technology used or the means of information collection, storage or use. It is therefore very broad in the scope of its application.
Personal Information also specifically includes:
Sensitive information (including information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of personal information)
Health information (which is also sensitive information)
Tax file number information.
Careful consideration therefore needs to be given to determine whether staff and workers are collecting, storing or using Personal Information whilst WFH. If they are, then the APP entity has an obligation to ensure that the Privacy Act is complied with.
Your business might also be subject to the European Union’s General Data Protection Regulation (GDPR). This could be the case if your business is a data processor or controller with an establishment in the EU, or offers goods or services to, or monitors the behaviour of, individuals in the EU. GDPR obligations also continue to apply when WFH.
The home office – a potential (computer) virus hotspot
Working from home may present additional data security risks or the potential for lapses in your business’s usual compliance processes.
Staff may be using their own hardware, PCs, laptops, and internet access, which might lack the level of security protections used at your regular place of work. There may be a higher chance of disclosing personal or confidential information to other members of the household or neighbours. The use of unsecured networks, and the sharing of information on conference calls and file-sharing sites, has increased enormously over the last few weeks, all bringing a higher risk of a data breach.
The Australian Cyber Security Centre has warned that cyber-criminals are exploiting the rise in large-scale online/remote working and heightened anxieties regarding COVID-19, with a particular increase in COVID-19 related malicious cyber activity reported (for instance, scammers are impersonating the World Health Organisation to carry out phishing attacks). The recent blog post from Zoom acknowledging the safety, privacy, and security issues that have plagued it, particularly since it saw such massive growth in demand from people using the “product in a myriad of unexpected ways”, is but one example.
Your privacy and data protection obligations
Irrespective of where an employee carries out their duties, APP entities must ensure that they continue to collect, use, hold, and disclose personal information in accordance with the APPs and the Privacy Act.
This means that APP entities will need to ensure that, when their employees are working from home, they:
take reasonable steps to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure (APP 11.1);
only use and disclose an individual’s personal information in ways the individual would expect or where a specific exception applies (e.g. consent from the individual) (APP 6.1); and
comply with the Notifiable Data Breaches (NDB) scheme.
In relation to the NDB scheme, you are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in the case of an ‘eligible data breach’. An ‘eligible data breach’ means that:
there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that your organisation holds;
this unauthorised access is likely to result in serious harm to one or more individuals; and
your organisation hasn’t been able to prevent the likely risk of serious harm with remedial action.
Under the NDB Scheme, if your organisation is aware of reasonable grounds to believe that there has been an ‘eligible data breach’, then you must promptly notify the OAIC and the individuals at risk of serious harm.
If you simply ‘suspect’ that there has been a serious breach, then your organisation must take reasonable steps to complete an assessment of the breach within 30 days. If, during your assessment, it becomes clear that there has been an ‘eligible data breach’, you must promptly comply with the notification requirements.
If the GDPR applies to your organisation, there are stricter notification deadlines for responding to a data breach. A data breach under the GDPR is one that is “likely to result in a risk to the rights and freedoms of the affected individuals”.
Organisations that are ‘controllers’ of personal data under the GDPR must notify the relevant data protection authority (which are established in each EU member state) no later than 72 hours after having become aware of the breach. Choosing the relevant data protection authority will depend on the circumstances of the breach and the location of the individuals impacted. If the breach poses a high risk to the affected individuals, the ‘controller’ must notify the affected individuals immediately (with some exceptions). Organisations that are ‘processors’ must notify the breach to the ‘controller’ immediately (and in accordance with any contractual obligation to the controller).
Penalties for non-compliance with the Privacy Act take the form of civil penalties (fines) to be paid to the Commonwealth. Fines can be severe and can range from a few thousand dollars to millions of dollars for serious and repeated breaches. Indeed, the average cost to a business in Australia of a data breach is estimated to be US$2.13 million [i]. Under the GDPR, the fines for non-compliance can be much higher (up to €20 million or 4% of annual worldwide turnover, whichever is greater).
As many businesses review their economic prospects for the coming months, and even years, reducing the risk of further financial losses due to an avoidable data breach should be on the agenda.
Practical steps to comply with your obligations when working from home
You should look again to determine whether your business is an ‘APP entity’. Has your turnover fallen below the threshold? Are you now dealing in health information when previously you were not? Update your Data Breach Response Plans and Privacy Impact Assessments to ensure such documents reflect any material changes to the business’s working environment and ensure that staff are aware of the business’s privacy and data protection policies.
Ensure all devices, operating systems, remote access technologies, Virtual Private Networks, antivirus software, and firewalls are up to date and protected by strong passwords and, where possible, multi-factor authentication.
Where possible, staff should avoid using work-related email accounts and software (such as customer relationship management software) on personal devices.
When using video calling platforms and conferencing software such as Zoom, Slack, and Houseparty, the business should adopt a policy to use private or ‘locked’ lines that can only be accessed by using a randomly generated meeting ID, and check the terms of service of these platforms for their own privacy policies (for example, are calls recorded as a matter of course?).
Staff should carefully consider the sender, subject lines and attachment descriptions of all emails and text messages before opening and should not open attachments or click on links in unsolicited emails or messages.
Check government websites for the latest phishing scams and ensure your staff are kept aware of them.
Review the ‘Privacy’ section of our Working From Home Checklist for other tips for maintaining confidentiality and privacy when working from home.
The principles outlined in this information sheet are for guidance only and specific responses and advice will vary depending on the particular facts and circumstances.
If you need any advice or assistance or suspect that a data breach may have occurred, please get in touch with us via our website or give us a call on +61 (2) 9300 3100.
[i] IBM Security & Ponemon Institute, ‘Cost of a Data Breach Report 2019’, p 21.