Working remotely: Complying with privacy legislation and preventing data breaches

To prevent the spread of COVID-19, many organisations have implemented or expanded remote working arrangements for employees. Working from home presents unique data breach risks, which may arise from malicious attacks, human error, or failure of information handling or security systems.

Organisations need to take proactive steps to protect themselves, their employees and clients and to minimise risk.

Privacy legislation

While only certain entities (including those with an annual turnover of more than $3 million) have obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, it is best practice for all businesses to comply.

Under Australian Privacy Principle 11, entities must take such steps as are reasonable in the circumstances to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Personal information includes identifying information about clients, customers and any other stakeholder.

Given the increased risk of unauthorised access to personal information when employees are working remotely, it is particularly important that organisations actively mitigate the risk of data breaches.

What to do?

We recommend that all employers:

  • conduct a risk assessment to identify potential threats;
  • review their privacy policy to ensure compliance with the Privacy Act when dealing with personal information;
  • implement a secure method (for example, a VPN or other encrypted remote access channel) for staff to access networks and systems from home;
  • ensure staff use employer supplied devices rather than personal devices;
  • implement multi-factor authentication for remote access systems and resources (including cloud services);
  • only allow the use of vetted collaboration and videoconferencing tools;
  • educate staff on ICT and cyber security practices, including how to recognise phishing and other social engineering attempts; and
  • update their data breach response plan to reflect remote working arrangements.

Please note that under the Notifiable Data Breaches scheme in the Privacy Act, in the event of an eligible data breach (one that is likely to result in serious harm to any individual to whom the information relates), entities covered by the Privacy Act must notify the Office of the Australian Information Commissioner and the individuals affected by the data breach as soon as practicable. Financial and other penalties apply to non-compliance with the Privacy Act and the Notifiable Data Breaches provisions.

More information

If you have any queries or would like further information about this article, please contact:

Kathryn Speed
Principal
M: 0408 446 013
E: kspeed@pageseager.com.au

Ella Wade
Law Graduate
T: (03) 6235 5161
E: ewade@pageseager.com.au

Published: 22 April 2020

Copyright © 2020 Page Seager.