Cyber security: Data protection and working remotely

With the outbreak of COVID-19, all of a sudden, to keep businesses afloat, employers and employees are having to work from home in unprecedented numbers. This presents numerous challenges for businesses when it comes to cyber security, data protection and compliance with privacy laws. 

More so than ever, businesses need to be proactive in setting new best practices with respect to the protection of their intellectual property, confidential documents and any personal information they collect while employees are working remotely and looking at business continuity measures.

The Office of the Australian Information Commissioner (OAIC) has issued some guidance to help entities regulated by the Privacy Act 1988 (Cth) (Privacy Act) address their privacy obligations in the context of the pandemic.
 
OAIC recommendations
Agencies and private sector employees should aim to limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19.

Regulated entities need to:

• take reasonable steps to keep personal information secure;
• consider whether any changes to working arrangements will impact on the handling of personal information;
• consider taking steps to notify staff of how their personal information will be handled in responding to any potential or confirmed case of COVID-19;
• assess any potential privacy risks where employees are working remotely; and
• ensure reasonable protocols are followed to keep personal information secure where employees are working remotely.

Agencies and employers will need to consider similar security measures for employees working remotely as those that apply in normal circumstances.

Steps to put in place to protect personal information when employees work remotely
Steps from the OAIC for protecting personal information when working from home (or anywhere other than the office) include:

• ensuring you are across the latest advice from the Australian Cyber Security Centre;
• ensuring continued compliance with the Protective Security Policy Framework requirements;
• securing mobile phones, laptops, data storage devices and remote desktop clients;
• increasing cyber security measures in anticipation of the higher numbers of employees working on remote access technologies, and testing them in advance;
• ensuring all devices, Virtual Private Networks and firewalls have necessary updates and the most recent security patches (including to operating systems and antivirus software) and have strong passwords;
• ensuring employees only use work email accounts for work related emails that contain personal information;
• implementing multi-factor authentication for remote access systems and resources (including cloud services); and
• only accessing trusted networks or cloud services.

What else does your business need to consider?

• Does your business have a turnover of more than $3 million?  If so, whether you are proprietary limited company, trust, incorporated association or sole trader, you will need to have a privacy policy and collection statement to comply with the Privacy Act.
• Are employees using their personal computers?  If so, what protections do their personal computers have against cyber threats and does your business need to invest in providing appropriate antiviral software and I.T. support to such employees working remotely on personal computers?  Have you provided clear guidance and support to your employees?  Have you provided training to your employees on how to deal with suspicious emails?
• Do you have a cyber security policy? If so, are your cyber security protocols up to date and have you covered off on the risks associated with employees working remotely?
• Are employees aware of what they have to do and who they have to contact in the event of a data breach?  Do you have a data breach response plan and a privacy officer or person specifically appointed to deal with privacy matters related to your business?
• Have your employees been told what the expectations of the business are when it comes to secure storage and destruction of confidential documents where they have taken physical documents home for work purposes?

How can we help you?
Australian Business Lawyers & Advisors can assist you with a range of cyber security and data privacy legal services including:

• Cyber security, data protection and privacy audits;
• Advice on eligible data breaches and cyber security incidents;
• Data breach response plans;
• Privacy policies; and
• Data retention, de-identification and destruction policies.

For more information see our Cyber Security Checklist here.

If you would like to discuss your concerns about cyber security and data protection in the context of working remotely or want to put in place appropriate mitigation strategies, please contact our Corporate and Commercial team on 1300 565 846 or email us at [email protected].

Kate Mansfield is an Associate from Australian Business Lawyers and Advisors (ABLA)