A guide for businesses to protect personal information and maintain data security during COVID-19
Drumroll please… welcome to Privacy Awareness Week (4 May to 10 May 2020), a yearly initiative of the Office of the Australian Information Commissioner. We’ve always been supporters of PAW, but certainly now – whether by pure coincidence or a sign from the universe – Privacy Awareness Week is a welcome gift in the midst of COVID-19 upheaval.
There’s been a lot of (sometimes controversial) discussion about individual privacy following the global introduction of disease tracing software, such as the Australian government’s COVIDSafe app. But what about privacy and business?
Privacy handling, protection of personal information, data and cyber security are all bricks in the pillars of society that are our workplaces, our economy and our health system. In Australia we have a regulatory regime in the Privacy Act 1988 (Cth) and Australian Privacy Principles that requires holders of personal information to follow procedures for the collection, use, disclosure and security of that information. Following in the footsteps of the European-led General Data Protection Regulation (GDPR), we have the Notifiable Data Breach Scheme, designed to lower the risks (and detrimental impact) of data breaches within organisations.
But as countries around the world try to stem the spread of COVID-19, all businesses are experiencing change at an astronomical pace and new ways of working remotely / online / from home are being adopted everywhere. “Unprecedented” is the buzz word, right? In our efforts to combat priority number one – public health – it means those vital pillars are at risk of crumbling if we cannot guarantee protection of personal information and data security amid the coronavirus crisis.
In support of Privacy Awareness Week, we guide you through the 2 most pressing privacy issues businesses are facing during the pandemic – protection of personal information and data security – and what you must do to tackle them. Think of this as your business’ own personal PPE: Privacy Protection Equipment.
In PPE Part One, we take you through the protection of Personal Information, COVID-style. You will learn 2 things:
1. What your obligations are to protect Personal Information about individuals that you collect, use and hold during the pandemic. This includes knowledge of the Privacy Act 1988, Australian Privacy Principle 11: Security of Personal Information and Australian Privacy Principle 6: Use or Disclosure of Personal Information. We will look at how these laws will guide your organisation through the new challenges to Privacy brought on by COVID-19, including:
   a) Employees working from home and the risks to the security of Personal Information, such as video conferencing platforms, less secure staff equipment, improper storage of Personal Information and unintentional sharing of Personal Information; and
   b) Sharing health information, such as managing requests for disclosure of Personal Information and informing your staff about health situations.
2. How to protect Personal Information, with active, practical steps to take.
PPE Part 1 – Protection of Personal Information during COVID-19
Everything in a COVID world looks and feels different. Your office may be empty, but privacy (and specifically the handling of personal information) is still necessary. Your organisation still collects personal information in new customer information sheets and commercial credit applications. You still use that personal information for things like providing your goods or services, invoice and account management, and keeping your customers updated on industry news. You’re still holding that personal information in systems, software and procedures built for your office, which could well be empty right now. Part One of this PPE Series will help you understand your organisation’s obligations to protect personal information throughout the pandemic, identify the specific risks to the security of personal information in a changed working environment, and see what strategies you can use to ensure personal information is still protected.
Understanding Your Obligations to Protect Personal Information
Employees working from home:
Many entities regulated by the Privacy Act 1988 will have moved to support remote working arrangements during the pandemic. Which is great – staff can spend less time commuting to the office and more time in their PJs surrounded by family. But you need to consider whether this is putting the security and privacy of your staff, and of your clients or customers, at risk. And by extension, whether your business is still complying with its obligation to protect personal information.
Under APP11 (security of personal information), applicable organisations must take active steps to protect personal information that they hold from misuse, loss, interference, and unauthorised disclosure. An applicable organisation must also destroy or de-identify personal information that is no longer needed for the purpose for which it was used or disclosed. The Privacy Act 1988 does not stop employees from working at home, but APP11 certainly still applies.
Ways that remote work could be risking your organisation’s compliance with the APPs include:
- New or increased use of online collaboration tools such as Slack, Zoom, Microsoft Teams and HouseParty. These platforms can do a host of things which are likely to be stress-inducing for your Privacy Officer, such as collect user location data and IP addresses, monitor user activity, access the contents of a recorded call and retain messages between users. This could be either a means of losing personal information held by your organisation (APP11), or a means of receiving unsolicited personal information (APP4) that you will need to deal with.
- Less secure staff equipment. The types of devices, software, internet network, electronic security, and protocols for employees working at home could be vastly different from – and potentially inferior to – those built into business networks and office set-ups. This leaves remote-working staff vulnerable to loss of personal information held by your organisation (APP11), data breaches, or even receiving unsolicited personal information (APP4), without the proper measures to identify the privacy breach or deal with the consequences.
- Improper storage of personal information or documents containing personal information. Many workers could be forced to use personal devices to work remotely, which will lack the appropriate tools, protocols and security needed for saving documents, storing files, automatically backing up files, and deleting or de-identifying information where necessary. Again, this puts your organisation at risk of losing personal information (APP11).
- Unintentional sharing and exposure of personal information. No matter what age your staff are, the chances are that they have some form of social media. If those staff are celebrating their #newnormal by posting photos online of home office set-ups, or if they live with (and now work alongside) a spouse, 3 kids and a dog, or if they are screenshotting the virtual Friday drinks sessions, then you could have a very big privacy problem on your hands. Things like this could lead to unintentional publicising of staff home addresses, or even possible hints to passwords through the names of family members. Even more alarming is the difficulty of maintaining the security of your clients’ personal (and confidential) information when staff are working right next to their husbands, wives, kids and dogs. Yikes!
Sharing health information:
Similarly, public health has taken an understandable precedence due to COVID-19. When that is front-of-mind, it can be easy to forget that information about an individual that relates to infection and risk of exposure to COVID-19, such as symptoms, treatment and general health status, will be sensitive personal information under the Privacy Act. Consequently, businesses must be prepared to manage the sharing of health information.
For example, have your employees recently travelled overseas, and to which countries? Have your employees or visitors shown symptoms of COVID-19, or have they, or a close contact, been exposed to a known case of COVID-19? Can you tell your staff that a colleague or visitor has contracted the virus?
Under APP6 (use or disclosure of personal information), there are limited circumstances in which an organisation can use or disclose personal information that it holds. For the most part, an organisation can only use or disclose that information for the main purpose for which it was collected. But if an exception to the primary purpose applies, an organisation may be able to use or disclose personal information for a secondary purpose. For example: you have consent for a secondary use or disclosure, it is required under law or court order, or you “reasonably believe” that use or disclosure of the personal information is necessary for health and safety.
So how is your organisation going to handle:
- Requests for personal information held about your staff during the pandemic?
- Informing your staff about COVID-19-related information and updates?
- Making sure your staff do not share personal information you hold about others in a health situation?
On the face of it, a request for personal information by a government authority in relation to COVID-19 is likely to be covered by the public health exemption. Likewise, the ‘employee records exemption’ is likely to cover you for handling staff personal information for a purpose directly related to their employment. But privacy concerns cannot be hastily dismissed or assumed away because of COVID-19 – each request for, or disclosure of, personal information (health related or not) must be assessed properly and on a case-by-case basis.
PPE: How to Protect Personal Information Amid the Pandemic
The OAIC is recommending a raft of strategies to deal with COVID-19-related privacy issues, along with a number of our suggestions:
- Be guided by good privacy practice by re-familiarising yourself with the APPs;
- Undertake a privacy impact assessment, a useful tool to evaluate and mitigate risks to personal information;
- Secure devices as much as possible, such as laptops, mobile phones, remote desktops and data storage devices. This includes ensuring that all employee devices and networks have proper firewalls, updates, strong passwords and security software. Your IT provider should be able to assist you;
- Have a protocol for safe locking and storage of devices when staff are not using them;
- Ensure that staff are using work email accounts for all work-related emails that contain personal information;
- Only access trusted networks or cloud services;
- Check recent security and privacy reports about online collaboration platforms before using them;
- Educate staff on the dangers of collaboration tools such as video conferencing platforms and using social media while working at home. Perhaps even develop a protocol for the use of this technology during the pandemic, or update your existing Privacy Procedure;
- Implement a procedure for dealing with requests for personal information, particularly around health information during the pandemic. Train frontline staff about how to deal with these requests;
- Cooperate promptly with public health authorities if you receive a request for personal information, but first ask for proper identification and evidence of the authority under which the information is being requested;
- If a third party requests personal information, assess the request on a case-by-case basis in accordance with the APPs and seek proper legal advice if you are unsure;
- Only collect the minimum amount of personal information reasonably necessary to prevent or manage COVID-19;
- Only use or disclose personal information on a ‘need-to-know’ basis; and
- Keep a record of all requests for personal information during this time.
Stay tuned for PPE Part Two, where we guide you through cyber security during the pandemic and how to prepare to respond to COVID-19-related data breaches.
For more information, contact Holly Jackson