Three major privacy developments your COVID-19 response team must consider

Recently, our privacy experts published practical guidance on managing personal information requests from health authorities and other third parties during the COVID-19 crisis. Our privacy experts return to share three major privacy developments your COVID-19 response team should be across. From breaking regulatory guidance, to increased security threats, this quick read will bring you up to speed on the latest privacy developments in this rapidly evolving space.

Editor’s note: This Article is based on the COVID-19 situation as of 24 March 2020. The situation may change over time.

Development 1 – The OAIC Publishes COVID-19 Guidance

Following the UK Information Commissioner’s Office’s release of guidance on dealing with privacy issues during the COVID-19 crisis, our own regulator, the Office of the Australian Information Commissioner (OAIC), has followed suit with its own privacy guidance, published late last week (OAIC COVID-19 Guidance).

The OAIC COVID-19 Guidance is largely aimed at employers collecting personal information about their employees and under what circumstances they can share it, but it helps clarify the OAIC’s position on the operation of key exceptions under the Privacy Act 1988 (Cth) (Privacy Act).

The key takeaways from the OAIC COVID-19 Guidance are:

  • as we made clear in our original article, the Privacy Act will not stop critical information sharing with health authorities or other stakeholders necessary to prevent or lessen the spread of COVID-19
  • organisations should only collect, use or disclose the minimum information reasonably necessary to prevent or manage the spread of COVID-19
  • organisations should clearly communicate with staff, visitors and other individuals about how their personal information will be handled (by the organisation itself and any other entities involved) in responding to any potential or confirmed case of COVID-19
  • organisations still need to take reasonable steps to keep personal information secure, including where employees are working remotely

Best practice for pre-emptively managing the risks of data breach or non-compliance with privacy laws would be to run revised privacy impact assessments in relation to any COVID-19 related changes to how your organisation operates.

Development 2 – Security risks when working remotely

In a short space of time we have seen entire workforces rapidly move toward a remote working model as corporates and organisations of all shapes and sizes (Maddocks included) implement social distancing measures with staff encouraged or required to work away from the office to help slow the spread of COVID-19.

Australian Privacy Principle (APP) 11.1 requires an entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. There are no exemptions from this requirement.

As employers increasingly direct their employees to work away from the office to curb the spread of COVID-19, the approach to managing risks that may compromise the personal information held by an entity may also need to change.

Employers directing their employees to work remotely must ensure that their employees are appropriately equipped to deal with any personal information the employer holds, including by ensuring that employees continue to only access and handle personal information from authorised, controlled and secure devices when working remotely.

What are the risks associated with remote working arrangements?

The OAIC COVID-19 Guidance reiterates that employers should be careful about:

  • Employees using their personal devices – if employees working remotely download personal information held by their employer (for example, a database of customer or employee records) to a personal device that lacks appropriate security protections, and no training or policies govern how it is handled, the download itself, or what the employee subsequently does with the information, could amount to a notifiable data breach under the Privacy Act. Employers who permit information to be downloaded to employees’ personal devices generally have no control over those devices, and unless they take reasonable steps to secure the personal information on them they face an increased risk of a data breach.
  • Employees connecting to unsecured Wi-Fi connections – employers must take steps to ensure that their employees are not connecting to public or unsecured Wi-Fi networks, as an attacker on the same network may be able to intercept traffic or attack the device and access personal information held on it. As a minimum requirement, organisations should ensure that their internal technology terms of use prohibit staff from connecting to public Wi-Fi, and should ensure the restriction is clearly and widely communicated to employees. Acceptable alternatives are available, for example providing portable Wi-Fi modems or internet dongles, or instructing employees to use a password-protected personal hotspot from their mobile phone if no secure Wi-Fi option is available. Requiring a corporate VPN that encrypts all traffic from the device further reduces the exposure on any network the organisation does not control.
  • Employees losing hardcopy documents containing personal information, or unsecured devices – while not specifically emphasised in the OAIC COVID-19 Guidance, it is worth remembering that physical security remains as important as digital security. Employees who are directed to work remotely may need to take home physical documents recording individuals’ personal information in order to perform their duties, so the risk of loss or theft of those documents is greater. Employers should take steps to ensure that their employees take appropriate precautions (such as locking the cars or homes in which the documents are kept), keep documents in safe locations and limit the occasions on which they are left unattended. The same applies to electronic devices, which should be protected with full-disk encryption and a lock-screen passcode (with multi-factor authentication on the corporate services they reach) to minimise the risk of unauthorised access if they are lost or stolen.

The OAIC COVID-19 Guidance provides additional tips for protecting personal information when working remotely, including keeping up to date with advice from the Australian Cyber Security Centre (ACSC) and keeping firewalls and software updated. For agencies, the recommendation is to continue to comply with the Protective Security Policy Framework requirements.

Your COVID-19 response team should consider how you address these security issues and whether you have communicated clearly to staff what your expectations are.

Development 3 – A heightened risk of phishing scams and notifiable data breaches

Quite predictably (but still disappointingly), we have seen an increase in phishing scams capitalising on the heightened anxieties and uncertainty surrounding COVID-19. These scams usually involve an electronic communication (text message or email) being sent to an individual which:

  1. purports to be from a government or health authority (often using official logos and a sender address disguised to resemble the authority’s)
  2. claims to provide information about testing, symptoms and other measures being taken in response to COVID-19
  3. contains a link ‘for more information’.
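The three traits listed above map directly onto signals a mail filter or a security team can check. The following is an added example, not code from Maddocks or the OAIC: it parses a message, compares the authority named in the display name with the real sending domain, looks for the testing/symptoms lure, and checks whether each ‘for more information’ link really goes where its visible text says. The trusted-domain list, the escalation threshold and both sample messages are constructed assumptions for illustration.

```python
"""Heuristic triage of COVID-19 lure emails (added example, not the article's own code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: domains this organisation treats as genuine authorities.
TRUSTED_AUTHORITY_DOMAINS = {"health.gov.au", "who.int"}
AUTHORITY_NAME = re.compile(r"department of health|health authority|government|covid", re.I)
COVID_LURE = re.compile(r"covid|coronavirus", re.I)
LURE_TOPIC = re.compile(r"\b(test(?:ing)?|symptoms?|quarantine|isolation)\b", re.I)
HOSTNAME_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host):
    """True if host is one of the trusted authority domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_AUTHORITY_DOMAINS)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _html_body(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload()
    return ""


def triage(raw):
    """Return {'findings': [...], 'suspicious': bool} for one RFC 822 message string."""
    msg = message_from_string(raw)
    findings = []

    # Trait 1: an authority in the display name, but the real sending domain is not one.
    display, addr = parseaddr(msg.get("From", ""))
    from_host = _domain(addr)
    if AUTHORITY_NAME.search(display) and not is_trusted(from_host):
        findings.append(f"display name '{display}' but sender domain '{from_host}'")
    reply_host = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_host and reply_host != from_host:
        findings.append(f"Reply-To domain '{reply_host}' differs from From domain '{from_host}'")

    # Trait 2: a COVID-19 testing/symptoms lure. Genuine advisories use the same words,
    # so on its own this is only a weak signal that counts towards the threshold below.
    body = _html_body(msg)
    if COVID_LURE.search(body) and LURE_TOPIC.search(f"{msg.get('Subject', '')}\n{body}"):
        findings.append("COVID-19 testing/symptoms lure in subject or body")

    # Trait 3: links whose visible text names a different host than the real target,
    # or 'for more information' links to a host the organisation does not recognise.
    parser = _Links()
    parser.feed(body)
    for href, shown in parser.links:
        target = (urlparse(href).hostname or "").lower()
        m = HOSTNAME_IN_TEXT.search(shown)
        if m and m.group(1).lower() != target:
            findings.append(f"link shows '{m.group(1)}' but points to '{target}'")
        elif not m and not is_trusted(target):
            findings.append(f"'{shown}' link points to untrusted '{target}'")

    # Assumed escalation threshold: two or more independent signals.
    return {"findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages, not real mail.
PHISH = """\
From: "Department of Health COVID-19 Unit" <alerts@health-gov-au-updates.example>
Reply-To: collect@mailer.example
To: staff@example.org
Subject: COVID-19 testing: important update
Content-Type: text/html

<p>Coronavirus testing is now available in your area. Check symptoms and eligibility at
<a href="http://covid19-info.example/login">www.health.gov.au/covid-19</a> or click
<a href="http://covid19-info.example/more">for more information</a>.</p>
"""

LEGIT = """\
From: "Australian Department of Health" <noreply@health.gov.au>
To: staff@example.org
Subject: COVID-19 update
Content-Type: text/html

<p>Current COVID-19 advice on testing and symptoms is at
<a href="https://www.health.gov.au/covid-19">www.health.gov.au/covid-19</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        result = triage(raw)
        print(name, "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the two constructed messages, the phishing sample raises five findings (spoofed display name, divergent Reply-To, the lure, a link whose text says www.health.gov.au but points elsewhere, and an untrusted ‘for more information’ link), while the genuine advisory raises only the lure signal and stays below the threshold. The hostname comparison here is deliberately crude; a production filter would use a public-suffix list and the organisation’s own allow-list rather than the two-domain set assumed above.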

We are also seeing newer variants, such as phishing emails claiming that a ‘voice message’ is waiting, with a link to listen to it.

In the midst of the COVID-19 crisis, the pool of people who might be tricked into clicking on a malicious link is much larger than in ordinary circumstances. According to the OAIC’s own reports, as well as Maddocks’ experience acting on large-scale data breaches, phishing scams are the number one cause of notifiable data breaches under the Privacy Act.

It is important for organisations to be proactive about monitoring for these risks and educating staff about the emerging types of phishing scams. It can be helpful to provide staff with details about where to access the latest and most accurate information concerning COVID-19.

We strongly encourage a proactive approach because the risks are very real and steps should be taken to reduce the possibility of a further crisis event such as a notifiable data breach (which can naturally be a stressful and resource intensive exercise) on top of dealing with COVID-19 crisis planning.

If you would like to discuss any of the information in this article or if you would like further advice, please contact a member of our privacy and cybersecurity team.

Maddocks has produced guides to a range of legal issues raised by the coronavirus (COVID-19). You can access these guides here.

AUTHORS
Sonia Sharma | Special Counsel
T +61 2 9291 6143
sonia.sharma@maddocks.com.au
Jordano Vasquez | Lawyer
T +61 2 9291 6222
jordano.vasquez@maddocks.com.au