Recently, our privacy experts published practical guidance on managing personal information requests from health authorities and other third parties during the COVID-19 crisis. Our privacy experts return to share three major privacy developments your COVID-19 response team should be across. From breaking regulatory guidance, to increased security threats, this quick read will bring you up to speed on the latest privacy developments in this rapidly evolving space.
Editor’s note: This article is based on the COVID-19 situation as of 24 March 2020. The situation may change over time.
Development 1 – The OAIC Publishes COVID-19 Guidance
Following the release by the UK Information Commissioner’s Office of guidance on dealing with privacy issues during the COVID-19 crisis, our own regulator, the Office of the Australian Information Commissioner (OAIC), has followed suit with its own privacy guidance, published late last week (OAIC COVID-19 Guidance).
The OAIC COVID-19 Guidance is largely aimed at employers collecting personal information about their employees and under what circumstances they can share it, but it helps clarify the OAIC’s position on the operation of key exceptions under the Privacy Act 1988 (Cth) (Privacy Act).
The key takeaways from the OAIC COVID-19 Guidance are:
- as we made clear in our original article, the Privacy Act will not stop critical information sharing with health authorities or other stakeholders necessary to prevent or lessen the spread of COVID-19
- organisations should only collect, use or disclose the minimum information reasonably necessary to prevent or manage the spread of COVID-19
- organisations should clearly communicate with staff, visitors and other individuals about how their personal information will be handled (by the organisation itself and any other entities involved) in responding to any potential or confirmed case of COVID-19
- organisations still need to take reasonable steps to keep personal information secure, including where employees are working remotely
Best practice for pre-emptively managing the risks of data breach or non-compliance with privacy laws would be to run revised privacy impact assessments in relation to any COVID-19 related changes to how your organisation operates.
Development 2 – Security risks when working remotely
In a short space of time we have seen entire workforces rapidly move toward a remote working model as corporates and organisations of all shapes and sizes (Maddocks included) implement social distancing measures with staff encouraged or required to work away from the office to help slow the spread of COVID-19.
Australian Privacy Principle (APP) 11.1 requires an entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. There are no exemptions from this requirement.
As employers increasingly direct their employees to work away from the office to curb the spread of COVID-19, the approach to managing risks that may compromise the personal information held by an entity may also need to change.
Employers directing their employees to work remotely must ensure that their employees are appropriately equipped to deal with any personal information the employer holds, including by ensuring that employees continue to only access and handle personal information from authorised, controlled and secure devices when working remotely.
What are the risks associated with remote working arrangements?
The OAIC COVID-19 Guidance reiterates that employers should be careful about:
- Employees using their personal devices – if employees who are working remotely download personal information held by their employer (for example, a database containing the personal information of customers or other employees) onto a personal device that lacks appropriate security protections, and without appropriate training and policies in place, the nature of the information downloaded and how the employee handles it could give rise to a notifiable data breach under the Privacy Act. Employers who permit information to be downloaded to employees’ personal devices may have no control over those devices, and unless they take reasonable steps to secure any personal information on them they will face an increased risk of data breach.
- Employees losing hardcopy documents containing personal information or unsecured devices – while not specifically emphasised in the OAIC COVID-19 Guidance, it is worth remembering that physical security remains as important as digital security. Employees who are directed to work remotely may need to take home physical documents recording individuals’ personal information in order to perform their duties, so there is a greater risk of those documents being lost or stolen. Employers should take steps to ensure that their employees take appropriate precautions (such as locking the cars or homes in which the documents are kept), keep documents in safe locations and limit the occasions on which they are left unattended. The same applies to electronic devices, which should be password protected (preferably with multi-factor authentication) to minimise the risk of unauthorised access if they are lost or stolen.
The OAIC COVID-19 Guidance provides additional tips for protecting personal information when working remotely, including keeping up to date with advice from the Australian Cyber Security Centre and keeping firewalls and software updated. For agencies, the recommendation is to continue to comply with the Protective Security Policy Framework requirements.
Your COVID-19 response team should consider how you address these security issues and whether you have communicated clearly to staff what your expectations are.
Development 3 – A heightened risk of phishing scams and notifiable data breaches
Quite predictably (but still disappointingly), we have seen an increase in phishing scams capitalising on the heightened anxieties and uncertainty surrounding COVID-19. These scams usually involve an electronic communication (text message or email) being sent to an individual which:
- purports to be from a government or health authority (often using official logos and disguised email addresses)
- falsely claims to provide information about testing, symptoms and other measures being taken in response to COVID-19
- contains a link ‘for more information’.
We are also seeing newer types of scams such as ‘voice message’ phishing scam emails.
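The traits listed above (an authority-sounding sender from an unrelated domain, a COVID-19 pretext, and a ‘for more information’ link whose visible text does not match where it really goes) can be turned into a simple triage check for a mail gateway or a mailbox rule. The following Python script is an added example, not code from this article, from Maddocks or from the OAIC: every domain, address and message in it is constructed for the example, the trusted-authority allowlist is a placeholder an organisation would fill with domains it has actually verified, and the indicator names are our own.

```python
"""Heuristic triage of a suspected COVID-19 phishing email (added example, not
from the Maddocks article). Scores a raw email on the traits the article lists:
an authority-sounding sender from an unrelated domain, a COVID-19 pretext, and
a 'for more information' link whose visible text disagrees with its target.
All domains and messages here are constructed for the example."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of verified authority domains (placeholder value).
TRUSTED_AUTHORITY_DOMAINS = {"health.example.gov"}
AUTHORITY_WORDS = re.compile(r"\b(health|department|government|authority|ministry)\b", re.I)
COVID_WORDS = re.compile(r"\b(covid|coronavirus|symptoms?|testing)\b", re.I)
LINK_PITCH = re.compile(r"more information", re.I)
LOOKS_LIKE_HOST = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _body_text(msg):
    """Return the first text/html or text/plain part, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def phishing_indicators(raw_email):
    """Return the sorted list of indicator names found in the message."""
    msg = message_from_string(raw_email)
    found = set()
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # Trait 1: display name claims an authority but the domain is not a trusted one.
    if AUTHORITY_WORDS.search(display_name) and sender_domain not in TRUSTED_AUTHORITY_DOMAINS:
        found.add("authority_name_untrusted_domain")
    body = _body_text(msg)
    # Trait 2: COVID-19 testing/symptom pretext in the body.
    if COVID_WORDS.search(body):
        found.add("covid_pretext")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        # Trait 3: a 'for more information' link, or anchor text that shows one
        # host while the href actually points somewhere else.
        if LINK_PITCH.search(text):
            found.add("more_information_link")
        shown = LOOKS_LIKE_HOST.match(text)
        if shown and shown.group(1).lower() != (urlparse(href).hostname or ""):
            found.add("link_text_host_mismatch")
    return sorted(found)

def is_suspicious(raw_email, threshold=2):
    """Flag a message for human review once it shows `threshold` or more indicators."""
    return len(phishing_indicators(raw_email)) >= threshold

# Constructed sample showing the three traits described in the article.
SAMPLE_PHISH = """\
From: "Department of Health" <alerts@notify-updates.example.net>
Subject: COVID-19 testing update
Content-Type: text/html; charset="utf-8"

<p>New coronavirus testing sites and symptom advice are available.</p>
<p>Click <a href="http://health-update.example.net/login">here for more information</a>.</p>
<p>Or visit <a href="http://portal.example.net/">health.example.gov</a>.</p>
"""
# Constructed benign internal notice for comparison.
SAMPLE_BENIGN = """\
From: "Facilities Team" <facilities@example-corp.test>
Subject: Office closure
Content-Type: text/plain; charset="utf-8"

The office is closed on Friday for cleaning.
"""

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_PHISH))
    print(phishing_indicators(SAMPLE_BENIGN))
```

The check is deliberately a heuristic: a genuine notice from a domain on the allowlist produces no sender indicator, a single indicator on its own is not grounds to quarantine mail, and `threshold` sets how many traits must coincide before a message is routed to a person for review. Run against the constructed sample it reports all four indicator names; against the benign notice it reports none.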
In the midst of the COVID-19 crisis, the pool of people who might be tricked into clicking on a malicious link is much greater than in ordinary circumstances. According to the OAIC’s own reports, as well as Maddocks’ experience acting on large-scale data breaches, phishing scams are the number one cause of notifiable data breaches under the Privacy Act.
It is important for organisations to be proactive about monitoring for these risks and educating staff about the emerging types of phishing scams. It can be helpful to provide staff with details about where to access the latest and most accurate information concerning COVID-19.
We strongly encourage a proactive approach because the risks are very real and steps should be taken to reduce the possibility of a further crisis event such as a notifiable data breach (which can naturally be a stressful and resource intensive exercise) on top of dealing with COVID-19 crisis planning.
If you would like to discuss any of the information in this article or if you would like further advice, please contact a member of our privacy and cybersecurity team.
Maddocks has produced guides to a range of legal issues raised by the coronavirus (COVID-19). You can access these guides here.