What are the key privacy considerations relevant to the COVID-19 outbreak?
The two key privacy considerations are:
- effectively managing your response to an employee's report that they have tested positive to COVID-19, without breaching the employee's privacy, while also providing a safe workplace, and
- making sure personal information collected in the ordinary course of business (for example, customer and employee data) remains secure in an increased-risk environment while employees work remotely.
This guidance answers the following questions:
1. What do you need to do to manage privacy risk?
2. If an employee or volunteer tells me they have tested positive to COVID-19, how do I treat this information? Do I need to disclose this information to anyone?
3. What privacy and cyber-security considerations do I need to think about with my workforce working from home?
4. My organisation is speaking to clients through Zoom, Skype, WhatsApp and similar video conferencing software. Is communication through these programs secure, private and confidential?
5. What should I do if I suspect that I have been the subject of a phishing attack?
1. What do you need to do to manage privacy risk?
To manage privacy risk, organisations should:
- limit the collection, use, storage and disclosure of personal information to what is necessary (on a 'need-to-know' basis, and only the minimum amount of information required). This applies particularly when communicating with employees about a staff member who has tested positive to COVID-19
- tell employees how the organisation will handle their personal and health information in responding to any potential or actual case of COVID-19 in the workplace, and
- take measures to secure personal information in an increased-risk environment. This includes increasing staff awareness of cyber risk, developing robust procedures around sharing personal information and conducting financial transactions, and enforcing increased security controls on systems to prevent data breaches.
2. If an employee or volunteer tells me they have tested positive to COVID-19, how do I treat this information? Do I need to disclose this information to anyone?
If an employee tests positive to COVID-19, the employer and employee must follow the latest government-issued guidance, including any exclusion or self-isolation requirements, to limit the spread. When handling the affected employee's information, the employer should:
- take steps to get consent from the affected employee before disclosing to others that they have tested positive to COVID-19. Generally, you do not need consent if it is unreasonable or impractical to obtain it; seek advice if this applies to you, as this scenario needs to be carefully managed
- only reveal the name of the affected employee if necessary, and consider whether naming the person can be restricted to a limited number of people on a need-to-know basis, and
- only collect, use, store or disclose the minimum amount of the affected person's personal information required to address the risk of COVID-19.
An example of how to appropriately manage disclosure about an employee who has tested positive: the employer
- informs all employees that the affected staff member has not been in the office or in contact with any other employee in the 24 hours before the staff member showed symptoms, thereby lowering the risk of transmission
- reminds all employees to continue to follow best-practice government advice to slow the spread of coronavirus through social distancing, and
- encourages all employees to work from home where possible.
3. What privacy and cyber-security considerations do I need to think about with my workforce working from home?
There are increased risks associated with remote working. These include:
- increased risk of cyber-crime, where criminals will look to exploit changes to business environments to extract funds or personal information from employees, and
- risk of employees inadvertently disclosing personal information through using unfamiliar document storage and conference platforms.
To reduce these risks, organisations should:
- enforce complex password requirements for all email accounts and other systems used to hold sensitive data (such as payroll systems, HR systems or client management systems)
- implement multi-factor authentication, in addition to complex password requirements, to prevent unauthorised system access
- limit access to particular systems, and restrict privileges on those accounts to only those who need them to perform their role
- educate employees about the risk of phishing emails, especially while working from home, and encourage them to call the sender if they have the slightest doubt about the authenticity of an email, and
- if appropriate, buy cyber insurance to help address the potential costs of responding to a cyber incident.
4. My organisation is speaking to clients through Zoom, Skype, WhatsApp and similar video conferencing software. Is communication through these programs secure, private and confidential?
When using these platforms:
- Check what security the application provider offers: is multi-factor authentication offered? Is end-to-end encryption offered? Does the provider keep any metadata from your conferences (or other data)? If data is collected, how is it used?
- Read the provider's terms and conditions to check your rights and the provider's obligations.
- Make sure you have the latest security and software updates installed for the teleconferencing facility you use.
- Hold teleconferences in private rooms, not shared spaces, and use headphones rather than a speaker to prevent others listening in.
- Password-protect access to video and teleconferences.
- Only allow invited participants to join the teleconference, and make sure you send invitations to the right people.
5. What should I do if I suspect that I have been the subject of a phishing attack?
If you suspect you have been the subject of a phishing attack:
- Isolate: if you have clicked on a malicious link or opened a malicious attachment, isolate the affected machines from the network to prevent unauthorised access or malware spreading through your organisation's systems. Assess the scope of the impact on your network, including what information may be at risk.
- Missing funds: if you have paid funds, contact your bank to freeze and trace them. This needs to be done as quickly as possible, because there is often a delay between funds being paid and users becoming aware of the fraudulent activity, which reduces the prospects of recovery.
- Personal data protection: if personal information has been provided, consider what steps you can take to prevent misuse of that information. This includes taking steps to protect against identity theft and account takeover, such as changing passwords on online accounts if credentials were provided, and implementing multi-factor authentication where possible on critical applications (such as online banking) to prevent unauthorised access.
- Consider your regulatory obligations: while the focus is on containment and remediation, you should at the same time assess whether the incident is an 'Eligible Data Breach' under the Privacy Act. Statutory investigation and notification timeframes apply, so you need to do this expeditiously.
- If you have cyber insurance: contact your insurer for assistance from expert vendors to support your response.