In 2021, remote working is not a foreign concept to any of us. To stop the spread of COVID-19 many offices across Australia and the world have had to adapt and ask their employees to work from home. In the beginning, working from home (WFH) meant sleep-ins and attending zoom meetings in your pyjamas but as the OAIC has pointed out, it also means tangible privacy risks.
Whenever you undertake a new project or drastically change your internal processes in a way that involves the collection, use or storage of personal information, you should consider whether a privacy impact assessment (PIA) is needed.
What is a PIA?
A PIA is an assessment of the inherent privacy risks associated with a new project, process or endeavour. It involves identifying privacy risks which you may not have even realised existed and designing practical steps and structures to mitigate those risks.
What are the privacy risks of WFH?
While your office may be well-equipped to handle personal information, the home environment is very different. There are a number of privacy risks that WFH exposes, including:
- Access to secure, private networks and data storing technology
- Employees using their own devices
- Employees working or attending meetings in public spaces such as cafes or parks
- Ability of phone conversations concerning the disclosure of personal information to be overheard by other members of the employee’s household
- Lack of multifactor authentication for remote systems and cloud services
- Out of date training for staff on phishing and scam emails
- Storing customer or client information on personal servers, devices, USBs or other storage mediums
- Video conferencing software (Teams, Zoom etc.) and potential for unregulated backgrounds and exposure of personal information
- Storage of confidential documents at home
- Data Breach Response Plans being incompatible with or not able to account for WFH arrangements
- Lack of clear line of internal reporting for potential data breaches (access to privacy officers)
- Physical storage and care of work devices
Do I need a PIA?
Griffin Legal recommends conducting a PIA for every new project involving the handling of personal information. If this is the first time your employees are working from home or they are accessing personal information they would otherwise not have accessed at home, a PIA should be conducted.
Privacy breaches can ensue when a PIA is not conducted, causing businesses to lose more than just their reputation. Privacy breaches attract harsh penalties under the Privacy Act and if serious enough, invoke mandatory notification requirements under the Notifiable Data Breach Scheme.
Contact Griffin Legal today for an assessment of your WFH arrangements, advice on whether a PIA is required or assistance undertaking an assessment. Griffin Legal can also assist in preparing a Remote Working Policy, tailored to your organisation.