The world is taking a step inside, employees are putting pens to paper in their home offices and individuals are acquainting themselves with “Zoom parties”. As we manage these new challenges, business will go on and critical issues of confidentiality and privacy must not be forgotten. At the heart of maintaining confidentiality and ensuring a high level of compliance with privacy obligations is cyber security and fostering an organisational culture where there is awareness and respect of privacy and security.
We summarise the simple steps your business should take now.
Key points
- Implement updates to existing privacy documents to permit collection of necessary personal information;
- Review and revise your organisation’s security practices and educate staff on best practices when it comes to working from home; and
- Actively manage any suspected data breach to ensure compliance with reporting obligations under the relevant legislation.
Transparency around personal information
Critical information sharing will not be stopped by the Privacy Act 1988 (Cth) (Privacy Act). In present circumstances where businesses might be collecting additional personal information (including sensitive information), their practices must be open and transparent. In order to comply with the Australian Privacy Principles (APPs), businesses must:
- adequately address such collections, uses and disclosures in their Privacy Policy;
- supply a Collection Notice compliant with privacy requirements before collecting such personal information;
- ensure personal information is collected only when it is reasonably necessary to do so. This might include collections upon entry to your business premises;
- ensure personal information is used only for the specific function or purpose (or a related secondary purpose) for which it was collected. This might include determining likely risk factors for transmission of COVID-19;
- ensure personal information is disclosed only on a ‘need to know’ basis. This might include informing colleagues or visitors that an individual who may have contracted COVID-19 has entered the premises, and directing further action on that basis. In these circumstances, identifying the person may not be necessary and it may instead be appropriate to refer to the individual by a pseudonym or on a de-identified basis; and
- keep colleagues updated on how an individual’s personal information will be handled in responding to any potential or confirmed cases of COVID-19 in the workplace.
Exemptions – employers and permitted situations
There are two relevant legislative exemptions in these times that may partially relieve an organisation of its compliance obligations concerning personal information: the “employee records exemption” and the concept of a “permitted general situation”.
A private sector employer’s handling of employee records is exempt from complying with the Privacy Act. The exemption applies if an act done, or a practice engaged in, by an organisation is directly related to:
- a current or former employment relationship between the employer and individual; and
- an employee record held by the organisation and relating to the individual. An “employee record” is a “record of personal information relating to the employment of [an] employee” and specifically includes “health information about the employee”.
When purporting to rely on this exemption to handle personal information without complying with the APPs, employers should note that the personal information must be that of an employee (not a contractor or third party) and must be directly related to one of the above matters. In two recent decisions, the limits of the employee records exemption were made clear:
- ‘QF’ & Others and Spotless Group Limited (Privacy) where the Privacy Commissioner found that for the employee record exemption to apply in respect of disclosures, there must be an ‘absolute, exact and precise connection’ to the employment relationship; and
- Lee v Superior Wood where the Full Bench of the Fair Work Commission found that until a record concerning the employee is created, the employee records exemption does not apply. Practically, this means the exemption covers an employer’s use of information after it has been collected and comprised in a record, but not the initial collection. In that case the employer directed an employee to supply biometric information (a fingerprint scan). The employee refused, so no record containing that information could be created; the information sought was therefore personal information not covered by the employee records exemption and had to be handled in accordance with the APPs.
Under the Privacy Act, partial exemptions exist where a “permitted general situation” has arisen. There are a variety of circumstances which will equate to a “permitted general situation”, which relevantly include ‘lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety’. Where such circumstances arise, this lessens or varies the obligations on an organisation to comply with certain obligations under the APPs such as seeking an individual’s consent to collection, use or disclosure of personal information where it is impractical or unreasonable to do so. This is by no means a “hall-pass” for an organisation to freely collect, use and disclose such information, but it may provide a necessary degree of flexibility in the current climate of the coronavirus crisis.
Confidentiality and privacy when working remotely
The foundation for maintaining the integrity of valuable client information, and for keeping your employees’ personal information private, is strong cyber security practice together with an organisational culture of awareness and respect for privacy and security. Here are some of the ways you can achieve this.
An organisation is required to take reasonable steps to implement practices, procedures and systems relating to the organisation’s functions or activities that will ensure it continues to comply with the requirements under the APPs and Privacy Act. The Office of the Australian Information Commissioner (OAIC) recently recommended organisations undertake a privacy impact assessment and implement measures to protect personal information. Some of the OAIC’s recommendations are:
- ensure employees are authorised to work remotely and have secure mobile phones, laptops and data storage devices;
- increase cyber security measures in anticipation of the higher demand on remote access technologies, including pre-emptive testing;
- ensure all approved devices have up-to-date security patches, firewalls and passwords;
- use only work email accounts, not personal accounts, which may have weaker security measures in place;
- if possible, implement multi-factor authentication for remote access systems and resources;
- only use trusted networks or cloud services;
- ensure “critical” or “high value” data (such as information for financial reporting, or litigation) is preserved and securely stored (including copies generated); and
- foster a culture of vigilance concerning phishing emails and other scams.
Many private sector organisations will receive highly confidential information from their clients, customers or from potential business partners on a regular basis, which may relate to business viability and profitability, business ventures, business continuity plans and proposed actions with respect to redundancies or downsizing.
Confidential information must, by its nature, be kept confidential. A complication that working from home introduces is that an individual may find themselves working in proximity to others who are not approved to be privy to such confidential information. The measures listed above concerning personal information are an excellent starting point, and the following behavioural shifts will also assist in maintaining confidentiality:
- ensure phone calls are not on loudspeaker, and taken where possible in a closed room;
- safely store notes taken during the course of an exchange, and where possible create an electronic version; and
- securely de-identify (where possible), and then destroy such material.
In commercial relationships, failure to take these precautions may result in a prohibited disclosure of confidential information in breach of any contractual obligations to maintain strict confidentiality of the other party’s confidential information. This may, in turn, give rise to a right of suspension or termination of the contract, depending on the terms, and a claim for compensation arising from such breach.
It will be beneficial for organisations to set out their expectations of employees in a policy, and if already in place, remind their employees of the requirements with respect to confidentiality under that policy.
Data breaches
As we write this article, we have seen some temporary leniencies implemented concerning critical matters such as the duty of directors to avoid trading whilst insolvent. However, there has not yet been a move to afford the same leniencies for data breach response timeframes in Australia.
Accordingly, organisations covered by the Privacy Act must assess any suspected data breach and notify affected individuals where personal information has been accessed, disclosed or lost in a way that is likely to result in serious harm to any of them. Where that is the case, organisations must notify both the affected individuals (including the steps they can take to reduce the risk of serious harm) and the Australian Information Commissioner (OAIC). The assessment of a suspected breach must be carried out expeditiously and completed within 30 days of becoming aware of it, and the notifications must then be made as soon as practicable. Notification is not required where the organisation takes remedial action quickly enough that serious harm is no longer likely to result, which is one more reason to detect and contain incidents early.
The best way to respond efficiently and effectively, whilst reducing the risk of litigation arising out of a data breach, is to regularly brief your senior managers and expert advisors on such matters and ensure that your organisation has a data breach response plan in place.
If your organisation would like our assistance in managing the privacy and confidentiality challenges they are now faced with, please contact Partner, Hayden Delaney.