A Melbourne lawyer is warning businesses to prepare for potential privacy issues that may already be arising from current remote working conditions.
Rigby Cooke Lawyers Senior Associate Emma Simpson said while business owners were currently focussed on doing what they could to remain afloat, a significant privacy breach could seriously impede their recovery.
“Many businesses are operating in survival mode and they may not be aware of the breaches which may currently be happening,” Ms Simpson said.
“Employees may not have thought very carefully about the privacy risks of their home-office set up – children using their devices, family members or visitors overhearing sensitive phone calls or misplaced documents due to the lack of proper storage to name a few.
“Employers are reliant on their staff ensuring the privacy and confidentiality of the information they have access to in their work.
“However, employers need to ask themselves if they have done what they can to ensure they have adequate policies and procedures in place, and their staff have been properly trained to know what it means for them.
“Do your staff understand what their obligations are under the business’ privacy policies and procedures in a remote working context?
“Ultimately, employers will bear the reputational costs of a Notifiable Data Breach, which by law must be reported to the Australian Information Commissioner and affected individuals.
“This reputational damage could prevent a business from fully recovering when the economy begins to open up again.”
Businesses with a turnover of $3 million or more, and some smaller businesses (including those which handle health and medical information), are required to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
This requires businesses to maintain and enforce a Privacy Policy which addresses the specific practices of their business. Perhaps even more critical is having internal procedures and systems in place to ensure staff actually do what the policy says. Serious breaches of the Act can result in fines of up to $2.1 million.
“Businesses should perhaps take the opportunity of a reduced workload to look at addressing their Privacy Policy and internal procedures and ensuring they are robust,” Ms Simpson said.
“In my experience, many businesses simply copy a Privacy Policy from the internet – an approach which means their policy will not address the specific needs of their business.
“The privacy principles require businesses to have a Privacy Policy which takes into account the specific privacy concerns their operations generate. Unfortunately this is not something for which a cookie cutter approach will work.
“Whether that is in the collection of sales and marketing information, information about contractors or consultants or from a finance perspective, all of these specific concerns need to be addressed.
“Many of the clients I have worked with lack coordination between the departments of their business when it comes to privacy matters.
“This lack of coordination will only be exacerbated by remote working arrangements, so businesses need to think about how they can develop and enforce a robust Privacy Policy and internal practices which are implemented across all aspects of their business to back it up.
“Employers cannot entirely eliminate the possibility of a privacy breach.
“However, with an effective training regime, complemented by even some specific remote working policies and systems, businesses can significantly minimise the risk.
“For example, at Rigby Cooke, we have policies in place around printing and destroying hard copy documents that contain personal or confidential information, restrictions around device usage and access, and an understanding around how to conduct confidential phone calls in the home environment.
“We also have regular training on cyber security and identifying and responding to data breaches.
“The right approach needs to be unique for your business, however all approaches start with a robust and specific privacy policy.”
3 steps to reduce your risk of a privacy breach
- Develop remote working policies to reinforce the privacy and confidentiality requirements of employees while working from home.
- Review your Privacy Policy to ensure it addresses the specific practices of your business.
- Train employees in implementing the company’s Privacy Policy and remote working policy to ensure they are consistently enforced.