Working remotely? Don’t abandon privacy for the sake of convenience
Social distancing, with staff working remotely, has led organisations to rapidly procure new online collaboration and remote working tools. With new ways of working, potential privacy risks and breaches must be carefully considered and managed.
The use of online collaboration tools is rapidly growing and, with some companies reportedly sharing conversations with fourth parties, including social media platforms, strong privacy settings are vital.
Cyber security risks are one aspect of this (and organisations need to be aware of these) but privacy obligations extend beyond security and govern the entire lifecycle of personal information.
Remote Working Risks
Privacy compliance requires appropriate handling of personal information throughout the information lifecycle – collection, storage, use and disclosure, and disposal. These obligations are given force by the Australian Privacy Principles (APPs), contained in the Australian Privacy Act 1988 (Cth). While organisations may have processes in place to address these requirements under normal circumstances, remote working introduces new compliance challenges.
- Risks of collecting too much, or the wrong kind of information e.g. where an employee uses a personal device to work remotely and the organisation inadvertently collects non-work-related information such as websites the employee visits outside of work.
- Risks that employees will, due to remote working, not handle personal information in accordance with policy e.g. by saving files to unapproved cloud services.
- Risks around sharing data with third-party collaboration platforms e.g. videoconferencing, which might not offer adequate protections of privacy.
- Risks the organisation is not complying with State and Territory surveillance legislation, which may place limits on the use of audio, video, computer and tracking technologies.
Remote working can blur the boundary between employees’ work and personal lives. This may cause some employees to feel their privacy is at risk even if the organisation is compliant with legislation. Transparency and awareness are important steps to ensure employees’ privacy expectations are respected.
Finally, working remotely draws attention to the way companies use and disclose information with service providers. Conversations, documents and chats may be saved by the online service provider and shared with third parties such as social media platforms and overseas data centres. When entering into new agreements with service providers, careful consideration must be given to how, and what type of, customer personal information is being shared on the online platform and to the protections offered by the service provider to protect the company’s personal information.
Key privacy considerations when enabling your workforce to work remotely:
- Ensure applications are properly configured to protect conversations and personal information e.g. where videoconferencing is used.
- Establish strong cyber-security controls.
- Ensure a robust processing agreement is in place regulating how third- and fourth-party providers handle and protect personal information.
- Provide clear guidelines to staff around how online platforms handle personal information e.g. whether the information is encrypted or transferred overseas, and provide guidance about what types of personal information should, and should not, be shared through online platforms.
- Consider carefully if moving processes to new platforms would increase the risk of privacy incidents and breaches. Conducting a Privacy Impact Assessment may be helpful to understand what risks you are facing and what controls are required to mitigate the risk.
At all times, be mindful that privacy is important for your organisation, your clients and your people. Just because our working locations have changed, your privacy settings should not. Once privacy is breached, it is very hard to take it back.
Additional work by Kelly Henney, Partner, National Leader Data Privacy Services