Privacy experts warn: Don’t let your data and privacy safeguards slip during coronavirus (COVID-19)
While most organisations are busy dealing with the immediate impact of coronavirus (COVID-19), privacy experts have warned against letting privacy and data safeguards slip during the lockdown.
With many workforces now operating remotely, and employees working from their home offices (or lounge rooms or bedrooms), a host of new privacy concerns is emerging.
In our feature article we hear from two privacy experts – General Counsel at national law firm Holding Redlich, Lyn Nicholson and Founding Scientific Director of the Optus Macquarie University Cyber Security Hub, Professor Michael Johnson – about the latest risks and what your organisation can do to help minimise them.
Working from home: Some unique privacy challenges
Holding Redlich’s Lyn Nicholson said the removal of the formal office structure can lead to unique challenges for organisations that have employees working remotely.
“When people work from home the structure of an office is absent and if systems are not robust there may be a temptation to use devices or software for email accounts that are not secure for work materials that should be kept confidential and private,” Lyn said.
She emphasises that it is important to review systems and reinforce physical and cyber security when staff are working remotely.
Despite the lockdown currently in place, a “great deal” of daily work continues thanks to the relatively advanced state of technology across many industries and the fact that many employees are able to work remotely, said Macquarie University’s Michael Johnson, who is also Board Director for Professional Standards at the Australian Computer Society.
However, the speed of the transition to working from home may prompt some unique risks.
“The very sudden onset of this period of working from home means that some organisations are adjusting to that mode of work without the planning and governance that would normally have been in place before such a change. Privacy matters are a good example of the kinds of things that might, in our urgency to maintain operations, suffer new risks,” Michael said.
He said that organisations used to having staff working flexibly are likely to already have good systems, but for others, there is likely to be a certain amount of improvisation taking place.
“We are fortunate that the growth of flexible work practices has led some organisations to already have in place rules around off-site work. Where those rules have been practised already, there are usually good structures in place such as strong virtual private networks (VPNs); dedicated computer hardware for work activities kept separate from privately owned and often jointly used domestic computer hardware; practised activities for transferring confidential information; and structured workflows taking into account remote work environments.
“But in many cases at present people are having to improvise, and use shared resources for a variety of normally distinct personal and business uses, and often for more than one business, and information transfer and processing practices are being developed on-the-fly and with pressure to deliver quickly. All of this raises great risks for what would normally be well-managed privacy standards.”
An increase in notifiable data breaches
The number of notifiable data breaches increased by 19 per cent in the second half of 2019 compared to the first half of the year, the latest figures from the Office of the Australian Information Commissioner (OAIC) show. The majority of the 537 notifications related to a breach caused by malicious or criminal attack (64 per cent), with human error continuing to feature heavily as the cause of a breach (32 per cent).
Lyn said the latest report is a reminder that continuous data security training – and reinforcement of that training – is essential for organisations.
“Human error and cyber-crime, often facilitated by social engineering, or manipulating humans into error, continue to be major sources of breach so as well as investing in systems, constant training and reinforcement is the key to minimising breaches,” Lyn said.
The use and misuse of email
Michael says the latest Notifiable Data Breaches Report highlights the use and misuse of email – something that has increased significantly in the last month – as a “major concern”.
“This includes the use of unencrypted email to send confidential information, the (often unknown or un-reflected upon) storage of emails, even long after they were needed, in a variety of compromisable servers or end-user devices, and the continuing high rate of successful use of email for phishing, and for the development of more specific targeted attacks,” Michael said.
“People often worry about ransomware or hacking but the great bulk of breaches arise from email phishing (don't click on that link!!), compromised credentials (don't tell anyone your password, don't record your password anywhere, don't have guessable passwords.) or malware (don't install that app! (at least not unless your IT people have analysed it extremely carefully)). These make up 78 per cent of cases - and those 78 per cent are things we can and should be doing all we can to manage better.”
Safeguarding your business in a changed environment: Key privacy steps
- Data handling
Michael recommends organisations clearly identify data owners and the responsibility of data users when handling data.
“Of course the data handlers are working in new environments, so we need to have governance oversight, but it's hard to enforce that governance when employees are handling data suddenly in their own homes and often on their own hardware. Nevertheless, we need to support them by providing clear guidance as to appropriate data-handling practices (how and where data may be stored, the appropriate (and inappropriate!) use of email for transferring and storing data, data deletion practices, data quarantining (keeping data locations known and separated from other activities), the appropriate use of encryption, VPNs, avoidance of downloading data if it can be kept, managed and manipulated on corporate machines from remote locations, and of course clear policies for access (what, by whom, in what role, under what circumstances, and in what way),” Michael said.
- Ensuring good data processes at home
“Stop and think about what data are really required to be used, and in what ways, to continue effective business operations. If those business processes are really required, then the support to ensure good data practices can be used at home needs to be provided,” Michael recommends.
- Prioritising privacy risk
It is important that privacy risk is treated as equally important as health and safety risk. Lyn says: “If organisations treat privacy and cyber security risk in the same way they treat health and safety compliance and training they will be in a good place.”
She suggests organisations assess their privacy risk by undertaking a short-form privacy impact assessment (PIA) to evaluate and mitigate the risks arising from the challenges of working from home. More information from the OAIC on this can be accessed here.
Further information and resources
A range of official guides has been compiled to assist organisations dealing with privacy risks during COVID-19, including resources from the Commonwealth Office of the Australian Information Commissioner here, and some tips from the Australian Cyber Security Centre here. And in a bid to ensure a coordinated response to the impact of COVID-19, state and Commonwealth privacy regulators convened a National COVID-19 Privacy Team in late March.