The Office of the Australian Information Commissioner (OAIC) has issued a reminder to organisations that, despite the extraordinary circumstances, they still have an obligation to handle personal information (what many security teams call personally identifiable information, or PII) with the utmost care.
The OAIC wrote that while they “appreciate the unprecedented challenges Australian Government agencies and private sector employers are facing to address the spread of COVID-19,” organisations must still adhere to the Privacy Act 1988.
The Privacy Act does not prevent employees from working remotely, but the Information Commissioner reiterated that the Australian Privacy Principles (APPs) apply to remote work just as they do in the office. “Agencies and employers will need to consider similar security measures for employees working remotely as those that apply in normal circumstances,” it writes. “A Privacy Impact Assessment is a useful tool for evaluating and mitigating risks to personal information. Agencies are required to undertake a Privacy Impact Assessment for all high privacy risk projects or initiatives that involve new or changed ways of handling information.”
The OAIC has also released a set of good-practice measures for securing personal information while staff work remotely, in line with APP 11 (security of personal information):
Keep up to date with the latest advice from the Australian Cyber Security Centre
Agencies should ensure continued compliance with Protective Security Policy Framework requirements
Secure mobile phones, laptops, data storage devices and remote desktop clients
Increase cyber security measures in anticipation of the higher demand on remote access technologies, and test them ahead of time
Ensure all devices, Virtual Private Networks and firewalls have necessary updates and the most recent security patches (including to operating systems and antivirus software) and have strong passwords
Make sure devices are stored in a safe location when not in use
Use work email accounts not personal accounts for all work-related emails that contain personal information
Implement multi-factor authentication for remote access systems and resources (including cloud services)
Only access trusted networks or cloud services
The media release is also directed at agencies and organisations that may need to notify relevant authorities, staff or others about a coronavirus case in their operations. Such an organisation must still handle any disclosure in line with the Privacy Act: information should be released on a need-to-know basis, and it remains the organisation's responsibility to decide what is reasonably necessary to disclose.
“In order to manage the pandemic while respecting privacy, agencies and private sector employees should aim to limit the collection, use, and disclosure of personal information to what is necessary to prevent and manage COVID-19, and take reasonable steps to keep personal information secure,” the Office wrote.
“You may inform staff that a colleague or visitor has or may have contracted COVID-19 but you should only use or disclose personal information that is reasonably necessary in order to prevent or manage COVID-19 in the workplace,” the OAIC said, adding that revealing the name or further details of the individual may not be necessary to mitigate the risk of COVID-19 spreading.
The Office has also called on organisations to tell their staff, and where relevant their supply chain partners and clients, how their personal information may be used in response to COVID-19, and to ensure an information security policy is in place to keep that information secure, particularly as the number of remote workers increases.
According to ZDNET, “on consent, the OAIC said it is not necessary if the collection is required or authorised under an Australian law, or where a ‘permitted general situation’ exists. The OAIC said this includes where the collection is undertaken to lessen or prevent a serious threat to the life, health, or safety of any individual, or to public health or safety.”