As the world continues to deal with the economic and operational challenges from the global COVID-19 pandemic, cyber criminals are seeking to exploit new work practices and capitalise on uncertainty. Organisations should be conscious of the general data, privacy and business risks associated with COVID-19.
In response to multiple requests from clients for guidance, the Australian cyber team have prepared a two part series of updates which provide a comprehensive roadmap of responses to frequently asked questions about how organisations should respond to COVID-19 from a privacy and cyber perspective.
If you have any questions or issues that you would like us to address in further updates, please get in touch with one of the team. In particular, future updates will focus on "the road to recovery" and on assisting organisations to endure these challenging times.
Australian organisations are facing many new challenges in the fight to prevent the spread of COVID-19. While there are unprecedented risks to navigate, organisations should still remember their privacy obligations underpinning how they handle personal information.
What are the key considerations?
Many organisations will be aware of their obligations under the Privacy Act 1988 (Cth) (Privacy Act) and other State and Territory privacy laws that may apply. Generally speaking, these laws govern the handling of personal information including its collection, use, disclosure and destruction.
In responding to COVID-19, the key privacy considerations will relate to:
The Office of the Australian Information Commissioner (OAIC) has prepared some helpful guidance on how to manage privacy risk while responding to COVID-19 (see here).
How can an organisation manage privacy risk?
As a general comment, to minimise privacy risk to employees' and individuals' data while managing the pandemic response and working remotely, consistent with privacy best practice, organisations should:
The above steps are especially important given the increased pressure to respond quickly to prevent the spread of coronavirus, and the increased risks that come with working remotely as a result of limited face-to-face interaction between staff and clients, and the use of new and unfamiliar technologies to do business.
If an employee tests positive to COVID-19, the employer and employee must follow the latest Government-issued guidance, including any exclusion/self-isolation requirements, to limit the spread.
This includes contact tracing to identify who might have passed on the illness to any 'confirmed case', and to understand who the 'confirmed case' was in contact with while infectious. QLD Health has provided a resource (here) for how this is to be approached.
For more information, visit the Australian Government's Department of Health website (here), or call the National Coronavirus Health Information Line on 1800 020 080 for general advice or healthdirect on 1800 022 222 if a person has symptoms. Each State and Territory Government health agency has their own website for localised information.
Safe Work Australia has recently provided a seven-step guide about how to respond to a suspected or confirmed case of COVID-19, depending on whether the individual was diagnosed while at work or elsewhere (see here). Employers should review this guide for how to respond.
What are your organisation's privacy obligations?
There are strict privacy obligations that apply when handling employee data especially sensitive information such as health information. Although these requirements are balanced against the need to provide a safe workplace, care should be taken to protect the affected employee's privacy while notifying others of the risk of transmission.
Importantly, the Privacy Act is not intended to prevent critical information sharing and with some simple steps organisations can remain compliant with their privacy obligations whilst effectively managing the response.
When notifying employees, an organisation should only disclose information that is reasonably necessary in order to prevent or manage the spread of COVID-19 in the workplace. This may or may not include the name of the affected employee, depending on the circumstances.
When notifying employees or other persons who may have had contact with an affected employee, an organisation should:
The above scenarios are intended to be practical guidance only. Appropriate advice should be obtained on a case by case basis, and in consultation with Government agencies and health authorities.
Clyde & Co has the largest dedicated and rapidly expanding cyber incident response practice in Australia and New Zealand. Our experienced team have dealt with over 700 data breach and technology related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.
From pre-incident readiness, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients in Asia Pacific across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.
Our 24 hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on:
We thank Chris Chivers, Chloe Sevil, Gary Bayarsaikhan and Emily Wood for their contributions towards this series of updates.