Assessing privacy risks in changed working environments: Privacy Impact Assessments
The OAIC appreciates the unprecedented challenges Australian government agencies and private sector employers are facing in combating the spread of COVID-19. To prevent or manage the risk of COVID-19, you may have implemented, or are considering, remote working arrangements for employees or are expanding existing arrangements.
The purpose of this resource is to provide tips on key issues that entities regulated by the Privacy Act 1988 (Cth) (Privacy Act) should consider when assessing the privacy impacts of a remote working arrangement. This resource should be read in conjunction with the additional resources listed below.
The Privacy Act does not prevent employees from working remotely as a response to COVID-19, however, the Australian Privacy Principles (APPs) will continue to apply. You should consider whether any changes to working arrangements will impact on the handling of personal information, assess any potential privacy risks, and put in place appropriate mitigation strategies. Assessing potential privacy risks will also help you reduce the risk of a data breach, which occurs when personal information is subject to unauthorised access or disclosure or is lost.
A privacy impact assessment (PIA) is a useful tool for evaluating and mitigating risks to personal information. The scale and scope of your PIA will depend on the extent of the change to your working arrangements and other factors such as the size of your entity, its resources, and the types of personal information that you handle.
Agencies should also consider their obligations under the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Code) to undertake a PIA for all high privacy risk projects.
Why assess privacy risks through a PIA?
The OAIC acknowledges that, given the urgent circumstances surrounding the COVID-19 pandemic, you may have already implemented or expanded existing remote working arrangements for your employees. Business Continuity Plans and risk assessments will have guided your decisions.
Under APP 11 (security of personal information), entities must take active measures to protect personal information they hold from misuse, interference and loss, as well as unauthorised modification or disclosure. In addition, the Notifiable Data Breach (NDB) scheme applies to all entities with existing personal information security obligations under the Privacy Act. The NDB scheme requires entities to notify affected individuals and the OAIC in the event of an ‘eligible data breach’. These obligations continue to apply to your remote working arrangements.
A PIA provides a useful framework to screen for unexpected privacy issues and may help to further mitigate any privacy risks associated with the remote working arrangements that have been implemented. Mitigating privacy issues will also help reduce the risk of experiencing a data breach, which could trigger your notification obligations under the NDB scheme.
It is never too late to conduct a PIA. A PIA should also be an iterative process during the life of any project, being updated to take account of changes to working arrangements as they evolve. The checklist below is intended to help you consider and assess common privacy issues that may arise in a remote working arrangement.
Is a PIA necessary?
While you may have had remote working arrangements in place for some staff previously, the current situation in relation to COVID-19 has likely resulted in a substantial increase to the numbers of employees working from home and/or an expansion to types of work tasks that have traditionally been performed remotely. Changes to the way personal information is handled may also be required as a result of a shift to a remote working arrangement.
You should undertake a threshold assessment to establish whether a PIA of your remote working arrangements is necessary. For more information about undertaking a threshold assessment, see the OAIC’s PIA Guide.
A PIA may not be necessary if your remote working arrangements do not change existing information handling practices, the privacy implications of these practices have been assessed previously (whether as part of a threshold assessment, a PIA or other risk-assessment process) and controls are current and working well. You may have considered the privacy issues through other mechanisms, like a risk assessment as part of your Business Continuity Plan. Regardless of whether you proceed to a PIA, you should keep a record of your threshold assessment.
How detailed does a PIA need to be?
There is no single way of doing a PIA and entities are encouraged to take a flexible approach. The scale and scope of a PIA will depend on the scale and scope of a particular project.
For example, if you have had remote working arrangements in place for some time and only minor adjustments are being made to the types of work that can be performed from home, a PIA may end up only a couple of pages long. If remote working arrangements will result in a significant change to your business-as-usual practices, including changes to the way personal information is handled, then the PIA may need to consider a broader range of issues.
A PIA doesn’t set out to identify and eliminate every possible privacy risk, however, it should identify any genuine risks that may be associated with your remote working arrangements, assess how serious those risks are, and consider ways that those risks can be mitigated.
Things to consider in a PIA of remote working arrangements
This section outlines key factors that you should consider in assessing personal information handling in remote working arrangements including:
- Governance, culture and training
- ICT security
- Access security
- Data breaches
- Physical security
This is not an exhaustive list and does not cover the entirety of an entity’s obligations under the APPs. You should read this section in conjunction with the list of additional resources below.
Governance, culture and training
Your privacy and security governance arrangements should include appropriate training, resourcing, documented policies and procedures, and management oversight to ensure you foster a culture of privacy and staff are aware of their privacy and security obligations when working remotely.
Questions to consider:
- What governance arrangements do you have in place around remote working arrangements?
  - Do you have a documented process for reviewing and approving applications to work remotely?
  - How often are remote working arrangements reviewed to ensure they are still appropriate and effective for each staff member?
- Are staff members educated on physical security and the handling of personal information when working from home?
- Are staff members educated on ICT and cyber security practices, such as identifying phishing or spear-phishing emails?
- Is there a policy that covers information security when staff members work offsite, such as from home, a secondary site office or a temporary office?
- Are there clear policies governing the use of end-user devices, including use of staff’s own devices (known as ‘Bring Your Own Device (BYOD)’) and procedures for taking work home?
ICT security
As more staff work from home, and the use of remote technology increases, adversaries may attempt to take advantage of any real or perceived vulnerabilities introduced as a result of that change. ICT security measures help mitigate the risks of internal and external attackers and the damage caused by malicious software such as malware, computer viruses and other harmful programs.
Questions to consider:
- Do all devices, Virtual Private Networks and firewalls have necessary updates and the most recent security patches (including to operating systems and antivirus software) and have strong passwords?
- Have you considered increasing cyber security measures in anticipation of the higher demand on remote access technologies and tested them ahead of time?
- Have you implemented a secure method for staff to access your network and systems (e.g. a secure remote desktop client)?
- Do you use multifactor authentication for remote access to systems and resources (including cloud services)?
- Are staff able to remotely access systems with their personal devices? What technical and procedural controls do you have in place to mitigate security risks associated with personal devices?
- Have you assessed the privacy and security controls of any new technology, such as videoconferencing facilities, that you are using?
- Are there strong minimum standards for security of end-user devices (such as password protection, encryption)?
- Have technical solutions which block or mitigate the effects of phishing, spear-phishing and social-engineering attacks been applied (e.g. are email attachments received from an external source scanned before they are opened)?
Access security
Remote working arrangements may give rise to the ‘trusted insider risk’, particularly in circumstances where staff members are not subject to the same level of supervision and oversight as they would be in a traditional office environment. Access security and monitoring controls help you protect against internal and external risks by ensuring that personal information is only accessed by authorised persons.
Questions to consider:
- Do you limit access to personal information to those staff necessary to enable your entity to carry out its functions and activities?
- Have you considered employing remote wiping software to allow for the deletion of personal information stored on end-user devices which have been lost or stolen?
- Is password or passphrase complexity enforced? For example, including uppercase characters, lowercase characters, punctuation, symbols and/or numbers?
- Are there mechanisms for changing them regularly?
- Is reuse of passwords or passphrases blocked?
- Is there a minimum length requirement? Is sharing of passwords or passphrases forbidden?
- Do accounts lock the user out after a specified number of failed logins?
- What methods do you use to identify inappropriate access of files or databases containing personal information?
  - Do you use audit logs and audit trails?
  - Is access by both internal and external persons monitored? Is there a method for identifying anomalous behaviour?
- Do you have the capability to proactively monitor access to systems to identify potential instances of unauthorised access or misuse? Have you considered whether to increase the use of that capability because of the change to the working environment?
- Are these measures mainly reactive (review of logs, responding to incidents) or do they also involve real-time or close to real-time monitoring of access activity?
- If anomalous behaviour is detected, what processes are used to immediately remove or reduce any risk, and then determine whether such behaviour amounts to unauthorised access, including any processes in place to assess whether the access might give rise to an eligible data breach for the purposes of the NDB scheme?
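The questions above ask whether accounts lock after repeated failed logins and whether audit logs are used to spot anomalous access to records containing personal information. The following Python script is an added illustration of that kind of screening; it is not part of the OAIC resource and does not describe any agency's actual logging. The audit-trail format (ISO timestamp, user, action, key=value fields), the sample entries, the users and the thresholds are all constructed for the example. It flags three signals a reviewer of a remote-access log would want: a burst of failed logins reaching the lockout threshold, a single user viewing an unusually large number of distinct records in a short window, and record access outside the hours in which the work is expected.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit trail in a hypothetical format:
# <ISO timestamp> <user> <action> <key=value ...>
_BASE_LOG = """\
2020-04-06T02:10:05 alice LOGIN_FAIL src=203.0.113.10
2020-04-06T02:10:19 alice LOGIN_FAIL src=203.0.113.10
2020-04-06T02:10:33 alice LOGIN_FAIL src=203.0.113.10
2020-04-06T02:10:47 alice LOGIN_FAIL src=203.0.113.10
2020-04-06T02:11:01 alice LOGIN_FAIL src=203.0.113.10
2020-04-06T02:11:15 alice LOGIN_OK src=203.0.113.10
2020-04-06T09:05:00 bob LOGIN_OK src=198.51.100.7
2020-04-06T09:06:00 bob RECORD_VIEW id=client-1001
2020-04-06T09:07:00 bob RECORD_VIEW id=client-1002
2020-04-06T21:30:00 carol LOGIN_OK src=198.51.100.9
"""
# Constructed: carol then views 60 distinct client records within one minute, at night.
SAMPLE_LOG = _BASE_LOG + "".join(
    f"2020-04-06T21:31:{i:02d} carol RECORD_VIEW id=client-{2000 + i}\n" for i in range(60)
)


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    fields: dict


def parse_log(text):
    """Parse the hypothetical audit format into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, *rest = line.split()
        fields = dict(kv.split("=", 1) for kv in rest)
        events.append(Event(datetime.fromisoformat(ts), user, action, fields))
    return sorted(events, key=lambda e: e.ts)


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users who reach `threshold` failed logins inside `window` (a lockout trigger).
    Returns {user: timestamp at which the threshold was first reached}."""
    recent = defaultdict(deque)   # sliding window of failure timestamps per user
    flagged = {}
    for e in events:
        if e.action != "LOGIN_FAIL":
            continue
        q = recent[e.user]
        q.append(e.ts)
        while q and e.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e.user not in flagged:
            flagged[e.user] = e.ts
    return flagged


def bulk_record_access(events, max_records=25, window=timedelta(hours=1)):
    """Users who view more than `max_records` distinct records within any `window`.
    Returns {user: largest distinct-record count seen in a window}."""
    views = defaultdict(list)
    for e in events:
        if e.action == "RECORD_VIEW":
            views[e.user].append((e.ts, e.fields.get("id")))
    flagged = {}
    for user, items in views.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({rid for _, rid in items[start:end + 1]})
            if distinct > max_records:
                flagged[user] = max(distinct, flagged.get(user, 0))
    return flagged


def out_of_hours_access(events, start_hour=7, end_hour=19):
    """Users who viewed records outside the expected working hours (assumed 07:00-19:00)."""
    return sorted({e.user for e in events
                   if e.action == "RECORD_VIEW" and not start_hour <= e.ts.hour < end_hour})


def screen(text):
    """Run all three checks over a log and return the findings for review."""
    events = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "bulk_record_access": bulk_record_access(events),
        "out_of_hours_access": out_of_hours_access(events),
    }


if __name__ == "__main__":
    for name, finding in screen(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed data, alice is reported for a failed-login burst (five failures in under a minute), carol for viewing 60 distinct records in one window and for out-of-hours access, and bob is not reported at all. A finding from a screen like this is only the start of the process the last question above describes: it should trigger containment and then an assessment of whether the access amounts to unauthorised access and, if so, whether it is an eligible data breach under the NDB scheme.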
Data breaches
A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure or is lost. A data breach may be caused by malicious action (by an external or internal party), human error, or a failure in information handling or security systems. Examples of data breaches that could occur when staff are working remotely include:
- unauthorised access to systems containing personal information by an employee (the ‘trusted insider risk’)
- unauthorised disclosure of personal information where a staff member discusses the personal information of another individual where it can be overheard by a third party (such as another member of the household), or enables a record of personal information to be seen by someone else (such as by leaving a computer screen unlocked or by making notes that are obtained or viewed by a third party), or
- loss or theft of physical devices (such as a phone or laptop) or paper records that contain personal information.
Where personal information is compromised and is likely to result in serious harm to any of the individuals to whom the information relates, it must be notified to the OAIC and affected individuals in accordance with the NDB scheme.
In the event of a data breach, having a response plan that includes procedures and clear lines of authority can assist you to contain the breach and manage your response, including whether notification is necessary under the NDB scheme. Ensuring that staff (including contractors) are aware of the plan and understand the importance of reporting breaches is essential for the plan to be effective.
Questions to consider:
- Are staff aware of the agency’s data breach response plan and arrangements? Is it easily accessible by staff working from home?
- Do changes need to be made to the method for notifying actual or suspected incidents if data breach response staff are working from home?
- Does the data breach response team have the appropriate capacity under the new working arrangements to respond quickly to actual or suspected incidents? Do changes need to be made to the team to account for work from home arrangements?
- Has the agency data breach response plan been tested via a simulated exercise involving a working from home arrangement, to identify whether any modifications are required to strengthen the plan?
Physical security
Physical security is an important part of ensuring that personal information held on your network is secure when accessed by staff working remotely. While it may not be possible to assess the individual physical security arrangements of each staff member’s workspace, agencies should consider other ways of facilitating good privacy and security practices.
Questions to consider:
- Have you considered whether there are certain work tasks that should not be performed from home where the privacy risks can’t be mitigated?
- Have you considered how the risk of unauthorised disclosure can be further mitigated by modifying work tasks that are able to be performed from home (e.g. increasing communication over email rather than the phone (if there is a risk of being overheard), re-allocation of matters to staff with a private home office, or nominating times where staff may come into the office to carry out certain essential tasks)?
- Have you provided clear guidance regarding physical security measures that all staff working remotely are required to take? This should include directions around:
  - working only from the home authorised and not in public spaces
  - ensuring screens are angled so they cannot be viewed by anyone else and locked when not in use
  - ensuring that no other member of the household uses work devices
  - ensuring that phone conversations where personal information is disclosed cannot be overheard by other members of the household
  - using generic terms (such as customer, client or complainant) on phone calls or in videoconferencing so that an individual is not reasonably identifiable
  - storing devices (particularly work devices) in a safe location when not in use
  - not making any hard copies of documents containing personal information
  - not emailing any agency information, including personal information, to their personal email accounts
  - not discussing or transmitting agency information, including personal information, with colleagues or third parties via personal chat groups.
- Have you considered proactive measures to ensure staff have adequate physical security measures in their home? (e.g. consider implementing an ongoing program of ‘spot checks’, which could be carried out through virtual or remote methods, to inspect staff members’ individual working arrangements)
- Where staff do not have a private home office, consider what steps could be taken to enable a temporary workspace to be established in a separate room of the home, or redesign work tasks to remove the need to handle personal information.
Additional resources
You should also refer to the resources listed below where relevant to your entity.
- Guide to undertaking privacy impact assessments
- PIA e-Learning course
- Guide to securing personal information
- Data breach preparation and response guide
- Coronavirus (COVID-19): Understanding your privacy obligations to your staff
- Keep up to date with the latest advice from the Australian Cyber Security Centre
- Agencies should ensure continued compliance with Protective Security Policy Framework requirements
Notes
For the purposes of Part 3 of the Code, a project may be a high privacy risk project if the agency reasonably considers that the project involves any new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals. The term ‘project’ covers the full range of activities and initiatives undertaken by agencies that may have privacy implications, including increased remote working arrangements.
A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates. Entities must conduct a prompt and reasonable assessment if they suspect that they may have experienced an eligible data breach. For more information, see Notifiable Data Breaches.