The Office of the Australian Information Commissioner (OAIC) has published new COVID-19 guidance to manage the privacy impacts of remote working arrangements for Australian Public Service (APS) staff.
In a statement, the OAIC said the Privacy Act did not prevent APS employees from working remotely as a response to COVID-19; however, the Australian Privacy Principles (APPs) would still apply.
“You should consider whether any changes to working arrangements will impact on the handling of personal information, assess any potential privacy risks, and put in place appropriate mitigation strategies,” the Office said.
“Assessing potential privacy risks will also help you reduce the risk of a data breach, which occurs when personal information is subject to unauthorised access or disclosure or is lost.”
It said Agencies should consider a privacy impact assessment (PIA) as part of their risk management procedures.
“A privacy impact assessment is a useful tool for evaluating and mitigating risks to personal information,” the OAIC said.
“The scale and scope of your PIA will depend on the extent of the change to your working arrangements and other factors such as the size of your entity, its resources, and the types of personal information that you handle.”
It said a PIA provided a useful framework to screen for unexpected privacy issues and may help to further mitigate any privacy risks associated with the remote working arrangements that have been implemented.
“Mitigating privacy issues will also help reduce the risk of experiencing a data breach, which could trigger your notification obligations under the Notifiable Data Breach scheme.”
It said Agencies should also consider their obligations under the Privacy (Australian Government Agencies – Governance) APP Code 2017 to undertake a PIA for all high privacy risk projects.
A guide to undertaking a PIA is available on the OAIC website.