When it comes to collecting personal information from staff, take only what is essential, employers have been warned. 

Know exactly what data you have and get rid of what you don't need as soon as possible, Ai Group experts said at a member briefing on data privacy. 

Minimising risk and exposure before a breach occurs is best practice. 

“You need to be ready for that breach because it’s not a matter of if — but when,” Ai Group Special Counsel Susan Reece Jones said. 

“Get your house in order. This means collecting only the personal information you need to collect — no more, no less.” 

Sparked by recent high-profile data breaches which have resulted in the loss of significant amounts of personal data, the online briefing explored the obligations companies face in relation to employee personal data.  

Under current laws, certain entities, such as employers with an annual turnover of more than $3 million, are required to take “reasonable steps to protect employees’ personal information from misuse, interference and loss, unauthorised access, modification or disclosure”.  

They also have an obligation to destroy or de-identify personal information in certain circumstances. 

Types of personal information 

Personal information is any information that makes someone identifiable. 

This includes:   

  • sensitive information (such as health information, criminal records and sexual orientation);   
  • address and contact details; 
  • credit information; 
  • employee record information and 
  • tax file number information. 

What data needs to be kept?  

Information should be retained if it needs to be relied on and accessed to ensure compliance with things like: 

  • work health and safety (WHS) obligations, 
  • licensing requirements, 
  • Fair Work Act and Fair Work regulations, 
  • superannuation and 
  • tax. 

Depending on the business, employers might need to consider several types of legislation to ensure they meet their data privacy obligations. 

“You're not just dealing with the Privacy Act,” Ms Reece Jones said. 

“In some instances, you're dealing with multiple types of legislation and there are significant consequences of getting it wrong, such as fines and penalties.  

“Changes to the Act are coming as early as next year. There will be increased penalties for serious and repeated contraventions and greater enforcement paths.” 

The consequences are not only financial. 

“In some cases, the law is going to be the least of your problems,” Ms Reece Jones said. 

“The damage to your reputation, brand or image can be huge. The media and the court of social media are completely unforgiving.  

“So, getting your communications and responses right from the minute you become aware of a breach is totally critical.”

How to handle a data breach    

Have a clear definition of what a breach is to help your team identify when one has occurred and when to trigger your plan. 

“Initial communication is key,” Ms Reece Jones said. 

“Assess and contain. What are your top priorities? Who is in your data breach response team? What kind of roles and skills do you require? What is the strategy for documenting the breach? Do a dry run practice.” 

Businesses currently have 30 days to report a notifiable data breach to the relevant authority, the Office of the Australian Information Commissioner (OAIC), but this is likely to change next year to perhaps just 72 hours. 

Practical tips 

There are three equally important aspects to keeping data private and secure: 

  • cyber security, 
  • information security and  
  • a security culture. 

Cyber security 

“Cyber security is like making sure your house has doors and windows and they're locked,” Ai Group’s IT Director Mark Schmidt said. 

“In terms of business, you’re making sure your systems are well protected.” 

Head to the Australian Cyber Security Centre (ACSC) for a wide range of free and helpful resources.  

Following the Essential Eight Maturity Model will eliminate most attacks or limit their impact and help with recovery from an attack. There are three levels of maturity, so it’s important to work through them progressively to increase protection. 

Prevent an attack 

  • Restrict Office macros 

Macros are commands embedded in an Office document that can run code when the document is opened, and they are a common way for cybercriminals to gain access or deploy malware or ransomware. Aim to block macros completely. 

  • Patch application software 

Keep software versions up to date for software applications such as Adobe Reader, Chrome and Nitro Pro. 

  • Application control/allow-listing 

This is security functionality that reduces the number of successful attacks by allowing only trusted files, applications and processes to run on a computer. 

  • User application hardening 

This prevents legacy or unnecessary software such as Internet Explorer, Java or Flash from running on computers. Also configure the system settings to lock down features unnecessary for your business. 

Limit an attack 

  • Multi-factor authentication (MFA) 

Ensure every user account, not just the admin accounts, has MFA enabled. 

“If staff are using the same password to log in to a number of sites such as Facebook and MyGov, as well as your organisation, this is setting themselves and your organisation up for a compromise. If one of those logins is compromised and out on the internet, then threat actors using ‘bots’ will be testing those credentials against dozens of different online sites,” Mr Schmidt said. 

“Then the only thing stopping a threat actor from getting into your environment is MFA, which requires a code or confirmation to approve access. 

“MFA is your last line of defence; it’s the security door at your house in case someone does find the key to your main front door.”  

  • Restrict admin privileges 

Don't let your standard users be admins on their machines. Restrict their access down to a standard user account, despite potential pushback. 

  • Patch operating systems 

Patch your Windows or Mac operating systems with updates as soon as they are released. This will close the security vulnerabilities that are regularly found and then often exploited to gain access. 

Recover from an attack 

  • Regular back-ups 

If you need to recover from a ransomware attack, an unaffected back-up will be key. Ideally, ensure back-ups are not stored on the same network, as attackers will be aiming to delete them if they can. 
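The Essential Eight items above are described as controls to apply; the script below, added here as an example and not part of the Ai Group briefing or the ACSC's own tooling, is a read-only audit that reports whether a single Windows host currently meets three of them (macros blocked, the user is not a local administrator, operating system updates are recent). It assumes Office 2016 or later (the policy registry path uses "16.0"), that macro policy is applied through the HKCU policy hive, Windows 10 / Server 2016 or later for `Get-LocalGroupMember`, and a 30-day patch threshold chosen for the example.

```powershell
# Added example (not from the Ai Group briefing): audit three Essential Eight
# controls on this host. Assumptions: Office 2016+ policy path ("16.0"), macro
# policy applied under HKCU, Windows 10 / Server 2016+ for Get-LocalGroupMember.

$OfficeApps       = 'Word', 'Excel', 'PowerPoint'
$OfficePolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-MacroPolicyStatus {
    # VBAWarnings values: 1 = enable all macros, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # "Block macros completely" is value 4; anything else lets a user run them.
    foreach ($app in $OfficeApps) {
        $path  = Join-Path $OfficePolicyRoot "$app\Security"
        $value = (Get-ItemProperty -Path $path -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
        $state = if ($null -eq $value) { 'no policy set (user-controlled)' } else { "VBAWarnings=$value" }
        [pscustomobject]@{
            Control = "Restrict Office macros ($app)"
            State   = $state
            Pass    = ($value -eq 4)
        }
    }
}

function Get-AdminPrivilegeStatus {
    # A standard user should not be a member of the local Administrators group.
    # Membership is read from the group (by its well-known SID, so the check is
    # language-independent) rather than from the current token, because a
    # UAC-filtered token hides admin membership from IsInRole().
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    $isAdmin = [bool]($members | Where-Object { $_.Name -like "*\$env:USERNAME" })
    $state   = if ($isAdmin) { 'member of local Administrators' } else { 'standard user' }
    [pscustomobject]@{
        Control = "Restrict admin privileges ($env:USERNAME)"
        State   = $state
        Pass    = -not $isAdmin
    }
}

function Get-OsPatchStatus {
    param([int]$MaxDaysSinceLastUpdate = 30)   # assumed threshold for this example
    # Get-HotFix lists installed Windows updates; the newest InstalledOn date is
    # a rough signal of whether patching is keeping pace with releases.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $days  = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
    $state = if ($null -eq $days) { 'no update history found' } else { "last update $($latest.HotFixID), $days days ago" }
    [pscustomobject]@{
        Control = 'Patch operating systems'
        State   = $state
        Pass    = ($null -ne $days) -and ($days -le $MaxDaysSinceLastUpdate)
    }
}

# Run all checks and print a table; each row with Pass = False is an
# Essential Eight control that still needs attention on this host.
$results = @(Get-MacroPolicyStatus) + @(Get-AdminPrivilegeStatus) + @(Get-OsPatchStatus)
$results | Format-Table Control, State, Pass -AutoSize
```

Run it as the ordinary (non-elevated) user whose desktop you are assessing. A "no policy set" macro result means the user, not the organisation, decides whether macros run, which is the gap the briefing warns about; the Get-HotFix date is only a coarse indicator and should be confirmed against your patch management console.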

Information security  

Information security relates to how you handle the information.  

It’s a people issue, not a technical issue. 

“It's wonderful to have locks on the doors, but if you've got a teenage son who leaves the front door wide open, they’re of little value,” Mr Schmidt said. 

“It’s the same with information being mishandled.  

“Problems arise when employees fail to follow best practice with information and how they handle it. 

“For example, if they’re emailing sensitive information, you'll have data stored in places you don't want it stored. It will be unseen, vulnerable and easily lost. 

“It’s very important to look at the full Data Management Lifecycle. 

“Remember the ‘CIA’ of data... you want to protect the Confidentiality of your data, its Integrity to make sure it's accurate and undamaged and the Availability so it doesn't go offline when you need it.” 

Aim to classify your data internally, using labels such as Sensitive, Public or Commercial. This helps staff handle it appropriately, guided by a data protection policy. Microsoft Office has features for applying such labels, but their availability may depend on your licensing. 
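Classification only works if sensitive content is recognised before it is emailed or filed somewhere it should not be. The script below is an added example, not part of the Ai Group briefing and not a Microsoft Office feature: it assigns a "Sensitive" label to text that contains a valid Australian tax file number (one of the personal information types listed earlier) and leaves everything else "Unclassified". It assumes the nine-digit TFN format and the ATO's published check-digit rule (weights 1, 4, 3, 7, 5, 8, 6, 9, 10; weighted sum divisible by 11); the sample messages and TFN-shaped values are constructed for the example.

```powershell
# Added example (not from the Ai Group briefing): label text "Sensitive" when it
# contains a valid Australian Tax File Number. Assumes the nine-digit format and
# the ATO weighted check-digit rule; sample messages below are constructed.

function Test-TfnCheckDigit {
    param([string]$Digits)   # exactly nine digits
    if ($Digits -notmatch '^\d{9}$') { return $false }
    $weights = 1, 4, 3, 7, 5, 8, 6, 9, 10
    $sum = 0
    for ($i = 0; $i -lt 9; $i++) {
        # Cast via [string] first; casting a [char] straight to [int] gives its character code.
        $sum += [int][string]$Digits[$i] * $weights[$i]
    }
    return ($sum % 11) -eq 0
}

function Find-Tfn {
    param([string]$Text)
    # Nine digits, optionally grouped 3-3-3 with spaces or hyphens.
    $pattern = '\b\d{3}[ -]?\d{3}[ -]?\d{3}\b'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        # The check digit rejects most random nine-digit numbers (only 1 in 11
        # pass), so phone and order numbers are rarely flagged.
        if (Test-TfnCheckDigit $digits) { $m.Value }
    }
}

function Get-DataClassification {
    param([string]$Text)
    $hits = @(Find-Tfn $Text)
    if ($hits.Count -gt 0) { return 'Sensitive' }
    return 'Unclassified'
}

# Constructed sample messages: the first carries a TFN-shaped value that passes
# the check digit, the second a nine-digit order number that does not.
$samples = @(
    'Payroll onboarding for J. Citizen, TFN 123 456 782, start date Monday.',
    'Please quote order number 123456789 when you call us back.',
    'Site WHS inspection scheduled for next Thursday.'
)
foreach ($text in $samples) {
    $label = Get-DataClassification $text
    '[{0,-12}] {1}' -f $label, $text
}
```

The same pattern extends to other categories on the page (credit details, health terms) by adding a detector per category and mapping each to a label from your data protection policy; a "Sensitive" result is the cue to keep the content inside the systems approved for it rather than in email.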

Security culture 

Finally, develop a culture where everyone across the business is on the same page when it comes to handling information securely.  

Executive-led employee security awareness training is crucial. Explain “why” and ask employees to help each other to work securely.  

It’s also important to consider the potential risks that come with third parties (such as suppliers and vendors) holding your data. 

To help manage these risks, build good relationships from the outset. Be upfront about your concerns and ask third parties to complete a security questionnaire so you get an understanding of how they're meeting basic security requirements.  

Vendor Risk Management services such as SecurityScorecard, UpGuard and BitSight can help you understand the potential risk in partnering with a particular organisation. 

Should you need any assistance with the drafting of your company’s privacy policies or with managing privacy-related employment matters, contact Ai Group Workplace Lawyers on 1300 55 66 77.  


Wendy Larter

Wendy Larter is Communications Manager at the Australian Industry Group. She has more than 20 years’ experience as a reporter, features writer, contributor and sub-editor for newspapers and magazines including The Courier-Mail in Brisbane and Metro, the News of the World, The Times and Elle in the UK.