Business guide to Coronavirus

Cyber security while working from home

Since the outbreak of COVID-19, companies and other organisations have been compelled to adjust their policies on working from home to adapt to the new and ever-changing COVID-19 circumstances.  This, in turn, has presented numerous challenges for these employers in terms of cyber security, data protection and compliance with privacy laws. 

The impacts of the Delta variant has been a stark reminder to businesses for the need to revisit cyber security, data protection and privacy policies and practices. Assessing the associated risks of employees working from home and setting new cyber security standards and best practices is critical to protect your customers’ interests and for business continuity.

The Office of the Australian Information Commissioner (OAIC) has issued some guidance to help entities regulated by the Privacy Act 1988 address their privacy obligations during the coronavirus pandemic.

OAIC recommendations

Australian Government agencies and private sector employers that are regulated entities under the Act (Australian Privacy Principles (APP) entities) need to:

  • take reasonable steps to keep personal information secure
  • consider whether any changes to working arrangements will have an impact on the handling of personal information
  • consider taking steps to notify employees of how their personal information will be handled in responding to any potential or confirmed case of COVID-19
  • assess any potential privacy risks where employees are working remotely, and
  • ensure reasonable protocols are followed to keep personal information secure where employees are working remotely.

APP entities need to consider implementing similar privacy and data security protocols for employees working from home to those that apply in an office environment.

Steps to protect personal information when employees work remotely 

The OAIC outlines steps to protect personal information when working from home (or anywhere other than the office), including:

  • understanding the latest advice from the Australian Cyber Security Centre
  • ensuring continued compliance with the Protective Security Policy Framework requirements
  • securing mobile phones, laptops, data storage devices and remote desktop clients
  • increasing cyber security measures in anticipation of the higher numbers of employees working on remote access technologies, and testing them in advance
  • ensuring all devices, Virtual Private Networks and firewalls have necessary updates and the most recent security patches (including to operating systems and anti-virus software) and have strong passwords
  • ensuring employees only use work email accounts for work related emails that contain personal information
  • implementing multi-factor authentication for remote access systems and resources (including cloud services), and
  • only accessing trusted networks or cloud services.

What else does your business need to consider?

If your business has a turnover of more than $3 million per annum, you will need to have a privacy policy and collection statement to comply with the Privacy Act, whether you are a proprietary limited company, trust, incorporated association or sole trader.

Understand your employee’s home network security and how well it would weather a cyber attack. This will indicate whether your business needs to provide anti-virus software and information technology support. Businesses that provide clear guidance and support to employees, as well as employee training on how to deal with suspicious emails, can mitigate any potential losses associated with cyber attacks.

Check whether your business has an up-to-date cyber security policy and whether the risks associated with employees working remotely are included.

Ensure that your business has a data breach response plan, a privacy officer or person appointed to deal with privacy matters and that your employees know what they need to do and who to contact in the event a data breach occurs.  

Finally, ensure your business’s expectations have been communicated to employees around secure storage and how to dispose of confidential documents they have taken home for work.

For specific legal advice about data protection and privacy-related matters, and to minimise the risk associated with working remotely, we recommend you contact Australian Business Lawyers & Advisors.


Explore our next-gen cyber training and resources to defend against online threats to your business. Plans start from only $10/month.