On Wednesday 25 March 2020, New Zealand moved to Level 4 on the COVID-19 alert system.\u00a0\nThat means that \u2014 where they can \u2014 they will be working from home for the foreseeable future. While for many people it may already be something with which they are comfortable, for others the challenges of setting up and working from the \u2018home office\u2019 for the next four weeks may be somewhat daunting.\nOn top of juggling childcare commitments (how many times can a three year old watch Finding Nemo?) or getting overly accustomed to spending time in close company with flatmates, the last thing we all need is a privacy breach to test everyone\u2019s patience.\nBut there are also privacy law implications of working from home, so we set out some practical tips to help employers and employees ensure that they reduce the risk of exacerbating an already difficult situation.\nWhat NZ law says about work-at-home privacy\nNot surprisingly, the Privacy Act 1993 does not expressly address whether employees can work remotely and\/or how to deal with personal information in the working from home environment. That being the case, the Information Privacy Principles (\u2018IPPs\u2019) set out in the Privacy Act apply.\n\nWe are operating in unchartered territory. In many circumstances, what is reasonable in normal times might well be unreasonable in the current situation.\n\nIPP 5 is key. It requires an agency that holds personal information to ensure that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against:\n\nloss\naccess, use, modification, or disclosure, except with the authority of the agency that holds the information\nother misuse\n\nAgencies are effectively responsible for all personal information held by an employee in that employee\u2019s capacity as an employee. So, when an employee starts working from home, it remains the employer\u2019s responsibility to ensure that the personal information used by the employee remains protected.\nWhat security safeguards are \u2018reasonable in the circumstances\u2019 for work-at-home privacy\nWe are operating in unchartered territory. In many circumstances, what is reasonable in normal times might well be unreasonable in the current situation.\nHowever, when it comes to the transmission of information online and the use of personal devices at home, the technology is already there to ensure the safety and security of personal information. Employees who can use work-issued devices and connect securely to their employer\u2019s secure servers should be able to manage the security risk as they would in the ordinary course of business.\nWhat is \u2018reasonable\u2019 in the context of IPP 5 therefore depends on factors such as:\u00a0\nThe nature of the personal information (the more sensitive it is, or the more harmful it would be if it falls into the wrong hands, the stronger the protection that is needed).\nThe ease with which it can be protected (it is not difficult to set a strong password).\nThe cost of protecting it (encryption is now fairly accessible and affordable).\nWhat technical measures employers can take on work-at-home privacy\n Getty Images\n\nTake reasonable steps to ensure that your self-isolation \u2018buddies\u2019 don\u2019t gain unauthorised access to personal information\u00a0\n\n\nEmployers should ensure that all work-issued technology used by employees to connect remotely is, to the extent possible, running of the latest versions and up-to-date with all security patches.\nEmployees should already be encouraged to have strong passwords, and in an ideal world, multi-factor authentication for remote access systems and resources (including cloud services) will have been deployed. If not, and to the extent these can be deployed remotely without disrupting employees\u2019 ability to work from home, employers should consider implementing stronger measures.\nEmployees using their own devices should be reminded of their obligations to comply with the relevant bring-your own-device policy and remote-working policy. Even though they might only be bringing their device from the bedroom to the kitchen table, by using the device to access an employer\u2019s networks, this puts the network at risk \u2014 unless the policy is complied with.\nIf, as an employer, you don\u2019t have such a policy, it\u2019s never too late to implement one.\nWhat other practical steps employees should be required to take\nIPP 5 is not all about technological safeguards. Indeed, many of the worst privacy breaches have been caused by human error \u2014 a failure of a human being to follow organisational measures that help protect personal information from authorised use or disclosure.\nWhen working in an alien environment, in difficult circumstances and faced with unfamiliar pressures, mistakes happen. Now is the time to remind employees who deal with personal information that it\u2019s OK to take a deep breath, relax, and re-familiarise themselves with best practice to avoid a slip up that might lead to a serious privacy breach.\nThese include:\n\nEnsuring that attachments containing personal information are password-protected.\nChecking (and double-checking) that email recipients have been correctly identified, before hitting Send.\nUsing employer-approved secure file sharing services rather than email, if possible, to avoid personal information being inadvertently sent to the wrong place.\nEncrypting laptops and USB sticks to ensure that if hardware is lost, the information on it is protected.\nTaking care when disposing of hard copy documents \u2014 it won\u2019t be appropriate to dispose of them in domestic rubbish or recycling, so if at all possible they should be retained in a safe place and ultimately securely disposed of when circumstances return to normal.\nTaking reasonable steps to ensure that your self-isolation \u2018buddies\u2019 don\u2019t gain unauthorised access to personal information \u2014 this means not leaving documents containing personal information lying on the couch for flatmates to find, and continuing to follow good workplace privacy practice (like locking your computer when you step away from your desk for a moment).\nNot using personal email accounts to receive or send personal information (but, if you absolutely have to, consider sending the information in a password-protected attachment \u2014 and send the password by a different means).\n\nWhile, hopefully, most employers will have already undertaken a privacy impact assessment to fully understand the risks of allowing employees to work from home, it\u2019s not too late to do so.\u00a0\n\nThe inevitable may occur. All businesses should ensure that they have policies and procedures in place in case of a privacy breach, and that employees understand them.\n\nBy working through and assessing the risks, employers can ensure some \u2018easy wins\u2019 (especially when it comes to practical tips for employees) to mitigate the inherent risks we will all face working in the home office environment over the next few weeks.\nPrepare for the worst to come\nWe\u2019ve probably already all experienced some form of network or systems degradation over the past couple of days, as more and more businesses in New Zealand prepare themselves for the period of self-isolation. Employees need to know what to do in such situations \u2014 what is acceptable practice, and what alternative means of accessing networks and doing their jobs are suitable when the usual means of connecting are unavailable. While your remote-working policy might cover this, now is the time to remind employees of how far they can go with a \u2018number 8 wire\u2019 solution.\nFinally, it is worth remembering that \u2014 even with the best intentions \u2014 the inevitable may occur. The effect of a privacy breach is almost always exacerbated if it is not dealt with promptly, and with a plan. All businesses should ensure that they have policies and procedures in place in case of a privacy breach, and that employees understand them.\nWhile reporting privacy breaches is not (yet) mandatory under New Zealand law, the Privacy Commissioner is there to help \u2014 and any organisation that does find itself the subject of a breach is more likely to win the sympathy and win back the trust of the already frazzled public if it takes a front-foot and transparent approach to dealing with it.\nHayley Miller and Campbell Featherstone\u00a0 practice law at Dentons Kensington Swan.