by Hayley Miller and Campbell Featherstone

What New Zealanders need to know about work from home

Opinion
Mar 25, 2020

Beyond the human issues are privacy concerns CIOs and their companies should understand

Image: work from home (credit: Divina Paredes)

On Wednesday 25 March 2020, New Zealand moved to Level 4 on the COVID-19 alert system. 

That means that, where they can, New Zealanders will be working from home for the foreseeable future. While for many people this may already be something with which they are comfortable, for others the challenges of setting up and working from the ‘home office’ for the next four weeks may be somewhat daunting.

On top of juggling childcare commitments (how many times can a three year old watch Finding Nemo?) or getting overly accustomed to spending time in close company with flatmates, the last thing we all need is a privacy breach to test everyone’s patience.

But there are also privacy law implications of working from home, so we set out some practical tips to help employers and employees ensure that they reduce the risk of exacerbating an already difficult situation.

What NZ law says about work-at-home privacy

Not surprisingly, the Privacy Act 1993 does not expressly address whether employees can work remotely and/or how to deal with personal information in the working from home environment. That being the case, the Information Privacy Principles (‘IPPs’) set out in the Privacy Act apply.

IPP 5 is key. It requires an agency that holds personal information to ensure that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against:

  • loss
  • access, use, modification, or disclosure, except with the authority of the agency that holds the information
  • other misuse

Agencies are effectively responsible for all personal information held by an employee in that employee’s capacity as an employee. So, when an employee starts working from home, it remains the employer’s responsibility to ensure that the personal information used by the employee remains protected.

What security safeguards are ‘reasonable in the circumstances’ for work-at-home privacy

We are operating in uncharted territory. In many circumstances, what is reasonable in normal times might well be unreasonable in the current situation.

However, when it comes to the transmission of information online and the use of personal devices at home, the technology is already there to ensure the safety and security of personal information. Employees who can use work-issued devices and connect securely to their employer’s secure servers should be able to manage the security risk as they would in the ordinary course of business.

What is ‘reasonable’ in the context of IPP 5 therefore depends on factors such as:

  • The nature of the personal information (the more sensitive it is, or the more harmful it would be if it falls into the wrong hands, the stronger the protection that is needed).
  • The ease with which it can be protected (it is not difficult to set a strong password).
  • The cost of protecting it (encryption is now fairly accessible and affordable).

What technical measures employers can take on work-at-home privacy

Employers should ensure that all work-issued technology used by employees to connect remotely is, to the extent possible, running the latest versions and up to date with all security patches.

Employees should already be encouraged to have strong passwords, and in an ideal world, multi-factor authentication for remote access systems and resources (including cloud services) will have been deployed. If not, and to the extent these can be deployed remotely without disrupting employees’ ability to work from home, employers should consider implementing stronger measures.

Employees using their own devices should be reminded of their obligations to comply with the relevant bring-your-own-device policy and remote-working policy. Even though they might only be bringing their device from the bedroom to the kitchen table, using the device to access an employer’s networks puts the network at risk unless the policy is complied with.

If, as an employer, you don’t have such a policy, it’s never too late to implement one.

What other practical steps employees should be required to take

IPP 5 is not all about technological safeguards. Indeed, many of the worst privacy breaches have been caused by human error: a failure of a human being to follow organisational measures that help protect personal information from unauthorised use or disclosure.

When working in an alien environment, in difficult circumstances and faced with unfamiliar pressures, mistakes happen. Now is the time to remind employees who deal with personal information that it’s OK to take a deep breath, relax, and re-familiarise themselves with best practice to avoid a slip-up that might lead to a serious privacy breach.

These include:

  • Ensuring that attachments containing personal information are password-protected.
  • Checking (and double-checking) that email recipients have been correctly identified, before hitting Send.
  • Using employer-approved secure file sharing services rather than email, if possible, to avoid personal information being inadvertently sent to the wrong place.
  • Encrypting laptops and USB sticks to ensure that if hardware is lost, the information on it is protected.
  • Taking care when disposing of hard copy documents — it won’t be appropriate to dispose of them in domestic rubbish or recycling, so if at all possible they should be retained in a safe place and ultimately securely disposed of when circumstances return to normal.
  • Taking reasonable steps to ensure that your self-isolation ‘buddies’ don’t gain unauthorised access to personal information — this means not leaving documents containing personal information lying on the couch for flatmates to find, and continuing to follow good workplace privacy practice (like locking your computer when you step away from your desk for a moment).
  • Not using personal email accounts to receive or send personal information (but, if you absolutely have to, consider sending the information in a password-protected attachment — and send the password by a different means).

While, hopefully, most employers will have already undertaken a privacy impact assessment to fully understand the risks of allowing employees to work from home, it’s not too late to do so. 

By working through and assessing the risks, employers can ensure some ‘easy wins’ (especially when it comes to practical tips for employees) to mitigate the inherent risks we will all face working in the home office environment over the next few weeks.

Prepare for the worst to come

We’ve probably already all experienced some form of network or systems degradation over the past couple of days, as more and more businesses in New Zealand prepare themselves for the period of self-isolation. Employees need to know what to do in such situations — what is acceptable practice, and what alternative means of accessing networks and doing their jobs are suitable when the usual means of connecting are unavailable. While your remote-working policy might cover this, now is the time to remind employees of how far they can go with a ‘number 8 wire’ solution.

Finally, it is worth remembering that — even with the best intentions — the inevitable may occur. The effect of a privacy breach is almost always exacerbated if it is not dealt with promptly, and with a plan. All businesses should ensure that they have policies and procedures in place in case of a privacy breach, and that employees understand them.

While reporting privacy breaches is not (yet) mandatory under New Zealand law, the Privacy Commissioner is there to help — and any organisation that does find itself the subject of a breach is more likely to win the sympathy and win back the trust of the already frazzled public if it takes a front-foot and transparent approach to dealing with it.

Hayley Miller and Campbell Featherstone practise law at Dentons Kensington Swan.