The COVID-19 pandemic has had a profound impact on many aspects of our lives. In particular, it has forced us to change many of our workplace practices and the way we structure our working day. This has been seen in the increase in people working from home and the exponential increase in ‘virtual’ meetings staged on platforms such as ‘Microsoft Teams’ and ‘Zoom’ just to name a few. Whilst Virtual Meetings are very simple to stage, convenient and cost efficient, it is fair to say that they do not necessarily have the same level of information security as a ‘traditional’ face-to-face meeting.
One of the benefits of ‘traditional’ face-to-face meetings is the ability to control where the meeting takes place and who attends. Of course in this setting, the security of information is far greater. Attendees know that the meeting room is secure and they can physically see the attendees. In most situations, they also have far greater control over sound. Conversely, the ability to control where a Virtual Meeting takes place is not as easy as in reality, a Virtual Meeting can occur anywhere – in a work office, at home, in a café or even on public transport. In addition, an accidental incorrect ‘invitation’ may see someone invited to a Virtual Meeting who is not authorised to be in the meeting, or, given the virtual nature of the meeting, attendees may forget who is present and discuss information that some people in the meeting are not authorised to hear.
Workplace Meetings and Information
Workplace meetings discuss ‘information’. Information can take many forms with some being general information in nature that does not carry with it any real level of confidentiality or security. However, meetings from time-to-time will discuss information that maybe referred to as ‘confidential information’ or even a ‘trade secret’ in a Business Contract or Employment Contract. Workplace Meetings may also discuss information that fits the definition of ‘personal information’ or ‘sensitive information’ as set out in the Privacy Act 1988 (Cth).
The Privacy Act and Security of Information
The Privacy Act 1988 (Cth) (the Act) regulates how personal information and sensitive information are managed in Australia. The Act contains the 13 Australian Privacy Principles (the APP’s). Specifically in relation to security, APP 11 states:
“An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.” (emphasis added)
Whilst the word ‘disclosure’ is not defined in the Act, Chapter B of the APP Guidelines states that:
“An APP entity discloses personal information when it makes it accessible or visible to others outside the entity and releases the subsequent handling of the personal information from its effective control.”
The release of information can be accidental and it can occur even when the personal information is already known by the recipient. Putting this in context, participating in a Virtual Meeting in a place where security of information is poor would place you in a situation where you could fall foul of APP 11 or the provisions of a Business Contract or Employment Contract.
What Should Businesses Do?
APP 11 makes it clear that an APP entity (which is an individual, a body corporate, partnership, unincorporated association or a trust) must take reasonable steps to protect personal information from disclosure. Further, Business Contracts and Employment Contracts ordinarily contain ‘damages’ clauses for breaches of confidential information. In light of these requirements, businesses should develop procedures and processes to ensure that when conducting a Virtual Meeting, that they have taken reasonable steps to ensure that the participants in the meeting are:
- in a ‘physical’ place that ensures that the information that is being discussed is secure; and
- aware who is also present in the meeting.
These two very simple measures can easily be discharged by a quick ‘security of information’ check at the beginning of each Virtual Meeting and a meeting minute taken to prove that reasonable steps were taken to protect disclosure of personal or sensitive information under the Act and ‘confidential information’ relevant to a Business Contract or Employment Contract.
For further information please contact Danny Clifford, Director.