Introduction
Remote work or ‘working from home’ can be a useful tool for maintaining continuity and productivity during a disaster, especially when physical access to offices or meeting spaces is limited or unsafe.
In a disaster, the reasons why a not-for-profit organisation may need to implement remote work arrangements for its employees and volunteers include:
- damage to the workplace – if the organisation's physical workspace is damaged or destroyed, employees and volunteers may need to work from home or other remote locations until repairs can be made and the workplace is safe
- disruption of transport – if transport infrastructure is damaged or disrupted, it may be difficult or unsafe for employees and volunteers to commute to the workplace
- government mandates – governments may mandate remote work arrangements in response to disasters to help contain the spread of disease or protect public safety
- lack of essential services – if essential services, such as electricity or internet, are disrupted, it may be difficult or impossible for the organisation to operate from its physical location
In these circumstances, implementing remote work arrangements can support the safety and well-being of employees and volunteers, allow the organisation to continue operating and promote greater flexibility and adaptability in the face of changing circumstances.
Key legal implications your organisation should consider when employees or volunteers work remotely include work, health and safety laws, employee entitlements under the Fair Work system, privacy and data security, and insurance.
For more information, see our webpage ‘Working from home’.
Safety considerations
Working alone or remotely can increase the health and safety risks of any job. Workers may be isolated from support and assistance because of where or when they’re working, or the nature of the work they are doing.
An organisation has a duty under model WHS laws to protect workers’ health and safety. This includes managing the risks associated with remote and isolated work.
An organisation must, so far as is reasonably practicable:
- provide and maintain a work environment that is without risk to health and safety
- provide adequate and accessible facilities for the welfare of workers
- monitor workers’ health and safety and workplace conditions to prevent work-related illness and injury
- give workers the necessary information, instruction, training or supervision to do their job without risks to health and safety
- consult with workers, and health and safety representatives (HSRs) if the organisation has them, about health and safety issues that may directly affect them
The model WHS Regulations (regulation 48) specifically address remote or isolated work. This includes the requirement for organisations to:
- manage the health and safety risks to remote or isolated workers, and
- have systems in place to effectively communicate with workers
Insurance considerations
Review your organisation’s insurance policies to determine whether the policies cover the risk of loss or damage that may occur in circumstances where volunteers, employees or officers are working remotely.
In conducting this review, consider the risks that might arise from remote work to confirm whether the policies cover these risks and that any risks are not the subject of an exception. For example, there may be specific notification requirements in insurance policies that require your organisation to notify the insurer of remote work arrangements.
Make sure your organisation complies with these notification obligations so that it can make a claim against the policy if necessary.
Workers' compensation insurance
Your organisation must have workers' compensation insurance that covers your workers (including employees and volunteers) wherever they are working, including if they are working from home. This is required by law in each state and territory.
Make sure that your organisation’s workers' compensation insurance meets the requirements of the states and territories in which the workers are working.
Property and equipment insurance
Many not-for-profit organisations allow employees and volunteers to use property or equipment owned by the organisation while they work remotely. This often includes expensive items such as phones or laptops. If your organisation allows this, make sure such property is covered by property and equipment insurance regardless of the location in which the property is used.
Also ensure that employees are using technology and hardware provided by the organisation while working remotely.
If your organisation operates a ‘bring your own device’ model and employees and volunteers use their own technology and devices for work purposes, it is important to have an accompanying ‘bring your own device’ policy which regulates things like security settings on the device, how the device can be used for work purposes, how files can be stored and used on personal devices, who is responsible for insuring the device, and what will happen if the device is lost or stolen.
This is important for:
- compliance - as it ensures that any documents or records created by the employee are accessible by the organisation on its services, and
- security - as it allows the organisation to control firewalls and other security measures in circumstances where individual employees may not have sufficient safeguards in place
It is also important from an insurance perspective. If an employee works or stores documents on a personal device that is damaged, the organisation's property and equipment insurance policy may not respond to cover such a loss.
Public liability insurance
Public liability insurance protects organisations from legal claims arising from accidents or injuries that occur as a result of their activities. This can include damage to property or bodily harm. For not-for-profit organisations, this might involve incidents related to the services they provide.
The risk profile of an organisation’s operations may change if some or all of its operations are conducted remotely.
If members of the public, including recipients of services or representatives of partner organisations, are likely to engage with your organisation’s employees, volunteers or members while they are working from home, your organisation should ensure that its public liability insurance policy covers claims that might arise from these circumstances.
For more information, see our resources on insurance.
Privacy and data security
When an organisation’s employees or volunteers work remotely, the organisation must consider the privacy and data security implications.
Case study – cybercrime and personal information
A global pandemic forces Equity Now, a community legal centre, to implement mandatory remote work arrangements for its employees and volunteers.
As the community legal centre’s employees and volunteers working remotely become more reliant on digital communication and online tools, there is an increased risk of:
- cybercrime such as phishing attacks (where attackers try to deceive individuals into revealing personal or confidential information like passwords or credit card numbers by posing as a trusted entity like a bank, government agency or another trusted party)
- remote access exploits (where attackers attempt to exploit the widespread use of remote access tools to gain unauthorised access to an organisation's systems and data), and
- staff inadvertently disclosing personal information (through using unfamiliar document storage and conference platforms or while working in a shared remote location such as a communal space in a share house)
While technology controls can help to mitigate risks, it's critical to increase staff awareness around cyber risk and develop procedures for securely sharing personal information and conducting financial transactions.
To manage the increased risks, organisations should:
- enforce complex password requirements for all email accounts and other systems used to hold sensitive data (such as payroll systems, HR systems or client management systems)
- implement robust remote access solutions with multi-factor authentication and encryption to protect against unauthorised access, in addition to complex password requirements
- develop and enforce strict data security policies, including guidelines for handling sensitive information, using secure document storage platforms, and protecting devices from unauthorised access
- conduct regular security audits to identify and address vulnerabilities in the organisation's IT infrastructure
- limit access to systems and restrict privileges on those accounts to only those who require it to perform their role
- conduct privacy impact assessments to identify and mitigate potential privacy risks associated with remote work arrangements
- provide regular cybersecurity training to employees and volunteers, emphasising the importance of recognising and avoiding phishing attacks (encouraging staff to call the sender if they have the slightest doubt about the authenticity of an email), using strong passwords, and practising safe online behaviours
- educate employees and volunteers about the risks of working in shared remote locations and encourage them to be mindful of their surroundings and to avoid discussing sensitive information in public areas
- if appropriate, purchase cyber insurance to help address the potential costs of responding to a cyber incident
For more information, see:
- The Australian Signals Directorate (Australian Government) webpage ‘keeping your small business secure’
- The Office of the Australian Information Commissioner (Australian Government) webpage ‘Assessing privacy risks in changed working environments’
Is communication through video conferencing software like Zoom and WhatsApp secure and confidential?
Video conferencing is a useful way to remain in contact when working from home. However, video conferencing software must be used with care, as these tools increase exposure to cybercrime and inadvertent disclosure of data.
In general:
- check what security is offered by the application provider – is multi-factor authentication offered? Is end-to-end encryption offered? Does the provider keep any metadata from your conferences (or other data)? If data is collected, how is it used?
- read the provider's terms and conditions to check your rights and the provider's obligations
- make sure you have the latest security and software updates installed for the teleconferencing facility you use
- hold teleconferences in private rooms, not shared spaces. Use headphones to prevent others listening in
- password protect access to video and teleconferences
- only allow invited participants to join the teleconference and ensure invitations are sent to the right people
- notify participants if the video conference is being recorded
For more information, see:
- the Australian Signals Directorate (Australian Government) webpage ‘web conferencing security’
- our resources on privacy laws and cyber security
Disclaimer: These resources provide general information about legal issues that may arise for not-for-profit organisations in managing disasters. This information is a guide only and is not legal advice. If you or your organisation has a specific legal issue, you should seek legal advice before deciding what to do. See full disclaimer and copyright notice.
The content on this webpage was last updated in December 2024.