From 22 February 2018, the Notifiable Data Breaches (NDB) scheme will apply to all agencies and organisations with existing personal information security obligations under the Privacy Act 1988 (Privacy Act). All private sector health and aged care organisations are affected by the scheme requiring them to notify the Information Commissioner and any individuals likely to be at risk of serious harm in the event of an eligible data breach.
What is an eligible data breach?
The NDB scheme applies in relation to any confidential information specific to an individual or a company, including personal information, financial or credit information and tax file number information.
In the context of a health or aged care organisation, a potential data breach could include a security breach of cloud-based practice software, an employee accessing patient or client records without authorisation or the loss of medical records or client notes.
A data breach is only considered an eligible data breach if a reasonable person would conclude it sufficiently serious, so that it is likely that the affected individual would suffer serious harm as a result of the breach.
Protecting against data breaches:
Organisations should consider the following recommendations:
- Familiarisation with the Privacy Act and the APPs;
- Appointment of a privacy officer or internal advisor;
- Undertake an information security audit to identify organisation specific risks;
- Update internal policies and procedures specific to cyber security and privacy;
- Employee training on privacy and confidentiality, particularly in the context of cyber threats;
- Ensuring a data breach response plan is in place; and
- Give consideration to contracts where third parties store or have access to data.
Notification requirements in the event of a data breach:
If it is suspected that a data breach has occurred:
- Immediately take all necessary steps to contain the suspected or confirmed breach.
- Assess the situation to determine that a data breach has actually occurred, and if so, whether or not it is an eligible breach. This assessment must be conducted expeditiously and where possible within 30 days.
- If you have reasonable grounds to believe that an eligible data breach has occurred, the organisation must notify individuals and the Office of the Australian Information Commissioner about the breach as soon as possible.
- The Office of the Australian Information Commissioner provides guidance on how to notify individuals without causing further harm. Direct communication in the form of a telephone call, a letter, an email or in person is preferred.
- Organisations should keep contemporaneous records in relation to any breach including:
- The process of assessing and identifying the breach;
- If the assessment was unable to be completed within 30 days, the reasons for this;
- The notification process for affected individuals; and
- Evaluation of the data breach and the remedy implemented.
My Health Records Act 2012
Section 75 of the My Health Records Act 2012 provides that organisations using the My Health Records system must notify the Information Commissioner and or the System Operator if they become aware that the My Health Records system has or may have been compromised by unauthorised access. In the event that a data breach is related to the My Health Records system, notification must be made whether or not the matter is assessed as being an eligible data breach.
Further considerations
Privacy and confidentiality is not just a matter of ensuring minimum compliance with the legislated obligations, but is essential in ensuring ethical practice and effective business risk management.
As well as the statutory obligations imposed, health practitioners have a professional and ethical obligation to ensure that all patient information remains confidential. A failure to ensure the confidentiality of personal patient information may not just give rise to the potential for legal action against the practitioner and the organisation or financial penalties being imposed, but could also result in disciplinary action being brought against you.
If you experience a data breach and are unsure of how to best deal with it or if notification is required, please do not hesitate to contact our office for more specific advice on your particular circumstances.