In part one of exploring best practice in note-taking and record-keeping, we explored the importance of record-keeping, current laws and codes relevant to note-taking, using and disclosing records, how notes should be taken and whether they can be altered and the length of time records should be kept.
In part two we look at:
- Electronic versus paper records - pros and cons;
- Electronic records and 'the cloud';
- Risk management when keeping records in 'the cloud'; and
- Notifiable data breaches
Electronic versus paper records
|Electronic records||Paper records|
Electronic records and 'the cloud'
When entering into a contract with a cloud service provider (provider) it is important the risks of using the provider are identified and assessed. Due diligence about the provider and the security measures in place must be performed and you must be satisfied that they comply with legislation relevant to your records. You should ensure that contractual arrangements are established to manage known risks and monitoring arrangements are put into place.
'The cloud' and risk management
Storage and maintenance of records with providers can have a variety of business and legal risks. As noted above, a thorough risk assessment should be conducted before entering into an arrangement with a provider. This is particularly important because of practical difficulties in establishing relationships with global providers and making site inspections of remote facilities.
Some risk management considerations include:
Sending or storing records
It is important to note the act of sending or storing records outside a State, Territory or Country might be a breach of local laws. Before entering into an arrangement with a provider, an organisation should investigate any legislative impediments to the transfer or storage of records outside the applicable physical boundaries of the State, Territory or Country where it resides.
Compliance with legislation and standards of the record creating jurisdiction
There is a risk where providers send records outside the geographic boundaries of the record-creating jurisdiction they might fail to comply with the legislative or regulatory requirements of the creating jurisdiction. For example, not all jurisdictions internationally have legislation governing the protection and management of private or personal information that are of equivalent strength to Australian laws.
Records may be subject to legislation and other requirements of the storage jurisdiction
If your records will be stored on a 'cloud' located in another jurisdiction, advice should be sought on whether there is any legislation in the relevant interstate or overseas jurisdiction that will apply to the storage and maintenance of your records. For example, it is likely that privacy laws of an overseas jurisdiction will apply to any information stored within the jurisdiction, even if the information did not originate in that jurisdiction. Other laws may permit access to information by investigative or watchdog bodies in the jurisdiction in which the information is stored and there is a possibility that, if an overseas law enforcement agency subpoenas a provider for access to records, there may not be any consultation or notification.
Risks associated with unauthorised access to records
Another risk is unauthorised access to records which may result in breaches to privacy or other laws. This risk can be increased where providers subcontract parts of their operations to other companies. It is also likely that the provider will co-locate your records with another organisation’s – so proper partitioning and security controls need to be put in place.
Risk of a loss of access to records
Due to the provision of cloud computing services over the internet, it is potentially more likely that there may be some periods of disruption to service where records may be inaccessible. For business activities in which continuous access to information is imperative, the impact of a loss of access may be severe.
Digital records stored as part of cloud computing arrangements are subject to all the same threats and risks as records stored anywhere, for example records being destroyed as a result of a disaster or records being compromised or destroyed as a result of cyber-attack.
In cloud computing situations, however, there are additional risks including:
- Loss of access to records because the service provider has gone out of business or has been taken over by another company, which may not choose to honour your contract or to provide the agreed level of service.
- A person in another State or country accessing, claiming ownership or taking control of the records.
- Records not being returned upon request or at conclusion of the contract or returned only on payment of a large fee.
- Inadequate backup and restoration arrangements as a result of cost cutting by the service provider.
- Storage providers may upgrade hardware and/or software which is not compatible with the organisation’s, meaning there is a risk of data loss or of records not being readable upon return.
- Service provider disposes of digital records without the approval of the client organisation.
There can also be a risk of records not being disposed of in a timely way, once authorised by the organisation, because it is common for service providers to replicate records for multiple backup, sending copies to sites in different locations or even different jurisdictions. This can mean that time-expired records are not properly deleted from every server held in every site. This can be a serious risk where there is a specific requirement for information to be destroyed, such as personal or sensitive information in records.
The evidential value of records may be damaged
Records need to be managed in such a way that can be shown to be authentic and reliable. If an organisation is not able to prove that records could not or have not been altered or tampered with in any way, this will reduce or negate their value as evidence. In addition, the evidential value of records may be affected if appropriate audit trails and descriptions of management processes performed on records while they are kept in cloud computing systems are not maintained.
Notifiable data breaches
Under the Notifiable Data Breaches (NDB) scheme, any organisation or agency the Privacy Act 1998 covers, must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved.
When does a data breach occur?
A data breach occurs when personal information an organisation or agency holds is lost or subjected to an unauthorised access or disclosure. For example, when a device with a customer's personal information is lost or stolen, a database with personal information is hacked or personal information is mistakenly given to the wrong person.
What needs to happen if there's a My Health Record data breach?
Health providers are required to report potential or confirmed data breaches involving the My Health Record system to the System Operator, the Australian Digital Health Agency (ADHA). My Health Record data breaches must also be reported to the OAIC except where the health care organisation is a State or Territory authority or instrumentality.
If you would like further information on this topic, or if you would like to review your policies, procedures or training requirements, please contact Gemma McGrath.