Are you ready? Mandatory data breach notification

Apr 13, 2017

Doctors and practice managers have until early next year to review and update privacy policies and procedures before notification of serious data breaches becomes mandatory. The Australian Government passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 in February to establish a mandatory data breach notification scheme. The legislation covers private sector health providers.

Purpose of the notification requirement

The intention of this amendment to the Privacy Act 1988 is to make sure individuals affected by data breaches are aware of the breach so they can take action to protect themselves from harm. Doctors should already have processes in place to notify affected patients in these circumstances.

Mandatory notification was introduced because of concerns that under the current voluntary notification system data breaches are being under-reported or notifications to affected individuals delayed, affecting their ability to take steps to prevent or reduce possible harm associated with the breach.

Avant had argued that the legislation was not necessary for health providers because doctors already had ethical obligations to inform patients about adverse events, including breaches of privacy and confidentiality. The final legislation reflects recommendations from Avant and others that only serious data breaches that expose individuals to the real risk of serious harm be notified.

Notification requirement applies to ‘eligible data breaches’

The mandatory notification requirement will apply to ‘eligible data breaches’: unauthorised access to, unauthorised disclosure of, or loss of personal information where ‘a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals’. The test is the likelihood of serious harm, not whether harm has already occurred.

‘Serious harm’ could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The new legislation does not mean every data breach is subject to mandatory notification. Minor breaches that are quickly rectified, so that a reasonable person would no longer conclude the affected individual is likely to suffer serious harm, will not require notification (see Scenario 1).

However, if there is an eligible data breach the doctor or medical practice must, as soon as practicable, notify all individuals whose data were affected by the breach and the Office of the Australian Information Commissioner (OAIC) (see Scenario 2).

The OAIC can impose remedies such as public or personal apologies, compensation payments or enforceable undertakings. Serious or repeated breaches can be referred to the Federal Court, which can impose financial penalties. Some media reports about these penalties have quoted the maximum court penalty, which is a worst-case scenario rather than the likely outcome for a single breach.

Mandatory data breach notification requirements already apply for unauthorised access to certain eHealth information under the My Health Records Act 2012.

Transition process

The OAIC will guide a transition process from voluntary to mandatory notification during the next 12 months, working with government agencies, business, the health sector and consumers to make sure all personal information is held securely and responses to serious data breaches are transparent.

We advise medical practitioners and practice managers to use this opportunity to review their privacy policies and procedures, and ensure a detailed data breach response plan is in place. The OAIC provides guidelines to help, including Data breach notification - A guide to handling personal information security breaches and Guide to developing a data breach response plan.

Avant is also developing information to help members during the transition period, including a guide to assist practices in identifying eligible data breaches and help them work through the notification process.

Scenario 1:

A large medical clinic introduces a new reminder system for appointments that includes sending a short text message to patients.

The clinic has two patients with the same name and an appointment reminder is sent to the wrong patient.

The patient’s GP contacts Avant and is advised to let the patient know that a reminder was sent to the wrong number and that this was an administrative error.

This data breach does not require notification to the OAIC, because a reasonable person would not conclude that disclosure of an appointment time to another patient is likely to result in serious harm.

Scenario 2:

A GP downloads patient data to a laptop computer ready for a visit to a nursing home the following morning. The data includes personal information about each patient including identification details such as Medicare numbers, contact details of family members, and personal medical details.

The GP makes a stop on the way to the nursing home and leaves the laptop locked in the car. However, the laptop is not password protected and the downloaded data are not encrypted. The car is broken into and the laptop stolen.

Because the patients’ identification and medical details are now accessible to whoever has the laptop, a reasonable person would conclude that serious harm is likely. The GP must notify the nursing home and all patients whose details were downloaded to the laptop about the theft.

This data breach would also require notification to the OAIC.

Change to cover for privacy breaches from 1 July

The updated Avant Practitioner Indemnity Insurance Policy will provide cover up to $250,000 for fines and penalties for unintentional privacy breaches. The cover includes defence for any unintentional privacy breaches in relation to your provision of healthcare (subject to the terms, conditions and exclusions of the policy).

Cover for fines and penalties for privacy breaches applies to existing financial-year members from 1 July 2017. For calendar-year members, this cover applies from 1 January 2018.


Share your view

We welcome your feedback on this article – email the Editor at: editor@avant.org.au