New privacy laws coming into force – are you ready?

Oct 23, 2017

In February this year, the Federal government passed legislation that amended the Privacy Act 1988, moving from a voluntary to mandatory data breach notification scheme.

In the lead-up to the introduction of the new laws from 22 February 2018, we have developed the hypothetical scenario and short confidential survey below to help us clarify our members’ understanding of their obligations under the legislation. We plan to use the responses to support the development of tools and resources to help you comply with the new privacy laws.

Hypothetical scenario: how would you respond to this privacy breach?

You are the treating doctor for a female patient and her two children. The patient is separated from her partner and she has taken an Apprehended Violence Order (AVO) out against him due to allegations of domestic violence.

The father has contacted your practice to request a copy of the children’s medical records. As there is no parenting order in place, the parents have joint custody of the children and the father has a right to access his children’s records. Your practice manager sends the children’s medical records to the father, but does not redact the patient’s contact details.

Your practice manager realises the error after she has sent the records. How would you respond to this privacy breach? Provide your answer in the survey below.

Member survey: how well do you understand the new privacy laws?

Privacy laws member survey

Answer our short confidential survey to help us gauge our members’ understanding of their obligations under the legislation in relation to the scenario above.

Your obligations

Under the mandatory data breach notification scheme, individuals affected by a data breach must be made aware of the breach so they can take action to protect themselves from harm. The legislation covers the private sector including healthcare providers.

Doctors and medical practices should already have processes in place to respond to privacy breaches. However, from 22 February 2018, if there is a ‘notifiable data breach’ the doctor or medical practice has a legal obligation to notify both the individuals whose data were affected by the data breach, and the Office of the Australian Information Commissioner (OAIC).

'Notifiable data breaches'

A data breach will be a ‘notifiable data breach’ where there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held at your practice and ‘a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result’.

‘Serious harm’ could include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.

The new legislation does not require every data breach to be notified. Breaches that are quickly rectified, so that the affected individuals are not at risk of serious harm, will not require notification.

Avant resources to help you prepare

During this transition period, doctors and medical practices should take the opportunity to review their current privacy policies and procedures, ensure a detailed data breach response plan is in place and that staff receive training about their privacy obligations.

We have begun developing tailored educational resources to help you comply with the new privacy laws. Download our decision-making flowchart and privacy basics factsheet below and look out for further resources in your future Avant newsletters.

Don’t forget to answer our short confidential survey to help us understand your knowledge of the new privacy laws, so we can assist our members by developing future resources.

More information

Are you ready? Mandatory data breach notification

Avant notifiable data breach scheme decision-making flowchart

Avant privacy basics factsheet

Guide to developing a data breach response plan

Data breach notification — A guide to handling personal information security breaches

The Australian Digital Health Agency’s Information Security Guide for small healthcare businesses

If you require advice on your obligations relating to privacy, visit our website, or for immediate advice call our Medico-legal Advisory Service (MLAS) on 1800 128 268 (available 24/7 in emergencies).

Share your view

We welcome your feedback on this article – email the Editor at: editor@avant.org.au