In February this year, the Federal government passed legislation that amended the Privacy Act 1988, moving from a voluntary to a mandatory data breach notification scheme.

In the lead-up to the introduction of the new laws from 22 February 2018, we have developed the hypothetical scenario and short confidential survey below to help us clarify our members’ understanding of their obligations under the legislation. We plan to use the responses to support the development of tools and resources to help you comply with the new privacy laws.
Scenario: how would you respond to this privacy breach?
You are the treating doctor for a female patient and her two children. The patient is separated from her partner and she has taken an Apprehended Violence Order (AVO) out against him due to allegations of domestic violence.

The father has contacted your practice to request a copy of the children’s medical records. As there is no parenting order in place, the parents have joint custody of the children and the father has a right to access his children’s records. Your practice manager sends the children’s medical records to the father, but does not redact the patient’s

Your practice manager realises the error after she has sent the records. How would you respond to this privacy breach? Provide your answer in the survey below.
Member survey: how well do you understand the new privacy laws?

Answer our short confidential survey to help us understand our members’ understanding of their obligations under the legislation in relation to the scenario above.
Under the mandatory data breach notification scheme, individuals affected by a data breach must be made aware of the breach so they can take action to protect themselves from harm. The legislation covers the private sector, including healthcare providers.
Doctors and medical practices should already have processes in place to respond to privacy breaches. However, from 22 February 2018, if there is a ‘notifiable data breach’ the doctor or medical practice has a legal obligation to notify both the individuals whose data were affected by the data breach, and the Office of the Australian Information Commissioner (OAIC).
A data breach will be a ‘notifiable data breach’ where there is unauthorised access to, or unauthorised disclosure, or loss of, personal information held at your practice and ‘a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a

‘Serious harm’ could include serious physical, psychological, emotional, economic and financial harm, and serious harm to

The new legislation does not require every data breach to be notified. Breaches that are quickly rectified, so that the affected individuals are not at risk of serious harm, will not require notification.
Avant resources to help you prepare
During this transition period, doctors and medical practices should take the opportunity to review their current privacy policies and procedures, ensure a detailed data breach response plan is in place, and ensure that staff receive training about their privacy obligations.
We have begun developing tailored educational resources to help you comply with the new privacy laws. Download our decision-making flowchart and privacy basics factsheet below and look out for further resources in your future Avant newsletters.
Don’t forget to answer our short confidential survey to help us understand your knowledge of the new privacy laws, so we can assist our members by developing future
ready? Mandatory data breach notification
Avant notifiable data breach scheme decision-making flowchart
Avant privacy basics factsheet
Data breach preparation and response
If you require advice on your obligations relating to privacy, visit our website or, for immediate advice, call our Medico-legal Advisory Service (MLAS), available 24/7 in emergencies on 1800 128 268.
Share your view
We welcome your feedback on this article – email the Editor at: firstname.lastname@example.org