Are you ready for new privacy laws coming into force on 22 February? Last year, the Federal Government amended the legislation, which applies to the private sector and Australian government agencies, to introduce a mandatory data breach notification scheme.
Nearly 300 members* across a broad range of specialities responded to our ‘Member Survey: How well do you understand the privacy laws?’ The survey was created to help us clarify our members’ understanding of their obligations under the privacy laws so that we can better support the development of tools and resources to help you comply with the legislation.
If this is the first you have heard about the new privacy laws, you are not alone. The survey results reveal the overwhelming majority of members who responded (73%) were unaware the privacy laws are coming into force this month. In response, we have developed some resources below to help you understand and comply with the new requirements – but first, the results...
In response to the question: ‘How well do you understand what these new privacy laws mean for you and your practice?’ 46% of the members who responded admitted: ‘I don’t yet understand what this new law means.’ Only 15% answered in the affirmative – ‘I know what would be considered an eligible data breach and how to respond.’ View the graph below for all the results.
Making data breach response plans a priority
Georgie Haysom, Avant’s Head of Research, Education and Advocacy said, “The survey results emphasise that understanding of privacy law among practitioners remains low, and we need to continue to help our members to stay up to date with key legislative changes affecting their practice.”
The survey results revealed 44% of members who responded conceded they did not have a written process or procedure in place for responding to data breaches in their practice and 37% answered: ‘I think so, but I’m not sure.’ Only 19% confirmed they did have a written process or procedure for responding to data breaches.
“The results are slightly worrying as doctors and practices should already have processes or procedures in place to respond to privacy breaches,” Ms Haysom said. “Now is the time to review your current privacy policies and procedures and ensure a detailed data breach response plan is in place and that staff receive training about their privacy obligations.”
“From 22 February, if there is a ‘notifiable data breach’ the doctor or practice has a legal obligation to notify both the individuals whose data were affected by the data breach, and the Office of the Australian Information Commissioner (OAIC),”she said. “A breach will need to be notified if a data breach is likely to result in serious harm and remedial action cannot be taken to prevent the likelihood of serious harm.”
Avant resources to help you comply
In light of the survey results, our medico-legal experts have developed the educational resources below to help members prevent data breaches in the first place. If a data breach does occur, the resources guide how to respond and whether or not you need to notify the data breach under the new privacy laws. We will update you on our further resources when they become available.
Over half of respondents confident in responding to privacy breaches
We also asked members: ‘How confident are you that you’d know how to respond under this new law?’ based on this hypothetical scenario:
You are the treating doctor for a female patient and her two children. The patient is separated from her partner and she has taken an Apprehended Violence Order (AVO) out against him due to allegations of domestic violence.
The father has contacted your practice to request a copy of the children’s medical records. As there is no parenting order in place, the parents have joint custody of the children and the father has a right to access his children’s records. Your practice manager sends the children’s medical records to the father, but does not redact the patient’s contact details.
Your practice manager realises the error after she has sent the records. How would you respond to this privacy breach?
Almost half of the respondents (49%) admitted they were ‘Not confident’ they would know how to respond under the new privacy legislation. While 47% said they were ‘Fairly confident’ and 4% said they were ‘Completely confident’.
Members were also asked how they would respond to the scenario under the new laws. Fifty four per cent of respondents said they would notify both the patient and the Office of the Australian Information Commissioner (OAIC) of the data breach (View the graph below for the full results).
Ms Haysom said that given the legislation is new, it’s difficult to know how the OAIC would interpret the privacy laws based on this scenario.
“However, in this instance, where there is a risk of serious harm to the patient and her children because of the breach and nothing can be done to prevent that risk, the most appropriate response would be to notify both the patient and the OAIC of the privacy breach.”
Notifiable data breaches scheme
Data breach preparation and response - a guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)
Data breach notification — A guide to handling personal information security breaches
The Australian Digital Health Agency’s Information Security Guide for small healthcare businesses
If you require advice on your obligations relating to privacy, visit our website or for immediate advice, call our Medico-legal Advisory Service (MLAS), 24/7 in emergencies on 1800 128 268.
*The member survey results were collated on 14 December, 2017.
Share your view
We welcome your feedback on this article – email the Editor at: firstname.lastname@example.org