The Notifiable Data Breaches (NDB) scheme commenced on 22 February 2018. Under the scheme, private sector and Australian government organisations covered by the Privacy Act must assess the potential harm to individuals from a data breach. If serious harm is likely, the organisation must notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC).
Last month, the OAIC released a report [1] detailing insights from the first 12 months of the scheme. It highlighted increased understanding of the scheme, areas of uncertainty and the nature of the reported data breaches. Just over half of the breaches reported by the health sector arose from human error (most commonly personal information sent to the wrong recipient), while most of the remainder related to malicious or criminal attack.
In March and April this year, we invited members to complete a survey telling us more about their understanding of the scheme. This was a follow-up to a survey we ran in December 2017, just before the new laws commenced. The 2017 survey showed there was considerable lack of awareness about the pending legislation, so how has this changed?
What our members told us
Over 400 members across a broad range of specialties responded to the survey. As expected, the results revealed much higher awareness of the scheme than previously, with 66% of respondents saying they were aware of the scheme compared to 24% in 2017.
[Chart: Awareness of the Notifiable Data Breaches scheme over time]
We were pleased to see that among those who were aware, Avant’s educational resources were the most common source of information. Two-thirds said they received information about the scheme through Avant, including our newsletter articles, our website resources and Avant presentations.
However, despite the increased awareness of the scheme, roughly a third of respondents were still not aware of the new laws. As the scheme is now over a year old, the OAIC is less forgiving of this, as its report states:
“After a full year of operation of the NDB scheme, entities should now be fully aware of their obligations and have in place processes to notify and minimise harm to individuals.”
We also asked members who were aware of the scheme how they would respond to a hypothetical scenario:
The reception staff at your workplace accidentally emailed a referral letter for your patient to the incorrect email address. The letter was received by another doctor with a name similar to the doctor who was supposed to receive it.
[Chart: Responses to the question ‘Under the Notifiable Data Breaches scheme, how would you respond in this scenario?’]
The correct answer was to ‘ask the other doctor to destroy the email’.
A data breach only needs to be notified to the individual(s) concerned and the OAIC if it is likely to result in serious harm and that harm cannot be prevented by remedial action. In this example, remedial action is available: the other practice can delete the email, and your practice should confirm that it has done so. It is also relevant that the recipient is another doctor, who has strict duties of confidentiality and privacy obligations of their own.
This option was selected by only one third of respondents. A similar proportion chose ‘notify both the patient and the Office of the Australian Information Commissioner’.
Interestingly, when those who were aware of the scheme were asked how well they understood what the scheme meant for them and their workplace, only around a third said they know what would be considered a notifiable data breach and how to respond. Around one quarter said they don’t yet understand what the new law means.
[Chart: Responses to the question ‘How well do you understand what the Notifiable Data Breaches scheme means for you and your workplace?’]
Deeper analysis showed that even among those who said they knew what would be considered a notifiable data breach and how to respond, only 38% gave the correct response to the hypothetical scenario. This suggests some false confidence about knowledge of the scheme and a further need for education. Clearly, awareness of the new laws is not sufficient to ensure understanding, and without understanding, healthcare professionals are at risk of mishandling a data breach should one occur.
Avoiding data breaches
Our survey results show that if you aren’t sure how to prevent privacy and data breaches, you are not alone. Of all respondents (including those who were not aware of the scheme), 71% said they would like to learn more about this topic.
The recent OAIC report highlights the importance of organisations understanding what personal information they hold, and says they should reassess how securely those holdings are protected in light of the now known causes of breaches.
Given that many breaches in the healthcare sector arose from human error, the OAIC stresses the need for “strong privacy governance in the health sector that includes robust and regular employee training and technological solutions to assist employees.”
To help our members understand and comply with the laws under the Notifiable Data Breaches scheme, our medico-legal experts have developed the educational resources below to help members prevent data breaches in the first place.
Responding to data breaches
Most (84%) members who responded to our survey also wanted to know more about how to respond to privacy and data breaches.
You don’t have to wait for a breach to occur before preparing a response. Having the right procedures in place for responding to data breaches is key to responding efficiently and appropriately. The survey results were promising in this regard. Almost half (48%) of respondents said they had a written process for responding to data breaches in their main clinical workplace (compared to 19% in the first survey). However, almost one in five (18%) said they did not and 35% answered: ‘I think so, but I’m not sure.’
While this is an encouraging increase, all practices should have a written policy and process in place. Even with a process in place, it is important to test whether it addresses every requirement in the event of a breach: who is responsible for assessing whether serious harm is likely (the Act allows 30 days to complete that assessment), who decides whether remedial action removes the need to notify, and who makes the notifications.
Finally, under the new laws, an organisation that has experienced a notifiable breach must not only report the breach to the OAIC and the affected individuals, but also assist those individuals by recommending steps they can take to reduce the harm. The OAIC stresses the need to move beyond compliance to a focus on supporting the individuals who have been affected.
To help members respond appropriately in the event of a data breach, we have provided them with a resources guide (below), including information on whether or not you need to notify the data breach under the new privacy laws.
Avant resources to help you comply
If you require advice on your obligations relating to privacy, visit our website or for immediate advice, call us on 1800 128 268, 24/7 in emergencies.
[1] OAIC, Notifiable Data Breaches Scheme 12-month Insights Report, Office of the Australian Information Commissioner, 2019.