How will Australia's mandatory data breach notification laws affect health service providers?
Amendments to the Privacy Act 1988 (Cth) (the Act) which came into effect on 23 February 2018 introduce mandatory data breach notification provisions which all health service providers must comply with. “Health service” is broadly defined, and includes all medical practices.
Part IIIC of the Act requires providers to notify the Office of the Australian Information Commissioner (The OAIC) and affected individuals when an eligible data breach occurs, i.e, when they suspect that a data breach has occurred and there is a real risk of serious harm to individuals as a result of the breach.
How will this impact medical practices?
Practices are increasingly storing personal and sensitive patient information electronically. Practices should:-
(a) Review their information handling processes and policies and their storage and security systems to ensure they are able to comply with the mandatory data breach notification requirements of the Act.
(b) Prepare a data breach response plan
(c) Ensure that staff training covers the risks associated with handling patient data and the damage that can be caused by mishandling.
Eligible data breach
An eligible data breach occurs when:
- There is unauthorised access to, or unauthorised disclosure of, information in circumstances where a reasonable person would conclude that the access of disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- Information is lost and unauthorised access to, or unauthorised disclosure of, information is likely to occur, and assuming unauthorised access or disclosure of the information will occur, the access or disclosure is likely to result in serious harm to any or the individuals to whom the information relates.
Breaches may occur through data theft, hacking or by accident loss or disclosure of information through internal errors or failure to follow policies.
If a reasonable person would conclude that the data breach is likely to result in serious harm, it is an eligible breach. “Serious harm” is not defined, but the explanatory memorandum indicates that it could include serious physical, psychological, emotional, economic and financial harm, or serious harm to reputation.
Serious harm will be “likely” if such harm is more probable than not, having regard to a number of factors set out in the Act, including the kinds of information accessed/disclosed /lost, the sensitivity of the information, whether the information is protected by security measures, the person(s) or kinds of persons who obtained or could obtain the information and the nature of the harm that may result.
Suspected eligible data breach
If a provider has reasonable grounds to suspect an eligible data breach may have occurred but cannot confirm this is so at the time, the provider has 30 days to carry out a reasonable and expeditious assessments as to whether there are reasonable grounds to believe that the circumstances amount to an eligible data breach.
If a provider has reasonable grounds to believe there has been an eligible data breach, the provider must prepare a statement setting out:-
(a) The identity and contact details of the provider
(b) A description of the data breach that the provider has reasonable grounds to believe has occurred.
(c) The kinds of information concerned.
(d) Recommendations about the steps which individuals should take in response to the data breach.
The statement must be provided to the OAIC and, if practicable, the provider must also notify the individuals to whom the information relates, or each of the individuals who are at risk as a consequence of the data breach, or the contents of the statement.
If it is not practicable to contact the individuals, the provider must take reasonable steps to publicise the contents of the statement and must publish a copy on its website (if it has one).
A mandatory notification is not required to be made if the breach is required to be, and is, reported pursuant to the My Health Records Act 2012.
A mandatory notification is not required to be made if effective remedial action is taken before any serious harm is caused by the breach.
This article was originally published in VicDoc April/May 2018, VicDoc is the magazine of the Australian Medical Association Victoria.