Mandatory notifiable data breaches: New legislative requirements


Sara Bird 11/12/2017 3:14:04 PM

A summary of new legislative requirements under the Federal Government’s Notifiable Data Breaches scheme, which commences on 22 February 2018 and only applies to eligible data breaches that occur from that date.

A patient contacts the practice requesting that you email her test results to her so she can take them to an appointment with a cardiologist that day. After sending the results, you realise you have inadvertently emailed them to the wrong patient who has the same surname. You immediately contact the patient who has incorrectly received the results. The patient assures you that they have not opened the email and will immediately delete it.
 
You then contact your patient to inform her about the error. She says she is not concerned about the error, but is keen to receive her results. You confirm the correct email address and, after the call, send her the test results.
 
While you are aware of the Notifiable Data Breaches (NDB) legislation, you remain unsure if you have a legal obligation to do anything more, such as notify the Office of the Australian Information Commissioner (OAIC) about the email error.
 
What is a notifiable data breach?
The NDB scheme requires organisations covered by the Privacy Act 1988, including general practices, to notify particular individuals and the OAIC about ‘eligible data breaches’.
 
According to the legislation, an eligible data breach arises when all three of the following criteria are satisfied:

  1. There is unauthorised access to, or unauthorised disclosure of, personal information that an entity holds, or a loss of that information in circumstances where such access or disclosure is likely to occur.
  2. A reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to one or more of the individuals to whom the information relates.
  3. The entity has not been able, through remedial action taken before any harm occurs, to prevent the likely risk of serious harm.
Examples of a data breach include when:
  • a database containing medical records is hacked
  • health information is mistakenly provided to the wrong person
  • a device containing patients’ medical records is lost or stolen.
It is important to note that not all data breaches are notifiable under the NDB scheme. Only those data breaches which meet the criteria of an ‘eligible data breach’ require notification.
 
What is serious harm?
The term ‘serious harm’ is not defined in the legislation. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial or reputational harm. The more people whose personal information was involved in the breach, the more likely it is that at least one of them will experience serious harm.
 
Issues to consider when deciding whether the data breach would be likely to result in serious harm include the:
  • type of personal information involved in the data breach – information about an individual’s health is considered to be ‘sensitive information’ that may increase the risk of serious harm
  • circumstances of the data breach – whose information was involved, how many individuals were affected, whether the information was encrypted or otherwise not easily accessible, and who has gained access to the information
  • nature of the harm that may result from the data breach – such as humiliation, damage to reputation or relationships, threats to an individual’s safety.
How to notify
When a general practice becomes aware that there are reasonable grounds to believe an eligible data breach has occurred, it must notify the OAIC and the individuals at risk of serious harm as soon as practicable. Where the practice only suspects that an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment of the suspected breach, and complete that assessment within 30 days of becoming aware of the grounds for suspicion.
 
The notification must set out:
  • the identity and contact details of the practice
  • a description of the data breach
  • the kind of information involved in the data breach
  • recommendations about the steps that individuals should take in response to the data breach.
GPs and their staff can seek advice from their medical defence organisation if unsure how to proceed in a particular situation.
 
Postscript
In this case, in view of the remedial action taken by the GP (promptly contacting the unintended recipient, who confirmed that the email had not been opened and would be deleted), the error was not likely to result in serious harm, so there was no eligible data breach and the notification obligations under the legislation did not apply. The practice should nonetheless record the incident and the reasoning behind its assessment, since the recipient’s assurance cannot be verified and the decision not to notify may later need to be justified.
 
Further reading
Office of the Australian Information Commissioner. Notifiable Data Breaches.
 
This article is provided by MDA National. They recommend that you contact your indemnity provider if you need specific advice in relation to your insurance policy.

