New legislation for notifiable data breaches

Paul Hayes

22/02/2018 12:35:54 PM

New legislative requirements under the Federal Government’s Notifiable Data Breaches scheme came into effect from today, with the government aiming to set ‘new standards of accountability and transparency to protect individuals’ personal information’.

The Notifiable Data Breaches scheme includes non-compliance fines of up to $420,000 for individuals and up to $2.1 million for corporations.

Under the scheme, entities subject to the Privacy Act 1988 (including most Federal Government agencies, businesses with an annual turnover of more than $3 million, and certain categories of smaller businesses, such as health providers) are required to notify individuals if their personal data has been involved in a serious breach.
The scheme includes non-compliance fines of up to $420,000 for individuals and up to $2.1 million for corporations.
‘This means that Australians will know if their personal information has been breached and will be empowered to protect themselves, by being able to act quickly to minimise damage,’ Australia’s Attorney-General Christian Porter said.
Data breaches can be particularly damaging in healthcare. The Federal Government cites the release of people’s health records and Medicare card information as examples of data breaches that may increase the risk of serious harm.
What is a notifiable data breach?
The Notifiable Data Breaches (NDB) scheme requires organisations covered by the Privacy Act 1988, including general practices, to notify particular individuals and the Office of the Australian Information Commissioner (OAIC) about ‘eligible data breaches’.
According to the legislation, an eligible data breach arises when the following three criteria are satisfied:

  1. There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that an entity holds.
  2. This is likely to result in serious harm to one or more individuals.
  3. The entity has not been able to prevent the likely risk of serious harm with remedial action.
Examples of a data breach include when:
  • a database containing medical records is hacked
  • health information is mistakenly provided to the wrong person
  • a device containing patients’ medical records is lost or stolen.
It is important to note that not all data breaches are notifiable under the NDB scheme. Only those data breaches which meet the criteria of an ‘eligible data breach’ require notification.
What is serious harm?
The term ‘serious harm’ is not defined in the legislation. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm. The chance that an individual will experience serious harm increases as the number of people whose personal information was part of the data breach increases.
Issues to consider when deciding whether the data breach would be likely to result in serious harm include the:
  • type of personal information involved in the data breach – information about an individual’s health is considered to be ‘sensitive information’ that may increase the risk of serious harm
  • circumstances of the data breach – whose information was involved, the number of individuals, whether the information was encrypted or otherwise not easily accessible, the parties that have gained access to the information
  • nature of the harm that may result from the data breach – such as humiliation, damage to reputation or relationships, threats to an individual’s safety.
How to notify
When a general practice becomes aware that there are reasonable grounds to believe an eligible data breach has occurred, it is obligated to notify the individuals at risk of serious harm and the OAIC as soon as practicable.
The notification must set out:
  • the identity and contact details of the practice
  • a description of the data breach
  • the kind of information involved in the data breach
  • recommendations about the steps that individuals should take in response to the data breach.
GPs and their staff can seek advice from their medical defence organisation if unsure of how to proceed in a particular situation.
Further reading
Office of the Australian Information Commissioner. Notifiable Data Breaches.
Part of this article originally appeared in newsGP in December 2017. In addition, MDA National contributed to this article; they recommend that you contact your indemnity provider if you need specific advice in relation to your insurance policy.
