
Q&A with a Risk Adviser: Spotlight on Privacy

09 Jul 2018


Our Risk Advisers have been getting a number of questions from Members about the new Notifiable Data Breaches (NDB) Scheme which came into effect in February 2018.

The changes were made pursuant to the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).

Under the NDB Scheme, if an ‘eligible’ breach of personal information (data) occurs in your practice, you must notify the individuals involved and the Office of the Australian Information Commissioner (OAIC).

Here are some answers to frequently asked questions.

What data breaches are covered by the scheme?

  • Unauthorised access to personal information
    • e.g. a receptionist browses through patients’ records without a legitimate business reason; hackers take control of the practice’s medical records
  • Unauthorised disclosure of personal information
    • e.g. an employee accidentally sends a patient’s medical records to the wrong email address
  • Loss of personal information which may result in unauthorised access or disclosure
    • e.g. an employee accidentally leaves the backup hard drive on a train

An example of a data breach not covered by the scheme is a staff member accessing a patient’s phone number to contact them for social purposes. While this is highly inappropriate and a breach of privacy, it is not a breach covered by the NDB scheme.

What do I do if there has been an eligible data breach?

You must decide:

a) if serious harm is likely to come to someone, and

b) whether you can do something to prevent that harm.

Note that health information is considered ‘sensitive information’ under the Privacy Act, and medical records often contain details (date of birth, address, Medicare number) that can be used for identity fraud, which increases the risk of serious harm. The OAIC’s website has a number of tips for assessing whether serious harm is likely. Several examples:

  • Whose personal information? Young people, celebrities or vulnerable individuals may be at more risk.

  • Is the information protected by security measures? If the lost hard drive is encrypted and the key is not stored with it, harm is less likely. Note that a login or BIOS password on its own does not protect the data: an unencrypted drive can simply be removed and read in another machine, so it is the encryption, not the password prompt, that reduces the likelihood of harm.

  • What parties have gained or may gain access to the personal information? Hackers may be more likely to cause harm than a known patient of the practice.

Things you can do to prevent serious harm may include:

  • contacting the person who received the email and having them agree to delete the email without reading it

  • remotely deleting information before it can be accessed.

If serious harm is likely and you cannot prevent it, you must notify the OAIC and the individuals involved. Information on how to notify is available on the OAIC’s website.

Does the new scheme mean that we can’t send emails to patients?

The NDB scheme does not prohibit sending confidential patient information by email. Privacy law does require you to take reasonable steps to make email communication safe and secure. Use of encrypted email may or may not be reasonable in the practice’s circumstances. Reasonable steps may include:

  • robust IT systems such as firewalls, virus protection, up-to-date versions of software, frequent password updates, backups, etc

  • procedures such as staff education about email use, staff signing confidentiality agreements, email addresses being checked before hitting ‘send’, etc

Depending on the sensitivity of the information, it may be reasonable to take extra steps, such as sending the information in a password-locked PDF file, with the password supplied through a separate channel (verbally or by SMS) and never in the same email. The protection is only as strong as the password, so use a long, randomly generated one rather than a patient’s date of birth or surname.
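The “check the address before hitting send” step above is usually a manual glance, but it can be partly automated. The following is an added example (not code from MDA National or the OAIC) of a pre-send recipient check: it compares the intended recipient against the address the practice holds for that patient, flags an address that belongs to a different patient (the classic wrong-recipient breach), and flags near-misses such as `example.con` for `example.com` using edit distance. The patient directory and addresses are constructed sample data.

```python
"""Pre-send recipient check for outbound patient correspondence.

Added illustrative example. The patient directory below is constructed
sample data, not a real practice's records.
"""

# Constructed sample: patient ID -> email address on file.
PATIENTS = {
    "P-1001": "jane.citizen@example.com",
    "P-1002": "john.citizen@example.com",
    "P-1003": "a.smith@mail.example.net",
}

# Whole-address edit distance at or below this is treated as a probable typo.
TYPO_THRESHOLD = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_recipient(patient_id: str, recipient: str) -> list[str]:
    """Return warnings about sending this patient's records to `recipient`.

    An empty list means the address exactly matches the one on file.
    Anything else should hold the message for a human to confirm.
    """
    recipient = recipient.strip().lower()
    expected = PATIENTS.get(patient_id)
    if expected is None:
        return ["no address on file for this patient; cannot verify recipient"]
    if recipient == expected:
        return []

    warnings = []
    # Address is on file for someone else: the wrong-patient scenario.
    others = [pid for pid, addr in PATIENTS.items() if addr == recipient]
    if others:
        warnings.append(f"address is on file for a different patient ({others[0]})")
    # One or two characters off the recorded address: a probable typo.
    if levenshtein(recipient, expected) <= TYPO_THRESHOLD:
        warnings.append(f"looks like a typo of the recorded address {expected!r}")
    if not warnings:
        warnings.append("address does not match the one on file; "
                        "confirm with the patient before sending")
    return warnings


def triage_outbox(messages: list[dict]) -> tuple[list[dict], list[tuple[dict, list[str]]]]:
    """Split queued messages into those safe to send and those to hold."""
    send, hold = [], []
    for msg in messages:
        warnings = check_recipient(msg["patient_id"], msg["to"])
        if warnings:
            hold.append((msg, warnings))
        else:
            send.append(msg)
    return send, hold


if __name__ == "__main__":
    # Constructed outbox: one correct address, one typo, one wrong patient.
    outbox = [
        {"patient_id": "P-1001", "to": "Jane.Citizen@Example.com"},
        {"patient_id": "P-1001", "to": "jane.citizen@example.con"},
        {"patient_id": "P-1001", "to": "john.citizen@example.com"},
    ]
    send, hold = triage_outbox(outbox)
    print(f"{len(send)} message(s) cleared, {len(hold)} held")
    for msg, warnings in hold:
        print(f"HOLD {msg['to']}: " + "; ".join(warnings))
```

The threshold of two edits is a judgement call: larger values catch more typos but start flagging legitimately different addresses, so the check is designed to hold rather than block, leaving the final decision with the sender.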

Is there anything I should be doing now?

The OAIC recommends preparing a data breach response plan. This will enable you to respond quickly in the event of a data breach. A guide to such a plan is available on the OAIC’s website.


Support in Practice, MDA National


