Articles and Case Studies

Q&A with a Risk Adviser: Spotlight on Privacy

10 Jul 2018

Stethoscope on keyboard showing a privacy and confidentiality key

Q&A with a Risk Adviser: Spotlight on Privacy

Our Risk Advisers have been getting a number of questions from Members about the new Notifiable Data Breaches (NDB) Scheme which came into effect in February 2018.

The changes were made pursuant to the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).

Under the NDB Scheme, if an ‘eligible’ breach of personal information (data) occurs in your practice, you must notify the individuals involved and the Office of the Australian Information Commissioner (OAIC).

Here are some answers to frequently asked questions.

What data breaches are covered by the scheme?

  • Unauthorised access to personal information
    • e.g. a receptionist browses through patients’ records without a legitimate business reason; hackers take control of the practice’s medical records
  • Unauthorised disclosure of personal information
    • e.g. an employee accidentally sends a patient’s medical records to the wrong email address
  • Loss of personal information which may result in unauthorised access or disclosure
    • e.g. an employee accidentally leaves the backup hard drive on a train

An example of a data breach not covered by the scheme is a staff member accessing a patient’s phone number to contact them for social purposes. While this is highly inappropriate and a breach of privacy, it is not a breach covered by the NDB scheme.

What do I do if there has been an eligible data breach?

You must decide:

a) if serious harm is likely to come to someone, and

b) whether you can do something to prevent that harm.

Note that health information is considered ‘sensitive information’ under the Privacy Act and may contain details used for identity fraud, thus increasing the risk of serious harm. The OAIC’s website has a number of tips for assessing whether serious harm is likely. Here are several examples below:

  • Whose personal information? Young people, celebrities or vulnerable individuals may be at more risk.

  • Is the information protected by security measures? If the lost hard drive is password-protected and the data on it is encrypted, harm is less likely.

  • What parties have gained or may gain access to the personal information? Hackers may be more likely to cause harm than a known patient of the practice.

Things you can do to prevent serious harm may include:

  • contacting the person who received the email and having them agree to delete the email without reading it

  • remotely deleting information before it can be accessed.

If serious harm is likely and you cannot prevent it, you must notify the OAIC and the individuals involved. Information on how to notify is available on the OAIC’s website.

Does the new scheme mean that we can’t send emails to patients?

The NDB scheme does not prohibit sending confidential patient information by email. Privacy law does require you to take reasonable steps to make email communication safe and secure. Use of encrypted email may or may not be reasonable in the practice’s circumstances. Reasonable steps may include:

  • robust IT systems such as firewalls, virus protection, up-to-date versions of software, frequent password updates, backups, etc

  • procedures such as staff education about email use, staff signing confidentiality agreements, email addresses being checked before hitting ‘send’, etc

Depending on the sensitivity of the information, it may be reasonable to take extra steps, such as sending the information in a password-locked PDF file, with the password supplied verbally or by SMS.

Is there anything I should be doing now?

The OAIC recommends preparing a data breach response plan. This will enable you to respond quickly in the event of a data breach. A guide to such a plan is available on the OAIC’s website.

Support in Practice, MDA National

Confidentiality and Privacy, Regulation and Legislation


Doctors Let's Talk: Get Yourself A Fricking GP

Get yourself a fricking GP stat! is a conversation with Dr Lam, 2019 RACGP National General Practitioner of the Year, rural GP and GP Anesthetics trainee, that explores the importance of finding your own GP as a Junior Doctor.


25 Oct 2022

Systematic efforts to reduce harms due to prescribed opioids – webinar recording

Efforts are underway across the healthcare system to reduce harms caused by pharmaceutical opioids. This 43-min recording of a live webinar, delivered 11 March 2021, is an opportunity for prescribers to check, and potentially improve, their contribution to these endeavours. Hear from an expert panel about recent opioid reforms by the Therapeutic Goods Administration and changes to the Pharmaceutical Benefits Scheme. 

Diplomacy in a hierarchy: tips for approaching a difficult conversation

Have you found yourself wondering how to broach a tough topic of conversation? It can be challenging to effectively navigate a disagreement with a co-worker, especially if they're 'above' you; however, it's vital for positive team dynamics and safe patient care. In this recording of a live webinar you'll have the opportunity to learn from colleagues' experiences around difficult discussions and hear from a diverse panel moderated by Dr Kiely Kim (medico-legal adviser and general practitioner). Recorded live on 2 September 2020.