Privacy Breaches: Notify or Not Notify

A hospital was recently criticised for failing to notify patients of privacy breaches. In 2015, a patient’s emergency assessment paperwork was discovered on the ground near Gosford Hospital. In the same year, a list of patients including their reasons for attending hospital was discovered on a walkway near the hospital.

On both the above occasions, patients were not notified of the privacy breach because the information was not deemed to put them at “serious risk of harm”.

New Mandatory Data Breach Obligations in February 2018

This criticism comes at a time when the Privacy Amendment (Notifiable Data Breaches) Act 2017  received Royal Assent on 22 February 2017 and will come into effect on 22 February 2018. Under the new scheme, an entity covered by the Privacy Act must take steps to notify the Information Commissioner and affected individuals if the entity:

• has reasonable grounds to believe that an eligible data breach has happened; or
• is directed to do so by the Commissioner.

An “eligible data breach" happens if:

1. there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
2. the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

In preparation for the introduction of mandatory data breach notification, we recommend that all medical practices ensure they have a data breach response plan in place, including a nominated response team.

This blog contains general information only. We recommend you contact your medical defence organisation or insurer when you require specific advice in relation to medico-legal matters.