Privacy processes

Under Australian privacy law a practice must have a privacy policy which covers:

• the kinds of information collected or held
• how it’s collected and held
• for what purposes it’s collected, held, used and disclosed
• how an individual may
  • access their personal information and seek its correction
  • complain about a breach of privacy and how the complaint will be handled
• whether information is disclosed to overseas recipients and to what countries.

1. Try to limit the damage if possible. Get help from IT experts if the breach is IT-based.
2. Inform the person responsible for privacy in your organisation and follow the organisation’s data breach response plan.
3. Call your medical defence organisation.
4. Inform the affected patient/s if reasonable.
   • Not strictly necessary under privacy law in all cases but good for transparency and may help assess the likelihood of harm.
   • Should involve apologising, explaining what happened, and an opportunity for questions.
5. Report the breach to the Office of the Australian Information Commissioner if both of the following are true:
   • There has been unauthorised access or disclosure of personal information (or loss of information likely to result in result in unauthorised access or disclosure).
   • The breach is likely to result in serious harm.
6. Review the incident to try to prevent it happening again. This may include (among other actions) further staff training or consulting your IT experts.