Mandatory data breach legislation – report it or risk it
Significant reform of privacy legislation in Australia and internationally has occurred in the last two years. Australian health service providers need to be aware of their reporting obligations under the new Notifiable Data Breach scheme.
What is the Notifiable Data Breach (NDB) scheme?
The Notifiable Data Breach scheme is a new legal requirement for organisations covered by the Privacy Act 1988 (Cth) to notify the Office of the Australian Information Commissioner (OAIC), and the individuals affected, in the event of an eligible data breach. The new legislation came into effect on 22 February 2018. Australian health professionals who fail to notify the OAIC under the terms of this scheme potentially face severe financial penalties. These penalties apply not only to health care organisations: individual practitioners are also exposed under the scheme.
What constitutes a data breach under this scheme?
A data breach occurs when personal information held by an individual or organisation is lost, or is accessed or disclosed without authorisation.
When does a data breach need to be reported to the Office of the Australian Information Commissioner (OAIC)?
Several criteria must all be met before the OAIC has to be notified (the legislation calls such a breach an "eligible data breach"):
There is unauthorised access to personal information (usually in relation to malicious intent, criminal activity or a cybersecurity breach) OR
There is unauthorised disclosure of personal information (usually the result of human error such as emailing the wrong recipient or failing to follow policies or procedures) OR
There is loss of personal information; AND
The data breach is likely to result in serious harm to one or more of the individuals concerned; AND
The individual or organisation has not been able to prevent the likely risk of serious harm through remedial action.
Does it apply to all Australian health professionals?
Not necessarily. Whilst the NDB scheme is broad, it applies only to health service providers covered by the Privacy Act 1988 (Cth). This includes practitioners operating in private hospitals, general practice, pharmacies and outpatient allied health services. It does not apply to those practising in public hospitals, where the relevant State and Territory legislation applies instead.
What steps should I take in the event of a data breach?
Organisations experiencing a data breach should immediately take steps both to contain the breach and to minimise the harm. Where it is not yet clear whether the breach is an eligible one, the scheme requires a reasonable and expeditious assessment, to be completed within 30 days of the breach being suspected. If the steps taken are unlikely to prevent the risk of serious harm, both the individuals whose data has been breached and the OAIC must be notified. For more information on reporting a breach visit the OAIC – reporting a data breach.
Are there penalties if I fail to notify the OAIC?
There are financial penalties for failing to notify both the OAIC and the individuals whose personal information has been compromised. Organisations face a maximum penalty of $AU 2.1 million at the time of writing. Unlike practitioners in many other industries operating under the NDB scheme (eg financial services), health professionals working as solo practitioners operate as individuals and can therefore be held personally liable under the legislation.
What steps can I take to minimise the future risk of data breaches in my practice?
The first quarter of reporting under the NDB scheme has delivered telling findings (Fig 1). Health service providers had the unenviable distinction of reporting the highest number of data breaches. In part, this reflects both the high volume of communication in health care and the sometimes time-critical nature of information transfer. However, in contrast to most other sectors, where malicious intent and cyberattacks account for the majority of breaches, in health services the majority of data breaches (55%) related directly to human error.
Education, training, updated policies and procedures, and the adoption of secure communication solutions to replace dated legacy channels such as fax and non-secure email all serve to minimise the risk in an individual's practice.
Personal information is information that allows an individual to be identified, and may include name, Medicare number and address. Information that is not obviously identifying on its own may, in combination with other information, still allow the individual to be reasonably identified.