Significant reform of privacy legislation in Australia and internationally has occurred in the last two years. Australian health service providers need to be aware of their new reporting obligations under the Notifiable Data Breach (NDB) Scheme.
The Notifiable Data Breach Scheme is a new legal requirement for organisations covered by the Privacy Act 1988 to notify the Office of the Australian Information Commissioner (OAIC) in the event of an eligible data breach. The legislation came into effect on 22 February 2018. Australian health professionals who fail to notify the OAIC under the terms of the scheme potentially face severe financial penalties. These penalties do not apply only to health care organisations: individual practitioners also risk severe financial penalties under the scheme.
A data breach occurs when personal information held by an individual or organisation is lost, or is accessed or disclosed without authorisation.
Several criteria must be met in order for the OAIC to be notified:
Not necessarily. Whilst the NDB scheme is broad, it only applies to health service providers operating under the Privacy Act 1988. This includes practitioners operating in private hospitals, general practice, pharmacies and outpatient allied health services. However, it does not apply to those practising in public hospitals, where the relevant State and Territory legislation applies instead.
Organisations experiencing a data breach should immediately take steps both to contain the breach and to minimise the harm. If those steps are unlikely to prevent a risk of serious harm, both the individuals whose data has been breached and the OAIC must be notified. For more information on reporting a breach visit the OAIC – reporting a data breach.
There are financial penalties for failing to notify both the OAIC and the individuals whose personal information has been compromised. Organisations face a maximum penalty of up to AU$2.1 million at the time of writing. Unlike many other industries operating under the NDB scheme (e.g. financial services), where the obligation sits with a corporate entity, health professionals operating as solo practitioners can be held personally liable under the legislation.
The NDB scheme has delivered telling findings from the first quarter of reporting (Fig 1). Health service providers had the unenviable distinction of reporting the highest number of data breaches. In part, this reflects both the high volume of communication that occurs in health care and the sometimes time-critical nature of information transfer. However, in contrast to most other sectors, where malicious intent and cyberattacks account for the majority of breaches, in health services the majority of data breaches (55%) related directly to human error.
Education, training, updating policies and procedures, and the adoption of secure communication solutions to replace dated legacy channels such as fax and unencrypted email all serve to minimise the risk in an individual's practice.
For tips on how to safely maintain patient privacy visit our Foxo help centre.
Personal information is information that allows an individual to be identified, and may include name, Medicare number and address. Individual pieces of information may not be obviously identifying, but in combination with other information they may allow the individual to be reasonably identified.