PIP: Welcome to today's webinar, Notifiable Data Breaches Scheme, information for General Practice. My name’s Pippa and I’m the Project Coordinator for the RACGP Practice Technology and Management Team, and I will be your host for today. I'm joined by Dr Penny Burns, who will deliver the presentation for you today, and Amanda Baird who is the Director of Dispute Resolution from the Office of the Australian Information Commissioner, or the OAIC, who will present the information to you today in today's webinar. A little bit more about Dr Penny Burns… Penny is a General Practitioner based in Sydney. She has worked for over 20 years in urban and rural general practice, and is a member of the RACGP Expert Committee for Practice Technology and Management. She's been interested in computer and technology use in general practice since the early 90s. Penny is interested in the use of technology to improve outcomes in learning. Over the last year she's been involved in delivering education sessions as part of the My Health Record in General Practice National Education Awareness Campaign, and she is currently part of the CSIRO Primary Care Data Quality Content Working Group, which examines the use of data in general practice, and is also Deputy Chair of the Disaster Management specific interest group at the RACGP. Penny and Amanda, welcome to the webinar.
PENNY: Thanks, Pip.
PIP: Thank you. Penny, Amanda, myself, and the RACGP would like to thank everyone today for taking the time out of your busy schedules to participate in this webinar. Before we begin we'd like to make an acknowledgment to country. I would like to begin by acknowledging the traditional owners of the land on which we are meeting here, today, and to pay my respects to their elders past and present.
PENNY: Today, the aim is to cover what is in the Notifiable Data Breaches Scheme and how it applies to general practice, a little bit of statistics to make it relevant to health care provision, what is an eligible data breach, and what to do if you experience one, data breaches and the My Health Record system, which is slightly different, and then we'll do some case studies and a poll and some questions. The learning outcomes for this session are to be able to describe a notifiable data breach, identifying which one has occurred so you're prepared to respond, summarise what actions are required if a notifiable data breach occurs, and the difference between response for a data breach relating to My Health Record or a notifiable data breach under the scheme, and then discuss how the NDB applies to general practice.
So, what is a data breach? A data breach occurs when personal information held by an organisation is accessed by an unauthorised party, it’s disclosed to an unauthorised party, or it's just lost. So, a data breach occurs when personal information held by an organisation enables an individual to be identified or reidentified, and this can be related to names, or Medicare numbers, or addresses, or phone contacts. Information will be personal information. The information may not by itself however be obvious, but in combination with other information that's released it may be, and the relevant individual may be identified or reasonably identifiable. So, when in doubt the suggestion is to err on the side of caution and to treat the information as personal information. Some of the examples are: an email containing test results has been sent to the wrong recipient, a spreadsheet of patients is made publicly available, a staff member accessing a patient's information without authorisation, or even if patient files are locked up in someone's bag and may have ended up somewhere else in public. All of those are potential data breaches.
So, what is the Notifiable Data Breach Scheme? So, it's only new, it came into effect on 22 February 2018, and it applies to all agencies and organisations with existing personal information security obligations under the Privacy Act, and that includes general practice. It's a legal requirement to notify individuals and the OAIC of notifiable data breaches, and there are quite steep fines if it's not done in a very timely fashion. So, the NDB outlines three criteria that must be met before a data breach is reported to the OAIC, and they have specific requirements on what needs to be reported to them. Now, we're very lucky to have Amanda Baird, the Assistant Director of Dispute Resolution from the OAIC, to cover these in more detail.
So, does the NDB Scheme apply to general practice? The NDB Scheme applies to all private sector health providers. If you provide a health service and you hold health information you're covered by the Privacy Act, even if that's not your primary activity. The definition of private health service providers is quite broad, so some examples would be general practice, other traditional health service providers, such as private hospitals, day surgeries, pharmacists, specialists, allied health professionals, also complementary therapists such as naturopaths and chiropractors, even gyms and weight loss clinics, childcare centres and private schools. This definition of a health provider under the federal Privacy Act does not include public hospitals; these are regulated by the relevant law in the state or the territory.
So, why is the NDB Scheme important for general practice? General practices hold a lot of identifying personal information about patients such as name, date of birth, address, telephone number, etc, etc. This information may be vulnerable to unauthorised access, unintended authorised disclosure, for example a staff member accessing a patient file unintentionally, or a staff member sending personal patient information to an incorrect recipient, or leaving a computer open on a desk for a patient or unauthorised staff member to read the notes. We know from the data collected since February 2018 that health care providers are a significant source of data breaches. Handling of personal information is nothing new for us. Information confidentiality has actually been something that GPs have been very aware of, and it's been a strong part of medical treatment amongst general practice, and GPs are a highly trusted group of individuals, but this trust will now also extend to data security, and it's really important that general practices are able to understand their responsibility to protect this personal information for their patients. The main purpose of the National Data Breaches Scheme is to ensure that individuals are made aware when their personal information is caught up in a data breach, and serious harm is likely to result. So it’s essential for practices to proactively engage their patients’ privacy expectations, and the expectations of the regulators.
PIP: Thank you very much, Penny. So, right now we'll have Amanda from the OAIC joining the webinar to talk about some of the statistics around Notifiable Data Breaches. Thanks, Amanda. Hello, Amanda, are you online?
AMANDA: Oh, I'm sorry there, Pip, it looks like it was muted. Thank you for that overview, Penny. I'll just run through some of the statistics we've seen in the Notifiable Data Breaches Scheme, and particularly the last quarter that we've reported on, from October to December 2018, and our full report is available on our website for this quarter. So, as we can see on this slide the top 5 industry sectors to report data breaches in that quarter are health service or healthcare providers; finance; legal, accounting and management; education; and personal services. We've seen a notable increase in entities' awareness of their new responsibilities under the Notifiable Data Breaches Scheme, and the health sector is leading the way with regard to the number of notifications. In that last quarter we saw about 262 data breach notifications, which is up on the previous quarter. The purpose for our quarterly statistical report is to build a picture of the trends in personal information security risks that are likely to result in serious harm to individuals, and over time we hope they can help us point out and proactively assist entities in managing these risks. As shown in our chart, health service providers were responsible for 21% of the notifications, and this is consistent with international trends that we've seen in other data protection agencies to date, and the OAIC is working with healthcare providers and the College to provide advice and guidance on data breach prevention strategies. What I might just note here, as well, is that the high number of notifications in the health sector might be influenced by a range of factors, including the factors as Penny outlined, and the broad requirement for all private sector health service providers to comply with the Privacy Act, regardless of size or turnover, and this compares to other businesses which are mostly exempt from the obligations under the Privacy Act if their turnover is less than $3 million a year.
More generally we find, as well, that the health sector seems to have a greater level of responsibility and awareness of their privacy obligations, and this is a good thing, but it can also lead to over notification, which I will come back to later.
So, the source of data breaches for the October to December quarter, across all sectors, we saw human error and malicious and criminal attacks accounting for the majority of notifiable data breaches. For the health sector we saw 54% were caused by human error and 46% were caused by malicious or criminal attacks. Looking first at human error in the healthcare sector, the ratio of 54% is much higher than the economy-wide average of 33%. So, breaking down human error data breaches into more detail, we can see that personal information sent to the wrong recipient by email was the most common type of human error data breach for the health sector. And this also extended to the sending of personal information via email, mail, fax, or some other form of communication. That's fairly consistent across the quarters that we've seen. There was also a significant number of situations where people failed to use the BCC (blind carbon copy) function when sending emails, thereby disclosing personal information to a wider group of individuals, and we've also seen lost paperwork, or storage devices, as well as unintended release or publication of information. Turning to malicious or criminal attacks, 46% of recorded breaches were attributed to this particular source. So, this can include cyber incidents such as compromised credentials through phishing, or spear phishing attacks, ransomware, malware, or brute-force attacks, where an automated system guesses username and password combinations. Now, this particular source also includes theft of paperwork or data storage devices, rogue employee or insider threats, wherein an individual employee deliberately accesses or disperses personal information, but also social engineering, and impersonation, so where an individual impersonates another to gain access to their personal information. Some of the key lessons we have for health providers arising out of the NDB Scheme are firstly to reduce risk by addressing human error.
So, the findings of our quarterly reports support the need for organisations to promote staff awareness about secure information handling and, where relevant, to look for technological solutions that will assist staff. So, our office has worked with the Australian Cyber Security Centre on preparing some useful tips and resources for improving data security in this regard, and those are available on our website. Another important lesson is to implement an effective data breach strategy. The faster a data breach can be identified and contained, the lower the cost to customers or patients and the organisation itself. Thirdly, I would highlight that recent notifications to our office have demonstrated the importance of considering how you will work with third parties if the data breach involves personal information that you hold jointly, either in the joint centre or with a contractor. For the health sector this can include, for example, an entity that provides online services that integrate with your practice management software, or another contractor that you share personal information with. So, the important thing, in this instance, is to be aware of where the personal information you jointly hold is, and what are the arrangements that you have in place if a data breach occurs. And the fourth lesson from the first six months of the NDB Scheme is around attitudes to notification, and this is of particular importance to the health sector. So, generally "better safe than sorry" might seem like the best approach to data breach notification, but over‑notifying is something that we've seen fairly often in the health sector, and it can lead to data breach fatigue for individuals, which can make them complacent about the risks of a serious data breach.
Given the time-sensitive nature of data breaches our office understands that the question of whether to report or not can cause a dilemma, particularly if the data breach is not that clear, but we do want to stress that not all data breaches have to be reported to our office. Those that need to be reported are those that reach the threshold test and are considered eligible data breaches under the scheme, and we'll spend some time exploring that now.
So, what constitutes an eligible data breach? To determine whether a data breach needs to be reported three criteria must be satisfied. So, the first requirement is that there must be a data breach, as defined in the Privacy Act. So, that is, it must be personal information, that is, information about an individual or where that individual is reasonably identifiable or is specifically identified, and that information must have been subject to a data breach. So, turning to the next slide, a data breach under the NDB Scheme involves either unauthorised access to the personal information, so this can include situations where security or practice systems are compromised by a third party, for example by a hacker, through malware or ransomware, or through stolen credentials used to access a practice system, and, as Penny outlined before, it can also include when a staff member has read a patient's file without authorisation.
PIP: Thanks, Amanda. What we're going to do now is launch another poll, and we're going to ask those listening if they've experienced any of these examples as we go through. So, I'll launch this poll now, and our question is: has anyone had an experience of unauthorised access in their practice? So, we're talking about that criterion, that Amanda’s just described, around unauthorised access in their practice. I'll just leave it open for a few more seconds as I can still see results coming in… and I'll close that poll and share it with you… and we can see that 11% have responded with yes and 89% no.
AMANDA: And I think with this one, unauthorised access can sometimes be quite difficult to determine, and sometimes it does require quite technical expertise to identify, and so with unauthorised access we see it usually as a result of a malicious or criminal attack, or a cyber incident. The second kind of data breach is one that involves unauthorised disclosure. So, an unauthorised disclosure is where information is released from the control of the entity itself, which distinguishes it from unauthorised access. So, this can include when a staff member sends personal patient information in an email to the wrong recipient, it can include if a spreadsheet of patient personal information is accidentally made public on the Internet.
PIP: Okay, so we will launch another poll, and so we're going to ask here has anyone had an experience of unauthorised disclosure of personal information in their practice? So, this is an example of unauthorised disclosure of personal information. Most people have now responded so I’ll close that poll and share that. Numbers are a little bit higher here, so 25% have responded with yes and 75% with no.
AMANDA: Thanks, Pip, and I would say with this one we would generally find unauthorised disclosure as the result of some kind of human error, so it would more likely affect a smaller number of individuals, so where information is sent to the wrong recipient, and is either because of just a general human error or because particular policies or procedures weren't followed. The third kind of data breach is the loss of personal information, and the requirement here is that the information must be lost in circumstances where unauthorised access or disclosure is likely to occur. So, if personal information is lost in a way where there is no likelihood of it ever being accessed by another individual it doesn't fall within the definition of a data breach under the scheme. So, that might be where information is accidentally destroyed, but it can also include, more generally, if a Practice Manager or GP leaves a laptop on the bus containing patient personal information or patient files, or if they lose a USB memory stick containing personal information.
PIP: Thank you, Amanda. We're gonna launch our last poll for this section, where we're asking people has anyone had an experience of a loss of personal information in their practice? Just a few more seconds while some last polls come in… and the result of this one is 17% yes and 83% no.
AMANDA: Okay, great. What I might turn to now then is the second criterion that we have to look at when determining whether a data breach is notifiable, and that's whether the data breach is likely to result in serious harm to one or more individuals whose personal information is involved in the data breach. Now, the wording of “likely to result in serious harm” means that the risk of serious harm to an individual has to be more probable than not, rather than just possible, as a result of a data breach. Serious harm is not defined in the Privacy Act, but our guidance includes considering whether it's likely to result in serious psychological, emotional, physical, financial, reputational, or other kinds of harm. So, when considering, from the perspective of a reasonable person, if the data breach is likely to result in serious harm, what we recommend you think about is the kinds of information that are involved in the data breach, including how sensitive the personal information is, noting that health information is considered sensitive under the Privacy Act and may be likely to result in different kinds of harm. You should also consider whether it's protected, whether the personal information is protected by one or more security measures, what kind of harm could result, and other relevant matters which are set out in Section 26WG of the Privacy Act. And then moving on from there, the third consideration is whether the likely risk of serious harm can be prevented with remedial action. So, for instance, the scheme provides this opportunity for entities to take some kind of action to prevent or reduce that risk of harm.
For instance, if you sent a document containing sensitive personal information to the wrong recipient, but that’s a trusted recipient and they've confirmed that they have deleted or destroyed the document, and your assessment concludes that you can rely on that advice and there's no longer a likely risk of serious harm, then notification would not be required. I will just note here that remedial action can actually include contacting the individuals who are affected by the data breach; it doesn't prevent you from informally advising them of the circumstances of the data breach as part of trying to remedy the likely risk of that harm. So, the purpose for taking that remedial action is to assist the individual in trying to contain and mitigate the risk of harm as a result of a data breach.
So, what do I do if an eligible data breach has occurred? So, when an unauthorised access, or unauthorised disclosure, or loss of personal information occurs, the first priority is to take immediate steps to contain the data breach. That is, take steps to prohibit further data from being accessed or disclosed. The next step is to assess the data breach, to gather the facts and evaluate the risks, including the potential harm to affected individuals, and where possible taking action to remediate any risk of harm. If serious harm is obvious on its face, so if the circumstances of the data breach mean that it's immediately obvious that it's going to… it's likely to result in serious harm to affected individuals, then the third step, which is notification, must follow. But sometimes serious harm might be suspected but not certain, particularly in instances where there's a cyber intrusion into your networks; in these instances an organisation needs to undertake an assessment to confirm whether or not an eligible data breach has occurred, which is one that meets that threshold test. In that case, the business has to undertake an assessment as expeditiously as possible, and our guidance provides that we're talking days to do that assessment rather than weeks. If your practice experiences a data breach, and after conducting an assessment you're satisfied that all three criteria have been met, then you must notify the OAIC and any individuals that are at likely risk of harm as soon as practical, so that means contacting your patients or customers. The NDB Scheme has a bit of flexibility about how to notify individuals. Firstly, you can notify all individuals whose personal information was involved in the eligible data breach; secondly, if you're able to, you can notify only the individuals who you’ve identified as at likely risk of serious harm.
This tends to occur where there are different categories of personal information involved and you're able to assess that one category of individuals is at more risk than the others. If those two options are not practicable then the scheme requires you to publish the notification on your website and to take reasonable steps to publicise that, with the aim of bringing it to the attention of all individuals at likely risk of serious harm. So, that goes to the purpose of the scheme, which is to ensure that individuals are aware of data breaches that involve their personal information, where there is that risk. So, notification can occur in a number of different ways including by letter, email, phone, or online. It's up to the entity to think about what is appropriate, and this will depend on the situation, the severity of the data breach, but also your normal means of communicating with patients or individuals, so how would they expect to receive that information from you. You must also notify the Australian Information Commissioner in the form of a statement, and there are some statutory requirements to the information that must be included in this statement, which I will go to shortly. But I just wanted to quickly touch on the fourth and most important step and that is to review the incident and consider what actions can be taken to prevent future data breaches. So, this can involve an investigation into the cause of the data breach, it can involve creating a remediation prevention plan, it can involve an audit of your policies and processes, and can, in some instances, obviously involve staff training.
So, going to the required information… the NDB Scheme requires that your statement to the Commissioner include the identity and contact details of your practice, a description of the data breach, the kind or kinds of information that is involved in the data breach, and recommendations about the steps individuals should take in response to the data breach. So, we have an online form on our website that you can complete, and the link should now be sent to you in your chat message box. I will also note that we have some guidance on our website about how to fill in the statement, and our online form also asks you to provide information about the incident voluntarily, which assists our office in assessing the notification.
So, if your practice deals with the My Health Record system you might be wondering how the two schemes work together. So, do you have to notify breaches under both schemes, and is the threshold the same? So, essentially the Notifiable Data Breach Scheme requirements sit alongside the data breach reporting requirements of the My Health Record system but they do not overlap. So, while there are similarities between the reporting requirements of both schemes there are some important differences. Firstly, data breaches notified under the My Health Record Act do not need to be reported under the NDB Scheme, and this is to prevent duplication of reporting. Another key difference is that every breach of My Health Record data needs to be reported, whereas under the NDB Scheme only data breaches that are likely to result in serious harm to affected individuals need to be reported. Thirdly, breaches must be reported as soon as practicable under the My Health Record Act, even when remedial action to address the data breach could be in progress or has already been taken. So, if you're not dealing with My Health Record information, and you're unsure whether a data breach meets the notification threshold under the NDB Scheme, that's when you will need to undertake an assessment.
PIP: Thank you very much, Amanda… oh, no, continued.
AMANDA: No, that’s okay. That was it.
PIP: Okay. We'll move on to the next slide and Penny will join us once again and introduce a case study, after which we will launch a poll and have a bit of a discussion. Thank you, Penny.
PENNY: So, the case study… we've got two case studies. The first one is a GP’s surgery has become aware that its customer database has been made publicly available on the internet due to a technical error. It contains records of prescription drugs that have been prescribed to patients. Security consultants confirm the database was only accessed a few times, but they can't identify who accessed the data or if they kept a copy. So, what we want you to think about here is does this fit an eligible data breach? Is it likely to result in serious harm, and has the practice been able to prevent the likely risk of harm with remedial action? So, the first question here is, “Is this an eligible data breach?”, and there's a poll in front for you to comment on.
PIP: Thank you, Penny. The responses are still coming in so we'll give it a second. I'll close that off. And 82% have responded that they believe this is an eligible data breach, and 18% aren't sure.
AMANDA: And look, it depends on the exact circumstances of the data breach, but the OAIC would generally consider that this is an eligible data breach, and I'll go into the reasons why we would, sort of on the available information, lean that way. So, details of prescription drugs are sensitive personal information. Obviously, we all understand they can indicate treatment of a range of medical conditions, including mental health issues. If the GP surgery is unable to confirm who accessed the database, and whether it would be likely to be accessed by someone who could use that information against the individuals, then we would think that a breach of that kind would be more likely to result in serious harm to an affected individual. What steps the GP surgery then has to take would depend on the situation. So, they would need to notify our office, and all individuals whose personal information was involved in the data breach. If they were unable to get in contact with a number of patients, for instance if the records were old, or if patients have not updated or provided their details in the first place, it may be necessary, in that instance, to issue a more public notice, for instance on the website, or in the surgery office.
PENNY: And so, now we have a second case study, and again we want you to think about the same thing… Is this a notifiable data breach, does it fit an eligible data breach? Is it likely to result in serious harm, and has the practice been able to prevent the likely risk of harm with remedial action? So, a staff member has left their iPad on a train. The staff member’s work email account can be accessed on the device. The staff member reports the loss and arranges for IT to remotely delete all the content from the device, and IT confirms that the device has not been accessed. Is this a notifiable data breach? And the quick poll’s come up on your screen for you to respond.
PIP: Thank you, everyone, for participating in the poll. Well, I’ll close off this final poll. And the results are in. 11% say that this is an eligible data breach, 80% believe that it is not, and 9% are unsure.
AMANDA: I think the majority of people here don't think this is an eligible data breach, and I would say notification is probably not required, in this situation. So, that's having regard to the security protections on the iPad, and the ability to take remedial action in this instance. So, if your IT department is confident that the contents could not have been accessed, in the short period between when the iPad was lost and when it was erased, then notification is not necessary. And that goes to what I was saying before, that if the information is lost but you're able to take that action to prevent it from being subject to unauthorised access or disclosure, then that means it's not notifiable, and this is an example of how that action can prevent serious harm following a data breach. What we would say with this one is, not only do you need to make sure you have good technical security infrastructure in place, you also need to make sure your staff know what to do if something goes wrong, and it comes back to staff awareness and education.
PIP: Thank you very much, Amanda… oh, sorry, continue, Penny.
PENNY: Amanda, I was wondering if…
PIP: I was going to hand over to you anyway.
PENNY: One of the questions that comes up for me is that 9% of us that were unsure, if we were unsure, in this case, I presume that we would be able to ring the office of the OAIC and discuss that with them?
AMANDA: Absolutely, we have an enquiries line that any entity can call for general advice about the thresholds of the NDB Scheme, and also to discuss our guidance on making that kind of assessment. So, absolutely, if the health service provider is not sure they can contact us.
PENNY: Thanks, Amanda. So, the College has also got some really excellent resources on this. These two… the fact sheet (RACGP Notifiable Data Breaches Scheme - Fact Sheet), and the flow chart, both probably contain a really good summary of what's been discussed today and have a lot of information there to guide you in making a decision. The fact sheet talks about how to help you define an eligible data breach, and the flow chart takes you through that, including the My Health Record. So, they're both equally available on the College site. There's also the background information for keeping your information and resources private, that’s existed for a while and most of you are probably aware of. So, the Information Security in General Practice, which talks about prevention, protection, and preservation of data in general practice, is really worth having a look at, and comes with a number of templates. And then Privacy and Managing Health Information in General Practice is also available. The OAIC has also developed good information and resources, so you can see on the screen another flow chart, and this is again about what to do in the case of a data breach. So, it takes you through a suspected or known data breach, how to contain that, how to assess it, then to work out whether there’s serious harm or if it is at all likely, and then if you need to notify what you should do, and takes you back to review, afterwards, to review your processes. And there's the number for the OAIC on the front.
PIP: Thank you very much, Penny. So, as promised at the start, we have allocated some time for questions and answers, so if you have a question for Penny or for Amanda, please type it into the question bar on the control panel and press ENTER, and we'll try to get to everyone's questions. If not, we can be contacted at ehealth@racgp.org.au. So, we have had some questions come through already… What kind of penalties or enforcement action can be taken in response to data breaches?
AMANDA: I'll field this one. So, in addition to receiving notifications of eligible data breaches, the OAIC plays an important role in compliance of the scheme, and the Commissioner has a number of enforcement powers that can be exercised in instances of non-compliance. So, in terms of notifiable data breaches, if we become aware of a data breach that hasn't been notified by an entity, and we have reasonable grounds to believe it meets that threshold of serious harm, we can direct an entity to notify. If the entity doesn't comply with that direction, then we have a number of different powers which go from enforceable undertakings, and can include a determination by the Commissioner. In terms of fines, what the Commissioner has the ability to do is to seek civil penalties in the Federal Court, for up to $2.1 million per breach for organisations, and that's for serious or repeated privacy incidents. And we also... the Commissioner has the ability to seek injunctive relief in the Federal Court for an ongoing act or practice. So, some of the, I guess, conditions with the NDB Scheme that could prompt regulatory action include the failure to conduct a reasonable and expeditious assessment of a suspected data breach. So, if you have reason to suspect that unauthorised access or disclosure has occurred but you don't assess it, that's what's called an interference with privacy under the Privacy Act. A failure to notify individuals or the OAIC, as soon as practical, is also a condition of the NDB Scheme, and, as I said before, if you fail to comply with the direction to notify, from our office, that can lead to further regulatory action. But, generally at this stage, we’re working with organisations and agencies about the requirements of the NDB Scheme, but we will have that focus on ensuring compliance, through regulatory action if we need to.
PIP: Thank you, Amanda. Penny, this might be a question for you. Someone has asked whether we should also notify our MDO as well.
PENNY: I think that's a very advisable thing to do, and the MDOs, I know, have got some documents that are available on this topic as well. But I think, particularly in terms of just letting them know this is happening and getting extra advice, I think that's a very valuable thing. And also one of the areas in which I think they'll be particularly useful is in how to notify those individuals that have been affected. And most of us have had to manage issues with patients, around difficult processes in the past, but this is going to be a new one for all of us, and we're all going to be learning from it. But, using those usual means of communication that we would have used previously, like phone, letter, email, or online, depending on what we usually use, would be useful, but I think the MDOs, in particular, would be a good group to be contacting, in regard to this, as well, but it mustn't… it can't get in the way of getting the notification through to the OAIC. We've only got a few days to do that. We have to move quickly.
PIP: Thanks, Penny. We've had a question about whether patients can report data breaches directly.
AMANDA: This is Amanda… In terms of the functions of our office, we do receive referrals from members of the public about a data breach they become aware of. So, either they can report it to us, if they become aware of a data breach, or they can make a complaint about a data breach that involves their personal information. So, where they make a complaint we will treat that as a complaint under the Privacy Act and we have a statutory obligation to conciliate that. So, we'll generally contact the respondent and try and conciliate that complaint. In the case of what we call a referral, we generally contact the respondent to see if they're aware of the data breach, and provide information about the requirements of the Notifiable Data Breaches Scheme. Like I said before, that may be one of the ways we become aware of a data breach that hasn't been notified to us, so that might be a prompt for regulatory action, if that involves, I guess, an awareness on behalf of the entity that they haven't done that assessment.
PIP: Thank you, Amanda. We have a question, and Amanda this one will more than likely be for you, prior to the Notifiable Data Breach Scheme coming in last year, in February, what are the steps required if the malicious breach occurred prior to the institution of the scheme?
AMANDA: Okay, so pre-22nd of February 2018 we ran a voluntary data breach notification scheme where regulated entities could let us know about data breaches, and we provided advice or guidance. So, to be specific, the NDB Scheme only applies to instances of unauthorised disclosure or unauthorised access that occurred after… on or after the 22nd of February. So, the disclosures… that's quite clear, however if the instance of unauthorised access or disclosure occurred over that date, so is ongoing, then it would be covered by the NDB Scheme. So, if you become aware of something that occurred prior to the scheme you can notify our office, or we would generally suggest that the focus should be looking at whether you need to notify individuals, as a matter of best practice, where it's not a requirement of the scheme, but is there an advantage in letting individuals know, are they at risk of serious harm that they could mitigate or prevent through taking their own steps in response to that data breach. But yes, generally the NDB Scheme only applies to that unauthorised access or disclosure that occurred on or after the 22nd of February, so prior to that it was a voluntary scheme.
PIP: Thank you very much. Penny, a question for you… How do we decide who is authorised to have access to files? Should all receptionists have access, or just a practice manager, or just clinical staff?
PENNY: Well, in terms of files, I guess it depends on what we're actually doing. When we set up the software we actually set it up so that people log in under their own name and their own files, so there's an ability to track what people are doing and what they have accessed. So, at the moment the receptionists and practice staff usually have access to the files, but they're not able to access them in the same way. So, I think it's… I think that in terms of building your security level and working out who has access to what, you need to actually work fairly closely with your IT group and set up fairly good practice security governance, and then work out who should have what, because in some practices you have other allied health also accessing patient files. I know where I work we have physios that actually have some access to our general practice software, so I think again it's all about working out a good structure to start with around security governance. Get your IT team together and look at preventing and protecting data from the beginning.
PIP: Thank you, Penny. We now have a question from someone who I imagine would have answered yes to some of the earlier questions. What if we have received a patient file not intended for us? We did not cause the data breach, but are we supposed to notify, or are we just to contain and then let the original entity notify?
AMANDA: So, in this case there are kind of multiple issues here. You don't have an obligation to notify under the NDB Scheme if you weren’t the entity that held the information to begin with. As a matter of best practice I would probably let the entity know that they disclosed that information to you incorrectly, and as a health service provider you have an obligation when you receive information that you didn't solicit to consider separately under Australian Privacy Principle #4 whether you could have solicited that information, and if not to take steps to delete or destroy it. So, you can let us know about a particular data breach, if you think it should be reported, but generally we would say you've got separate obligations to assess whether you can keep that information or delete or destroy it, and it's probably best to let the original entity know, if they aren't aware, of that disclosure, and you know it's open, to say, you know there are these assessment obligations under the NDB Scheme, as well, if they're not across that. But, generally we do receive referrals from lots of different members of the public and entities about these kinds of issues. But, that's what we would do in that instance: contact the original entity, make sure they're aware of the disclosure, and that they are taking steps to prevent it from occurring again.
PIP: Thanks, Amanda. I know we touched on this earlier, but if we could just clarify what the time frame is in which a practice would be required to notify of a data breach.
AMANDA: Absolutely, and this is something that we have found that there can be a bit of confusion about. So, the timeframes in the NDB Scheme are, you have to conduct an assessment of a suspected data breach within, or take all reasonable steps to conduct that assessment within 30 calendar days. So, that's the only hard timeframe that there is, and that only applies if you suspect that the data breach is likely to result in serious harm, but you're not sure. If, on first discovering the data breach, it’s quite clear that it meets that threshold, that it's a serious data breach that needs to be notified, then the requirement is to notify our office and individuals as soon as practicable. So, we generally expect that to be quite prompt unless there's reasons, you know, quite good reasons for a delay. But, it doesn't have a particular… there isn’t a date timeframe the way that there is with the assessment process. But, in general, we expect, if you have all the information before you to assess that it's a serious data breach that needs notification, that you’ll take all steps to do that as quickly as you can.
PIP: Thank you very much. Maybe, Penny, this one might be for you. Do you have any advice on how to communicate a particularly bad breach to a patient?
PENNY: I think, again, that, well, that could actually go back to the suggestion of contacting the MDO as well for advice, but I think that as GPs we are used to managing issues with patients, and I think we know our patients and we know our sort of context, and there will be expectations from the… on the part of the patient as to how they would expect to be notified. It will depend on the severity, I think, of the information that's been released, and the knowledge of the patient and the family, and the likely risk, but I think that the usual means of communicating would also be used here, and I think, you know, personal contact, phone, would usually be something that we would use in our practice for something serious that happened, but then also confirmation with email, or letter, depending on what the expectations of the patient are. I think it's very, very individual, and sometimes it may require more than one means of communicating. Sometimes it may require getting the patient in to talk to them about it, and help them work through it. Each case will be different.
PIP: Thank you very much. Amanda, this will be a question for you… Do you have any examples of data breaches that have been well handled?
AMANDA: Yes, yeah we do… I guess I would note here that the way an organisation handles a data breach, both how it responds to it and how it notifies individuals, can go quite a way, in terms of preserving that organisation's reputation, but also demonstrates a willingness to be open and transparent about these kinds of issues. I think this is a growing issue where data breaches are occurring more frequently, and it's, I think, as Penny said at the beginning of the webinar, this is nothing that any entity is exempt from. In terms of case studies that we can talk to, and this occurred prior to the Notifiable Data Breaches Scheme, but it is a good example, is the Red Cross Blood Service's data breach in October 2016. So, for those that aren't familiar with it, a file containing the information of approximately 550,000 prospective blood donors was saved to a publicly accessible part of the Donate Blood website. The data file was discovered and accessed by an unknown individual, or an anonymous individual, who was acting as what we call a “white hat hacker”, and it was a result of an error by a third-party provider that managed the Donate Blood website and web server. So, in that particular case we did open an investigation with the Blood Service, but the Red Cross did take immediate steps to contain the data breach, it took responsibility for the data breach, including responsibility for the actions of its contractor, and it was transparent with affected individuals, but also the public about what had occurred, and they notified and provided assistance to the affected individuals. So, in that case, the lesson that we saw with that one is that organisations and health service providers, in particular, can maintain trust by being prepared and responding to data breaches effectively, and having a plan in place, and having that staff awareness and training about how to respond to those data breaches.
Particularly as that one included information that was jointly held with a contractor, so that's an example, and we've seen that particularly in the notifications we've received under the NDB Scheme, that you also need to be prepared for how you deal with information that is jointly held, how you prepare for communicating with your contractors in the event of a data breach, and how you assign the assessment and notification obligations as well.
PIP: Thank you very much, Amanda. That actually brings us to the end of our webinar. So, we'd like to thank both of you for taking us through that information this evening.
AMANDA: Thank you very much, Pippa and…
PENNY: Thanks, Pip.
PIP: Pleasure. So, we’d just like to remind everyone that this webinar was delivered as part of the monthly RACGP eHealth Webinar series. This topic, Notifiable Data Breaches, is our first for the year. So, we'll be running education each month, two to four sessions each month. In March, we'll be talking about My Health Record and some medico-legal concerns for general practice, and you can access the registration link via the RACGP website. We hope that you've enjoyed the presentation and found the information useful tonight, and we'll be sending everyone an email after the webinar so they have the opportunity to provide us with some feedback, and also to provide you with links with the resources that were discussed in the presentation today. And, as we said before, if you have any other questions you can email the Practice Technology and Management Team at any time with any of your questions at ehealth@racgp.org.au. So, thank you once again, and I hope you all have a lovely evening.