Notifiable data breaches

Notifiable data breaches

The Privacy Amendment (Notifiable Data Breaches) Act 2017 establishes a Notifiable Data Breaches (NDB) scheme.

The NDB scheme sets mandatory notification and control requirements for data breaches involving personal information held by an organisation. It outlines criteria for determining if a data breach is considered ‘eligible’ (notifiable) and the subsequent reporting requirements.

Organisations covered by the Australian Privacy Act 1988 are subject to the requirements of the NDB scheme. This includes health service provider that hold health information. 

An eligible data breach occurs when:

• there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
• this is likely to result in serious harm to one or more individuals, and
• the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.

If your practice has reasonable grounds to believes an eligible breach occurred, the NDB scheme requires you to  promptly notify any individual at risk of serious harm and report the breach to the OAIC. 

Detailed information on the NDB scheme including what constitutes an eligible data breach,  reporting requirements and what rectification measures may need to be undertaken, can be found on the OAIC website. 

Flowchart: Managing notifiable data breaches in general practice

Step 1 - Maintain information governance and security
To reduce the risk of data breaches, make sure your privacy and data security practices, procedures and systems are up to date and reviewed regularly.

Step 2 - Identify suspected or actual data breach
A data breach involving personal information or compromising the security or integrity of the My Health Record system has occurred or is suspected.

Step 3 - Contain the suspected or actual data breach
Take immediate steps to contain the suspected or actual data breach.

Step 4 - Evaluate the risks
Assign to a data breach response team/person who promptly:

• investigates the incident
• evaluates the risks arising from the incident.

Step 5 - Is the suspected or actual data breach related to the My Health Record system?
Consider whether the breach or suspected breach is a data breach under the My Health Records Act 2012.
Data breaches under this Act arise from:

• unauthorised collection, use or disclosure of health information in an individual’s My Health Record or
• events or circumstances that may compromise the security or integrity of the My Health Records system.

If Yes, go to Step 6
If No, go to Step 7

Step 6 - Notify the data breach to the Office of the Australian Information Commissioner (OAIC) and the My Health Record system operator (Australian Digital Health Agency)
Notify the OAIC and Australian Digital Health Agency as soon as practicable after becoming aware of the data breach. In some circumstances, you must also ask the system operator to notify affected healthcare recipients about the breach.
Go to Step 11

Step 7 - Does the suspected or actual data breach fall within the Notifiable Data Breaches scheme under the Privacy Act 1988?
Has personal information been (or is it suspected to have been) accessed by or disclosed to unauthorised parties, or lost?
Is the data breach likely to cause serious harm to individuals?
If Yes, go to Step 8
If No, go to Step 11

Step 8 - Is there remedial action that can be taken to reduce the likelihood of serious harm?
If Yes, go to Step 9
If No, go to Step 10

Step 9 - Despite the remedial action taken, is serious harm still likely?
If Yes, go to Step 10
If No, go to Step 11

Step 10 - As soon as practicable, notify the data breach to the OAIC and inform all individual/s at risk of serious harm.

Step 11 - Review the incident
Review and evaluate the incident and take action to prevent or mitigate the effects of future data breaches. 

Leading risk – personal information emailed to the wrong recipient

A leading potential risk in a general practice’s information security is the high incidence of personal information being emailed to the wrong recipient, otherwise known as human error.
 
To reduce such occurrences, it is critical to regularly confirm with each patient that the email address you have listed against their name on your Patient Management System is correct and up to date. Aim to confirm patient email addresses every six months or, at a minimum, annually.
 
Your entire practice team has a responsibility to ensure cybersecurity measures are in place to protect your practice information systems from cybercrime and online threats. Each person in the practice needs to actively contribute to protecting the practice’s information systems.

Case study: Privacy breaches and electronic communication

The Australian Information Commissioner ordered a Victorian general practice to pay $16,400 in compensation following a breach of privacy. This is the largest award of compensation made by the Commissioner in the context of a medical or healthcare privacy matter. 
The practice had inadvertently sent an email containing sensitive information to an incorrect email address. The email included information concerning the human immunodeficiency virus status of the complainants. 
Read the full story, complete with recommendations here.¹²