Notifiable Data Breaches scheme
Penny: So a data breach is when information that is personal or private about an individual is released into the public domain or public space where other people can access it. The Notifiable Data Breach Scheme came into effect in February 2018. And it's under the auspices of the office of the Australian Information Commissioner and it deals with managing eligible data breaches, and also assessing potential data breaches that might be eligible. It applies to general practice. It applies to all private organizations that are covered by the 1988 Privacy Act and this includes not only general practices, but private hospitals and businesses dealing with private health information. It doesn't apply to public hospitals.
So the RACGP has a number of resources to minimise any risk of data breaches and to manage it when it occurs, and this is available on the RACGP website. There's a flow chart and the some fact sheets and there's a privacy and information document available as well.
So an eligible data breach needs to have three criteria. It needs to be unauthorized access or disclosure or loss of personal private information. It also needs to be a case where there is likely risk of serious harm to one or more individuals, and the third element is that there needs to be an attempt by the entity to maintain or control the breach that has not been successful. So when a data breach occurs, it's really important that general practices act quickly and this needs to be within days not within weeks. There's an obligation to do that, so you need to take steps to assess what's happened, assess the data breach, what data's been breached, what is the risk of harm, and how can this be contained rapidly and quickly.
So in many cases you'll be able to contain the data. It may be a case where one of the practice staff sent an email to the wrong person - and that's a common cause - and that you quickly realize this, identify it, and the person who's received the email may be a very trusted person who says “no, I haven't looked at it, I'm happy to delete it”. And in that case the data breach has been contained. It's not an eligible data breach because it was contained by the practice before anything happened. So in order to reduce your risk of data breaches, it's really important that practices have a good plan for management of data, good privacy management, good use of passwords or those sorts of issues that we normally have, and then also that when a data breach happens there is a plan of attack for when that happens. So there's an immediate response and the it's assessed as whether it's an eligible data breach and then there's notification if that needs to happen.