According to the most recent Quarterly Report by the Office of the Information Commissioner, data breaches have affected 63 Australian organisations since 22 February; 24 per cent of those were in healthcare. In this briefing we consider the current data protection regime in Australia and offer useful compliance information for all Health Service Providers.
The Notifiable Data Breaches scheme (‘the Scheme’), which came into effect on 22 February 2018, established requirements for entities in responding to data breaches. Essentially, the Scheme requires Australian Government agencies and various organisations with obligations to secure personal information under the Privacy Act 1988 (Cth) (the Privacy Act) to notify individuals who have been subjected to data breaches that are likely to result in serious harm.
The Scheme also requires mandatory notification of certain data breaches to the Australian Information Commissioner (‘the Commissioner’); even if a data breach is merely suspected, entities must conduct an assessment to determine whether the breach should be notified or reported.
A cyber attack is not required for a breach to arise. An eligible data breach arises when the following three criteria are satisfied:
Data breaches occur more easily than organisations might expect. They can arise out of malicious acts, information and security system failures, loss or theft of devices or paper records, unauthorised access by employees, disclosure of personal information due to inadequate identity verification procedures, and pure human error. Human error can arise by simply sending a document or email containing personal information to the incorrect recipient.
In its most recent quarterly report, the Office of the Australian Information Commissioner (OAIC) reported that:
Where information is held jointly and a data breach occurs, an entity will be deemed responsible if it is holding the affected information. For example, if a health service provider stores health records with a cloud service provider or off site, the health service provider has an obligation to retain control of the records, while the cloud service company or off-site storage provider holds the personal information. Each entity has obligations under the Scheme; however, only one is required to comply with the assessment and notification requirements on behalf of both entities. Both entities may be found to have breached the Scheme where neither entity conducts an assessment or notifies of a data breach.
Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity’s position.
The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).
‘Serious harm’ is not defined by the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
Entities should assess the risk of serious harm holistically, having regard to the likelihood of the harm eventuating for individuals whose personal information was part of the data breach and the consequences of the harm.
An eligible data breach may involve one or more kinds of personal information. The majority of data breaches reported to the OAIC involved ‘contact information’, such as an individual’s name, email address, home address or phone number. This is distinct from ‘identity information’, which is information that is used to confirm an individual’s identity, such as driver licence numbers and passport numbers.
A failure to comply with the notification requirements of the Scheme may result in penalties of up to $1.8 million for organisations and $360,000 for individuals for serious or repeated breaches.
A failure to comply can also result in affected individuals filing a complaint with the Commissioner, or the Commissioner may investigate even without a complaint being made. Following an investigation, the Commissioner may issue a determination requiring the organisation to:
In addition to statutory monetary penalties and any compensatory damages awarded by the Commissioner, a data breach is likely to have a negative impact on your commercial reputation, which could ultimately result in further economic loss.
The Scheme applies to all Australian government agencies; businesses and not-for-profits with an annual revenue of $3 million or more; all health service providers; credit providers, credit reporting bodies, entities that trade in personal information, and tax file number recipients.
If you provide a health service and hold health information you are covered by the Privacy Act even if that is not your primary activity.
Under the Privacy Act, ‘health service’ includes any activity that involves:
This includes activities that take place in the course of providing aged care, palliative care or care for a person with a disability.
Organisations providing a health service include:
If a data breach is required to be notified under s 75 of the My Health Records Act, the Scheme does not apply. This exception is intended to avoid duplication of notices under the Scheme and the data breach notification requirements in the My Health Record system.
As technology becomes more flexible, data becomes more valuable. However, the legal framework and the risks around use, management and security have never been more complex.
We can provide a range of services to suit your organisation’s needs. We recognise that budgets are not limitless, so we can help you to identify the most important areas that you should address.
If you require assistance in understanding or implementing a data breach response plan, or for any other general enquiries on Health Law-related matters, please contact Natalie Mason.