What new mandatory notifiable data breach laws mean to healthcare providers

The Federal Government’s new Notifiable Data Breaches scheme comes into effect on 22 February 2018, placing further pressure on the healthcare sector to ensure compliance when it comes to sensitive patient data.

In this article, we answer key critical questions around the new legislation and what it means to professional healthcare providers in Australia.

What are the new data breach laws?

The Privacy Amendment (Notifiable Data Breaches) Act 2017 amends the Privacy Act 1988 and establishes the Notifiable Data Breaches (NDB) scheme in Australia, which includes the mandatory notification of ‘eligible data breaches’.

Who does it apply to?

The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act). This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.

What are your obligations?

Under the new NDB scheme, entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

The scheme applies to all kinds of personal and sensitive information. Examples include names, addresses, email addresses, genders, family members, financial information, tax file numbers and medical history.

When information of these types is collected and stored, steps must be taken to keep it secure and safe and to avoid loss and unauthorised disclosure.

What type of breaches are ‘notifiable’?

According to the legislation, an ‘eligible data breach’ is notifiable when the following three criteria are satisfied:

  1. There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that an entity holds.
  2. This is likely to result in serious harm to one or more individuals. ‘Serious harm’ could include risks to personal safety, damage to reputation, or serious psychological harm.
  3. The entity has not been able to prevent the likely risk of serious harm with remedial action.

The NDB scheme only applies to eligible data breaches that occur from 22 February 2018. There are a few exceptions which may mean notification is not required for certain eligible data breaches.

What should I do if a data breach has occurred?

If a notifiable breach has occurred, the organisation must report details of it to those affected by it, and to the OAIC (Office of the Australian Information Commissioner). The police may also need to be notified if a crime is suspected.

The notification must set out:

  • the identity and contact details of the practice;
  • a description of the data breach;
  • the kind of information involved in the data breach; and
  • recommendations about the steps that individuals should take in response to the data breach.

It will be up to the organisation concerned to investigate breaches and to determine if serious harm is likely to occur. This needs to be done within 30 days of the breach. The organisation should also take steps to prevent any further harm or damage from happening.

What are examples of notifiable breaches for the healthcare sector?

A data breach could occur due to a cyber attack, loss or theft of a device that contains sensitive personal information, or because personal information is published or shared without authorisation (whether deliberately or inadvertently).

In the healthcare sector, examples of a data breach include when:

  • any electronic or cloud-based database containing medical records is hacked
  • health information is mistakenly provided to the wrong person (for example, via email)
  • an electronic device containing patients’ medical records is lost or stolen.

If unsure, medical practitioners and healthcare providers can seek advice from their medical defence organisation before taking any further action.

Next steps to take

For professional healthcare providers, strengthening data protection benefits everyone, and helps to reduce the risk of regulatory burdens, financial losses, damaged reputation, and loss of patient trust.

All healthcare providers need a proactive approach to managing personal information and should develop a culture ingrained in data privacy, ensuring that any patient information collected is treated as an asset to be protected and managed with the utmost care.

It’s also now imperative to strengthen internal procedures and systems regarding the handling of personal information. Leveraging technology can further increase data security, ensure compliance and prevent potential breaches. This can include more robust methods of encryption, backups, restricted access, and passwords.

On top of this, it’s critical to appoint staff members to oversee information management, mitigate risk, and be responsible for investigating any potential data breaches.