Tuesday, February 27, 2018

Notifiable data breach scheme

Timothy Bowen, Senior Solicitor – Advocacy, Claims & Education at MIGA outlines the new obligations for health care providers.

From 22 February 2018 doctors, other health practitioners and health care practices in private practice will have new obligations to inform patients and the Office of the Australian Information Commissioner (OAIC) of ‘eligible data breaches’.

These obligations are an extension of existing privacy law obligations around collection, use and disclosure of health and other personal information as part of caring for patients.

What is the notifiable data breach obligation?

Private health care providers are required to:

  • Inform individuals (usually patients) and the OAIC about events which involve:
  • unauthorised access to information
  • unauthorised use of information
  • loss of information likely to result in authorised access or disclosure
If these events are:
  • likely to result in serious harm to affected individuals, and/or
  • cannot be effectively remediated through action to prevent the likely risk of serious harm
  • Make the notification to individuals and OAIC as soon as reasonably practicable.
According to the OAIC

The NDB scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that organisations respond to serious data breaches. This in turn supports consumer and community confidence that personal information is being respected and protected. It also gives individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.

In recent years, the OAIC has been encouraging ‘voluntary’ notifications of certain data breaches to it. This is seen as part of promoting transparency, ensuring public confidence and allowing appropriate steps to be taken to minimise the risk posed to individuals.

What MIGA has been and is doing

MIGA is conscious of the new burdens these obligations will place on its members.

It has had significant involvement in consultations around the scheme. In particular, it successfully opposed the suggestion of all health ‘data breaches’ being notifiable, emphasised the challenges this regime will pose for a diverse health profession and has been contributing to OAIC draft guidance for those affected by the scheme (see below).

Our claims solicitors can assist our members and clients in navigating this new regime, particularly in working out whether there has been a notifiable data breach and to work through the process of notifying patients and the OAIC, if required.

What happens from 22 February 2018?

Over the first 12 months of the scheme, the OAIC’s primary focus will be on educating those affected by the new scheme, working with them to ensure they understand what is required and that they are trying to ensure they follow it. After that, it is likely the OAIC will have a stronger focus on ensuring compliance with the scheme.

Non-compliance with the obligations could have significant implications. The OAIC can determine there has been an interference with an individual’s privacy, leading to a complaint to the Privacy Commissioner. In serious or repeated cases, there may be Court proceedings seeking significant financial penalties.

When could these obligations arise?

Even though the scheme refers to ‘data’, the obligations are not just for situations involving electronic health records or other e-health information. They can apply to all situations in which health care providers hold and disclose health and other personal information for their patients, including hard copy health records and contact information.

Possible examples of unauthorised access, disclosure or loss which could lead to an obligation to inform patients and the OAIC include:

  • Test results being sent to the wrong patient
  • Inappropriate disclosure of health information to a family member or friend, ie where not permitted under privacy laws or in breach of a Court order
  • Viewing of health records by unauthorised practice staff members or contractors
  • Inadequate steps to ‘cleanse’ or destroy information on computer hardware before it is disposed of
  • Successful hacking of a practice’s computer system or cloud storage provider
  • Practice or storage provider break-ins and theft of information
  • Loss of information stored electronically (i.e. USB) or on paper
  • Inadvertently placing health or other personal information on a publicly accessible website.
I think there may have been a data breach – what should I do?

The first thing is to take the necessary steps to contain or fix the breach.

The next step is to assess the breach, what it involves and the risk it may pose to affected individuals.

At this point, we encourage you to contact MIGA claims solicitors for assistance in working through what, if any, reporting requirements need to be considered... If you believe there has been a notifiable data breach, you must notify OAIC and affected individuals as soon as practicable.

If you only suspect there may have been a notifiable data breach, you have up to 30 days to complete an assessment of whether there has been a notifiable data breach.

There are no prescribed assessment process procedures. Depending on the circumstances, it may only involve liaising with those involved in your practice and reviewing information. In more complex cases, such as hacking of practice systems, you may need expert involvement.

To assess whether individuals are at risk of serious harm, you apply the test of the ‘reasonable person’ in your position, taking into account information you have or can reasonably ascertain, considering:

  • The nature of the information
  • Sensitivity of the information
  • Any security measures used and likelihood they could be overcome
  • Nature of potential harm to individuals, which could be psychological, emotional, physical, financial or reputational.
According to the OAIC, the chance of serious harm increases with the number of individuals affected, and it would be prudent to assume breaches involving a very large number of individuals are likely to result in serious harm to at least one individual.[2]

What about data breaches involving cloud storage?

Even if the breach occurred with the cloud service provider, the health care provider who uses that service for storage of health and other personal information may still need to inform individuals and the OAIC if the breach reaches the threshold of being notifiable.

This reinforces the need to take care when considering choice of cloud service providers for information storage, particularly how robust their security and privacy protocols are.

There has been a notifiable data breach – what do I do?

Once you have established the need to notify the OAIC and affected individuals:

  • You should provide individuals with enough information for them to assess the possible consequences of the data breach and to take any necessary protective action. MIGA can assist with the preparation of an appropriate notice.
  • To notify the OAIC, there is a template notifiable data breach statement available on its website – www.oaic.gov.au/ndb - you need to provide provider identity and contact details, description of the breach, nature of the information involved and recommendations about steps which affected individuals could take in response.
If you are able to determine which individuals are at risk of serious harm, you have the options of:

  • Notifying all individuals affected, even if it is unclear if all are at risk of serious harm
  • If this is impractical, publishing the OAIC notification on your website and taking additional steps to publicise its contents (ie through social media, print and online).
Are there exceptions?

The key exceptions to these obligations are:

  • Individuals are not likely to suffer a risk of serious harm from unauthorised access, disclosure or loss
  • There was no unauthorised access or disclosure following loss of information
  • Remedial action taken following unauthorised access, disclosure or loss was sufficient to prevent the risk of serious harm.
There are also exceptions on the obligation to notify if there is more than one person or entity who holds the information and have an obligations to notify. In those circumstances, only one is expected to make the notifications on behalf of all – usually the one with the most direct connection with the affected individuals. In the health care context, this would usually be the doctor, other health practitioner or practice.

Is My Health Record affected by these obligations?

There are already separate obligations on My Health Record registered health care provider organisations to notify the Australian Digital Health Agency (the ‘System Operator’) and the OAIC of:

  • Unauthorised collection, use or disclosure of information in My Health Record
  • Potentially compromised integrity of My Health Record
Unlike the notifiable data breach scheme, there is no requirement of a risk of serious harm to affected individuals, and the ADHA is responsible for notifying affected individuals.

This scheme only applies to breaches involving the My Health Record itself. It does not apply information which may have been taken from it and put with the patient’s records, which is then subsequently part of a data breach via other means.

Is there anything I can be doing to reduce the risk of a notifiable data breach?

It may be that certain data breaches are unpreventable notwithstanding the steps taken to prevent them occurring.

However, there may be steps you could take to minimise the risk of a data breach occurring, which could include:

  • Reviewing privacy practices and procedures – are these in place and up-to-date?
  • Does everyone in your practice understand their privacy obligations? Is any training required?
  • For those working with you, including IT contractors or cloud service providers, do you have agreements dealing with privacy and notifiable data breach obligations?
  • Assessing where you or your practice may be at risk of a data breach, and taking remedial or risk reducing action before it occurs
  • Having a notifiable data breach response plan – the OAIC has developed a template, available HERE.
MIGA’s claims solicitors regularly provide clients with advice on privacy matters that arise in their practice. In the case of a possible data breach our solicitors are available to assist assessing the breach and provide advice on any actions that may need to be taken.

Additional resources

We encourage MIGA clients to contact our claims solicitors as soon as they think that a breach may have occurred so that we can assist them take timely action and ensure they meet their obligations. Clients can contact us via email claims@miga.com.au, telephone 1800 839 280 or via miga.com.au

Timothy Bowen,
Senior Solicitor – Advocacy, Claims & Education at MIGA  

Vividus surveys
Space For Health
Sydney Medical Specialists
Perpetual Ebook