From 22 February 2018, private sector health service providers will be obligated under the Notifiable Data Breaches (NDB) scheme to notify affected individuals and the Australian Information Commissioner of certain data breaches involving personal information.
The NDB scheme requirements supplement the mandatory data breach reporting requirements of the My Health Record system. The NDB scheme will apply to data breaches that occur outside of the My Health Record system. There is also a higher threshold triggering the obligations to notify under the NDB scheme — only data breaches that are likely to result in serious harm to an individual are notifiable. This harm could be physical, psychological, emotional, financial, reputational, or other forms of harm.
Understanding whether a data breach can result in serious harm, or whether this harm is likely or not, requires an evaluation of the context of a data breach, including the types of personal information involved, who has access to it, whether the data breach can be contained, and more.
If you are unsure whether a data breach meets the threshold, you are required to undertake an assessment of the data breach within a maximum of 30 days.
The Office of the Australian Information Commissioner (OAIC) has a range of resources to assist you in preparing for the Notifiable Data Breaches scheme at www.oaic.gov.au/ndb.
The OAIC is also hosting a webinar on the scheme’s requirements on 21 November 2017.
Example data breach scenarios
Gym owner’s client records not shredded before disposal
The owner of a gym that offers personal training services places old client records in a large plastic bag with other rubbish for collection. When they come into work the next morning, they realise that the plastic bag has torn open and the records have spread across the street.
After attempting to collect the documents, the gym owner works to establish whether any records are missing. They also consider how long the documents may have been exposed, and the likelihood that someone would have picked up a client’s record. They are aware that, because the documents were on the street outside the gym, it is likely that other customers who know people named in the records have picked them up.
Given that the documents contained health information in addition to contact information, the gym owner decides to notify all of the individuals whose records were involved in the breach, and the Australian Information Commissioner. Because the gym owner maintains a database of client contact details, they are able to email each person with the information about the data breach required under the NDB scheme.
Following the data breach, the gym owner reviews how client records are stored and destroyed to reduce the risk of a data breach reoccurring.
GP’s patient records stolen
A GP’s car is broken into and their workbag is stolen. In the bag were the medical records of two patients.
The GP acknowledges that the records contained sensitive information about their patients, and that they are unable to know where, or in whose hands, the records will end up. The GP determines that both patients are likely to experience serious harm, and that notification is required.
They notify the police about the break-in, and prepare a statement for the Australian Information Commissioner. They then call the two patients to notify them of the data breach.
Accidental publication of sensitive information by a pharmaceutical chain
A pharmaceutical chain becomes aware that it has accidentally made its record of customers and dispensed prescriptions publicly available online due to an error made by a staff member. The record is removed from the organisation’s website one hour after the error is discovered.
The organisation begins an assessment to clarify the likelihood of serious harm to any of its customers. As part of this assessment, the organisation’s security consultants find that the record had not been accessed during the time it was publicly available.
Because the record was not accessed by a member of the public, the organisation determines that it is unlikely that any of its customers will experience serious harm, and that notification is not required. However, the organisation does undertake a review of the incident to identify how the error was made, and to retrain staff responsible for managing customer information.