The Privacy Amendment (Notifiable Data Breaches) Bill 2016 will come into force on 22 February 2018. This will apply to all health service providers as they are Australian Privacy Principles (APP) individuals and entities under the Privacy Act 1988 (Cth).
The website of the Office of the Australian Information Commissioner (OAIC) has many resources to assist APP entities and individuals to comply with their obligations under the Act and APPs. www.oaic.gov.au/
Among the resource material provided by the OAIC for APP entities is an easy to understand Privacy management plan template with four steps that the Commissioner “expects you to take to meet your ongoing compliance obligations under Australian Privacy Principle (APP) 1.2.”
Figure 1: Privacy management framework Four Steps
To assist practice managers better understand the NDB scheme and its ramifications, I posed the following written questions to the OAIC:
QUESTION 1: SMALL ENTITY VS LARGE ENTITY
Will the NDB scheme requirements be applied differently to a small private clinic (less than 20 employees) vs a large healthcare organisation?
QUESTION 1, OAIC ANSWER:
“All health service providers regardless of size are covered by the Privacy Act and the NDB scheme. Once the NDB scheme commences on 22 February 2018, all private sector health service providers will be required to notify affected individuals and the Australian Information Commissioner of data breaches that are likely to cause serious harm.
‘Health service providers’ refers to organisations, including small businesses, that provide a health service and hold people’s health information. This generally includes general practitioners (GPs), pharmacists, therapists, allied health professionals, gyms and weight loss clinics, and childcare centres among others.”
QUESTION 2: DRAFT GUIDANCE
ON OAIC WEBSITE
Many of the guidelines on the OAIC website are draft documents. Will there be final guidelines published before 22 February 2018?
QUESTION 2, OAIC ANSWER:
“It is our intention that these will be final by the commencement of the scheme. We are currently incorporating feedback from our public consultation on this guidance, with the aim of publishing final NDB guidance by December 2017”
QUESTION 3: EVENTS BEYOND
One of our clinic administration staff members has the responsibility to take the full data backup drive home every day for safe off site storage. Her car was stolen with the full data backup drive in it. Because this event was beyond the clinics control (and beyond the staff members control) does this require notification and would sanctions be applied a) to the clinic, b) to the staff member?
QUESTION 3, OAIC ANSWER:
“The intention or fault of a business or person is not a relevant issue in the operation of the NDB scheme.
An eligible data breach, which requires notification to individuals and the Commissioner, occurs when the following three criteria are satisfied:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information in circumstances where either of these are likely to occur
- this is likely to result in serious harm to one or more individuals, and
- the entity has not been able to prevent the likely risk of serious harm with remedial action
In this situation, the clinic will need to assess whether the loss is likely to result in unauthorised access or disclosure of the personal information contained
in the backup drive. Then, they will need to assess whether this would be likely to result in serious harm to any of the individuals whose personal information was lost. If so, then the clinic will need to notify. At all times, the clinic should be taking steps to remediate the situation, which both removes the risk of harm
to individuals and the need to notify. For breaches where information is lost, remedial action is adequate if it prevents the unauthorised access or disclosure of personal information.
In regards to sanctions, it is a common misunderstanding that experiencing an eligible data breach can attract penalties. While some notifications may point to a possible breach of existing obligations under the Privacy Act, in most cases where an entity complies with the NDB scheme’s assessment and notification requirements no further action will be taken.
However, where there is an intentional breach of the scheme or
failure to notify, it would be more likely that the Australian Information Commissioner would pursue this breach. In at least the first 12 months of the scheme’s operation, the Commissioner’s focus will be on assisting and educating entities.
QUESTION 4: REASONABLE STEPS
How will the Commissioner determine whether reasonable steps have been taken to secure personal information – a small private clinic (less than 20 employees) vs a large healthcare organisation?
EXAMPLE A: OLD COMPUTERS STILL
FUNCTIONAL TO USE
A small private clinic has a mix of old and new PCs, some with Windows XP operating system and a file server with Windows 2003 Small Business Server operating system, all of which still work well. Is it reasonable to continue to use these perfectly functional but older computers?
EXAMPLE B: IN HOUSE IT MANAGEMENT
The computer systems at a small private clinic are setup and serviced by one of the doctors when he can find time or when the computers need attention. Because the doctor is very busy, applying computer updates is done but infrequently. Is this Ok/reasonable?
EXAMPLE C: FULLY OUTSOURCED IT
We have outsourced the computer systems management to an IT company who have assured us that our computer systems are secure, are being regularly updated and the patient data backups are Ok. Because we have outsourced the IT management to an IT company, does that qualify as reasonable steps and move the responsibility for any data breach event from the clinic to the IT company?
EXAMPLE D: EMAILING PATIENT NOTES TO PATIENT
Some of our patients request us to email their medical histories to their private email address or to WorkCover. Is this reasonable given that the patient has requested this?
QUESTION 4, OAIC ANSWERS:
“An entity has to take reasonable steps to protect information that
it holds, and what will be reasonable will depend on the particular circumstances of each organisation, including its size and resources.
In terms of the various examples you’ve outlined there are two comments to offer.
First, keeping software and operating systems up to date is one of
the most important security steps that an organisation can take. If a clinic’s computer systems are internet connected and contain personal information such as medical records, those systems absolutely need to be patched and updated regularly. And if the developer of the software you use is no longer supporting and updating that software, you will need to upgrade.
Second, while a business can outsource the delivery of its privacy obligations it can’t outsource the obligations themselves – and the actions of a contractor can affect your business. Therefore, asking a potential contractor to demonstrate their understanding of privacy and security, and how they will meet their obligations, is a critical part of protecting your reputation.”
QUESTION 5: CYBER HACKING EVENTS
We have just been hacked with ransomware and found out that our data backups are not Ok. We have relied on the IT company and they tell us that despite all their best efforts our data is locked up by the ransomware. If we pay the ransom and get our data back do we have to notify the OAIC and patients?
QUESTION 5, OAIC ANSWER:
“The NDB scheme will commence on 22 February 2018. It only applies to eligible data breaches that occur on, or after, that date.
Once the NDB scheme comes into effect, regardless of the circumstances of the breach, if a business has reasonable grounds to believe that there is a likely risk of serious harm to an individual then this breach requires notification.”
QUESTION 6: PRIVACY ACT/NDB PENALTIES
It has been reported in the media that the Commissioner can issue penalties up to $360,000 for individuals to $1.8m for entities for personal data breaches. Are the media reports of the penalties correct?
QUESTION 6, OAIC ANSWER:
“As of July 2017, the maximums are $420,000 and $2.1M respectively. But it should be noted that the Commissioner would need to be satisfied of serious or repeated breaches before seeking these penalties from the Federal Court. The OAIC prefers a proactive approach as regulator, and looks to cooperate with Australian businesses and agencies as far as possible to improve privacy practices and to support businesses that are making good efforts to meet their privacy obligations.”
So, there we have it, direct from the OAIC. Please ensure your healthcare organisation is fully compliant with the Privacy Act and ready for the NDB scheme before 22 February 2018. More to come…