According to the most recent Quarterly Report by the Office of the Information Commissioner, data breaches have affected 63 Australian organisations since 22 February; 24 per cent of those were in healthcare. In this briefing we consider the current data protection regime in Australia and offer useful compliance information for all Health Service Providers.
The new regime
The Notifiable Data Breaches scheme (‘the Scheme’), which came into effect on 22 February 2018, established requirements for entities in responding to data breaches. Essentially, the Scheme requires Australian Government agencies and various organisations with obligations to secure personal information under the Privacy Act 1988 (Cth) (the Privacy Act) to notify individuals who have been subjected to data breaches that are likely to result in serious harm.
The Scheme also requires mandatory notification of certain data breaches to the Australian Information Commissioner (‘the Commissioner’); even if a data breach is merely suspected, entities must conduct an assessment to determine whether the breach should be notified or reported.
What is a data breach?
There is no requirement of a cyber attack for a breach to arise. An eligible data breach arises when the following three criteria are satisfied:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
- this is likely to result in serious harm to one or more individuals; and
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
Data breaches occur more easily than organisations might expect. They can arise out of malicious acts, information and security system failures, loss or theft of devices or paper records, unauthorised access by employees, disclosure of personal information due to inadequate identity verification procedures, and pure human error. Human error can arise by simply sending a document or email containing personal information to the incorrect recipient.
In its most recent quarterly report, the Office of the Australian Information Commissioner (OAIC) reported that:
- 51% of eligible data breach notifications were caused by human error;
- 44% were due to malicious or criminal attacks; and
- 3% were the result of system faults.
Where information is held jointly and a data breach occurs, an entity will be deemed responsible if it is holding the affected information. For example, if a health service provider stores health records with a cloud service provider or offsite, the health service provider has an obligation to retain control of the records, whilst the cloud service company or off-site storage provider holds the personal information. Each entity has obligations under the Scheme; however, only one is required to comply with the assessment and notification requirements on behalf of both entities. Both entities may be found to have breached the Scheme where neither entity conducts an assessment or notifies of a data breach.
What is serious harm?
Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity’s position.
Is serious harm likely?
The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).
‘Serious harm’ is not defined by the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
Entities should assess the risk of serious harm holistically, having regard to the likelihood of the harm eventuating for individuals whose personal information was part of the data breach and the consequences of the harm.
What type of personal information is involved in reported breaches?
An eligible data breach may involve one or more kinds of personal information. The majority of data breaches reported to the OAIC involved ‘contact information’, such as an individual’s name, email address, home address or phone number. This is distinct from ‘identity information’, which is information that is used to confirm an individual’s identity, such as driver licence numbers and passport numbers.
What is the cost of non-compliance?
A failure to comply with the notification requirements of the Scheme may result in penalties of up to $1.8 million for organisations and $360,000 for individuals for serious or repeated breaches.
A failure to comply can also result in affected individuals filing a complaint with the Commissioner, and the Commissioner may investigate on their own initiative, even without a complaint being made. Following an investigation the Commissioner may issue a determination requiring the organisation to:
- Perform any reasonable act or course of conduct to redress any loss or damage suffered by affected individuals;
- Take specified steps to ensure that an organisation's conduct is not repeated or continued; and/or
- Pay compensation for any loss or damage to affected individuals.
In addition to statutory monetary penalties, and any compensatory damages awarded by the Commissioner, a data breach is likely to have a negative impact on your commercial reputation which could ultimately result in further economic loss.
Does the Scheme apply to my provider or business?
The Scheme applies to all Australian government agencies; businesses and not-for-profits with an annual revenue of $3 million or more; all health service providers; credit providers; credit reporting bodies; entities that trade in personal information; and tax file number recipients.
Does my organisation provide a Health Service?
If you provide a health service and hold health information you are covered by the Privacy Act even if that is not your primary activity.
Under the Privacy Act, 'health service' includes any activity that involves:
- assessing, maintaining or improving a person's physical or psychological health;
- diagnosing or treating a person's illness, disability or injury;
- recording a person’s physical or psychological health for the purposes of assessing, maintaining, improving or managing the person’s health;
- dispensing a prescription drug or medicinal preparation by a pharmacist; and
- where a person’s health cannot be maintained or improved – managing the person’s physical or psychological health.
This includes activities that take place in the course of providing aged care, palliative care or care for a person with a disability.
Organisations providing a health service include:
- traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals;
- complementary therapists, such as naturopaths and chiropractors;
- gyms and weight loss clinics; and
- child care centres and private schools.
My Health Records Act – an exemption to the Scheme
If a data breach is required to be notified under s 75 of the My Health Records Act, the Scheme does not apply. This exception is intended to avoid duplication of notices under the Scheme and the data breach notification requirements in the My Health Record system.
Getting your data protection right
As technology becomes more flexible, data becomes more valuable. However, the legal framework and the risks around use, management and security have never been more complex.
We can provide a range of services to suit your organisation’s needs. We recognise that budgets are not limitless, so we can help you to identify the most important areas that you should address.
If you require assistance in understanding or implementing a data breach response plan, or for any other general enquiries on any Health Law related matters please contact Natalie Mason.