We have been keeping our members updated on developments regarding privacy legislation amendments and the new Notifiable Data Breaches scheme and have received many enquiries since the scheme was introduced. Further information on the nature of the scheme and what it means for health practitioners and healthcare practices can be found on the MIGA website.¹

The Notifiable Data Breaches first quarterly report was recently released by the Office of the Australian Information Commissioner (OAIC), and it provides useful information on the state of play since the new scheme came into effect.

Following the introduction of the scheme on 22 February 2018, the OAIC reports that²:

  • There were 63 data breach notifications in the first six weeks (compared with 114 notifications in the financial year ended 30 June 2017 under the previous voluntary notification scheme).
  • 33% of all breaches were reported to involve health information, and the vast majority of breaches (78%) were reported to involve an individual’s contact information.
  • More than half of the breaches notified indicated that the cause arose from human error and just under half from malicious or criminal attack. Only 3% of breaches notified arose from system faults.
  • Health service providers were the top notifying sector, accounting for 24% of all notifications to the OAIC.
  • The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said these results highlight “the importance of implementing robust privacy governance alongside a high-standard of security. The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments, and training for any staff responsible for handling personal information”.

MIGA considers it is an opportune time for health practitioners and healthcare practices to review their information security standards and ensure compliance with the Australian Privacy Principles (APP). In particular, an APP entity that holds personal information must take “reasonable steps” to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.³

The RACGP has recently released a new policy on Information Security in General Practice.⁴

Some of the key points to think about include:

  • Practices should have information security policies which are known, accessible and remain up-to-date.
  • Use access controls for practice staff, granting each role only the data access it needs to perform its work.
  • Undertake risk assessments of security controls and have a business continuity plan which covers information recovery.
  • Have resilient back-up and restoration processes and regularly update software.
  • Have policies around e-mail, practice website and other secure messaging use.
  • Have a policy on using mobile devices for clinical and business purposes – devices should be password protected, use data encryption where possible and should not be used to send or access sensitive data on public or unsecured networks.

Further Resources
OAIC – Notifiable Data Breaches scheme

If you are unclear about your privacy obligations or need to consider a mandatory data breach notification, please contact our Claims & Legal Services team.

³ See Australian Privacy Principle 11, which can be accessed at: www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-11-app-11-security-of-personal-information
