Privacy Amendment (Notifiable Data Breaches) Bill 2016 passes - health service providers and aged care providers required to comply
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) was passed by the House of Representatives in February 2017. Once the Bill becomes law, health service providers and aged care providers (providers) will be required to comply with the mandatory data breach notification (‘MDBN’) provisions.
The Bill amends the Privacy Act 1988 to require providers to notify the Australian Information Commissioner (the Commissioner) and affected individuals when there are reasonable grounds to believe that an eligible data breach has occurred, that is, a breach which is likely to result in serious harm to any of the individuals to whom the information relates. A mere suspicion of a breach does not itself trigger notification, but it does trigger an obligation to assess (see below).
Eligible Data Breach
An eligible data breach occurs when:
- there is unauthorised access to, or unauthorised disclosure of, information in circumstances where a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur and, assuming that unauthorised access or disclosure were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
Breaches are not limited to malicious actions (for example, theft or hacking) but may also result from internal errors or a failure to follow policies that cause the accidental loss or disclosure of information.
The test for an eligible data breach is therefore whether a reasonable person would conclude that the breach is likely to result in serious harm. Serious harm may, as outlined in the Bill’s Explanatory Memorandum, include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation.
The Bill sets out a number of factors which may be considered in assessing whether serious harm is likely, including the kinds of information accessed or disclosed, the sensitivity of the information, whether the information is protected by security measures (such as encryption) and, if so, the likelihood that those measures could be overcome by the persons who have obtained or could obtain the information, the nature of those persons, and the nature of the harm that may result.
Suspected Eligible Data Breach
If a provider is aware that there are reasonable grounds to suspect an eligible data breach may have occurred, but does not yet have reasonable grounds to believe that this is so, the provider must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach. The assessment must be completed within 30 days of the provider becoming aware of the grounds for suspicion.
If a provider is aware that there are reasonable grounds to believe there has been an eligible data breach, the provider must, as soon as practicable, prepare a statement including:
- the identity and contact details of the provider;
- a description of the eligible data breach that the provider has reasonable grounds to believe has occurred;
- the kinds of information concerned; and
- recommendations about the steps which individuals should take in response to the eligible data breach.
The statement must be provided to the Commissioner.
If practicable, the provider must also notify the contents of the statement to the individuals to whom the relevant information relates, or to each of the individuals who are at risk as a consequence of the data breach.
If it is not practicable for the provider to contact the individuals, the provider must take reasonable steps to publicise the contents of the statement and must publish a copy on its website (if it has one).
An MDBN is not required in certain circumstances, including if the breach is required to be, and is, reported pursuant to the My Health Records Act 2012. In addition, if the provider takes remedial action before the breach results in serious harm, such that a reasonable person would conclude that the breach is no longer likely to result in serious harm, the breach is not treated as an eligible data breach and notification is not required.
How Will This Impact You?
With continual advances in technology, providers are increasingly storing personal and sensitive information electronically, and the volume of information that could be exposed by a single breach is growing accordingly.
Providers should take steps now to review their information handling processes, their storage and security systems, and their procedures for identifying and assessing suspected breaches within the 30-day window, so that they are ready to comply with the requirements of the Bill when it becomes law this year.
For further advice or assistance, please contact a member of the TressCox Lawyers Health & Aged Care Team.
Patricia Marinovic, Solicitor
Health & Aged Care