
Important Privacy Update for allied health private practitioners (Part 1)

Did you know that there has been an amendment to the Privacy Act that will affect you as an allied health private practitioner? The Notifiable Data Breaches scheme comes into effect on 22 February, and today we want to help you understand what it means for you and your practice.

The Notifiable Data Breaches (NDB) scheme introduces “an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act)” (www.oaic.gov.au).

What this means in simple terms for allied health private practitioners is that, in the event of personal or sensitive client or employee information being lost or subjected to unauthorised access or disclosure, you are legally required in some circumstances to notify both the individual(s) affected and the Office of the Australian Information Commissioner (OAIC).

Let’s break it down further:

What type of data breaches are notifiable?

The scheme uses the term ‘eligible data breach’ to label the type of breach that requires mandatory reporting.

An eligible data breach is one that is likely to result in serious harm to any of the individuals to whom the information relates, and where the likely risk of serious harm has not been able to be prevented with remedial action.

Example 1*

A mobile occupational therapist carries a folder that contains client notes including names, addresses, contact numbers, Medicare details and detailed health information, and realises that it was left on a café seat the day prior. When the practitioner called the café, the folder had not been found. In this case:

a) It was identified that a data breach had occurred; and

b) It is considered an ‘eligible’ data breach as the release of this information could cause serious harm to the individuals involved as a ‘reasonable person’ would consider release of their health information to unauthorised persons as serious. The practitioner was also unable to retrieve the information or minimise the extent of the loss.

c) The practitioner is therefore required under the amendment to follow steps to report this loss of information to both clients and the OAIC.

Example 2*

An administrative staff member working in a physiotherapy practice accidentally emails a letter for a client to another practice instead of the specialist, who was the intended recipient. The error was identified immediately and the staff member recalled the email, and then phoned the other practice who confirmed they would delete the email if received. In this case:

a) It was identified that a data breach had occurred; and

b) It could perhaps be assessed as not an ‘eligible’ data breach. Although the release of this information could cause serious harm to the individual, as a ‘reasonable person’ would consider release of their health information to unauthorised persons as serious, the remedial action taken by the staff member effectively contained the breach and minimised the likelihood of serious harm.

c) The practitioner would therefore not be required to report the data breach.

*These examples are provided for illustration purposes only and do not account for any specific circumstances. The assessment of eligible data breaches must be conducted on a case-by-case basis.

Next week:

What you need to do to prepare your practice for the new privacy laws.

Want to read more now? Head to https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

Last modified on Wednesday, 21 February 2018 09:37