Speaking recently to a group of health practitioners I asked who in the room ran a business that was subject to the Privacy Act 1998 (Cth). Not one hand went up.
An individual, partnership or body corporate in Australia that provides a health service to another individual and holds any health information is an ‘organisation’ and therefore an APP entity under the Privacy Act, and is subject to it.
The fact many health practitioners still do not understand this is of concern having regard to both the information they hold and the fundamental privacy principles that underpin the Privacy Act and other State and Territory privacy laws. Further, the Australian Government has proposed amendments to the Privacy Act which will significantly increase the penalties to be imposed on an APP entity when an act or practice interferes with the privacy of an individual.
It is also of concern when considering the release of the Notifiable Data Breaches Scheme 12-month Insights Report (Report) by the Office of the Australian Information Commissioner (OAIC) on 13 May 2019. The Report looks back on the first 12 months of the Notifiable Data Breaches Scheme (NDB Scheme) and provides the following interesting statistics for health practitioners to consider:
- Health service providers were the top reporting sector across Australia notifying data breaches for the period from 1 April 2018 to 31 March 2019. This was not by a small margin. Health service providers notified 35% of data breaches. The next reporting sector was finance which notified only 24%; and
- The leading cause of data breach by health service providers was human error, which accounted for 55% of data breaches by health service providers. Compare this figure to:
  - 35% of data breaches related to human error in all other industries; and
  - 60% of the total data breaches notified in the Report related to malicious or criminal attacks.
The fact that human error is the primary source of data breach in the health sector should mean it is the easiest category of data breach to rectify. The OAIC points out in the Report that there is a need for:
‘strong privacy governance in the health sector that includes robust and regular employee training and technological solutions to assist employees’.
The OAIC also makes clear that it expects APP entities to:
‘understand the causes of data breaches and take proactive steps to prevent them. This means taking reasonable steps to ensure that the necessary people, processes and technology are in place to prevent and respond to breaches’.
To assist APP entities (which includes all health service providers) the OAIC recommends the following best practice tips to manage, and prevent, data breaches:
- All employees are to be trained on how to detect and report email-based threats, understand basic account security and protect their devices;
- All APP entities should prioritise investments in improving overall security and where necessary, engage expert security advice;
- All APP entities should have a data breach response plan which provides practical guidance on how to reduce the impact of a data breach and meet the APP entity’s obligations;
- All APP entities should understand what data they hold and how a breach could impact their customers. An APP entity should understand whether a particular data breach is likely to result in serious harm for an affected individual; and
- The key guiding principles when managing data breaches should be transparency and simplicity.
Whether health practitioners like it or not, the health sector is undergoing significant change due to digital technologies and other forms of innovation. Privacy practices that were good enough in the past are no longer good enough. It is important for health practitioners and all health service providers to first understand their obligations under the Privacy Act and then to take steps to ensure that everyone who works for the health service provider does as well. This is not only important for medico-legal purposes, but to provide optimal patient care.
This article was written by Karen Keogh, Partner.