Despite the best of intentions, data breaches can and will occur. Dr Kiran Keshwara, dentolegal adviser at Dental Protection, outlines a recent case and explores the standard for notifiable breaches under current legislation

In the workplace, there are a number of competing factors that a clinician will have running through their mind – from providing the best possible treatment for the patient in a finite period of time, to making sure they run on time for their next patient and ensuring they write contemporaneous and accurate notes.

At the same time, the dentist may also have other important things to think about, such as how they will explain a complex treatment plan to a patient or how they will negotiate a particularly narrow canal in a molar.

Dentists and other clinicians often feel under pressure to make sure that they have not missed anything, so it is natural to try every method at their disposal to help remind them of the important things to follow up. The use of these reminders, while helpful, can sometimes lead to further issues for a clinician if there is sensitive or personal information on these reminders, and if the format that is used is one that is visible to all.

One such incident, recently reported to Dental Protection, involved a patient at a practice who was a suspected alcoholic. The patient was unsure about the medications he took, and gave the dentist permission to contact the GP to follow up on this.

The dentist was unable to contact the GP that day, so he wrote himself a reminder on a Post-It note to call the patient’s GP later in the week:



This Post-It note was left on the computer monitor all day and neither the dentist nor any of his assistants removed it. The next morning, another patient, who knew the original patient, went into the surgery and saw the note. He later told their common acquaintances and the original patient about what he had seen.

The patient was naturally upset to hear that his confidential and personal information had been left in the open for others to see and, while he understood that this was a completely innocent mistake, he sought counselling and legal advice. The Post-It note was removed and the dentist was told of the incident.

The dentist called Dental Protection for further advice and, given the highly sensitive nature of the information that had been seen by a third party, we informed the dentist of his and his employer’s obligations under the Privacy Act 1988 and the later Privacy Amendment (Notifiable Data Breaches) Act 2017.

Since 22 February 2018, all agencies and organisations with existing personal information security obligations, including all health service providers, are obliged to notify the Office of the Australian Information Commissioner, as well as any affected individuals whose personal information is involved in a data breach that is likely to result in serious harm. A failure to notify can lead the organisation or agencies to be fined up to $2.1 million.

In this case, an eligible data breach occurred because an individual’s personal information was disclosed without authorisation and it was likely to result in serious harm to the patient. ‘Serious harm’ to an individual may include serious physical, psychological, emotional, reputational or financial harm. Other examples in the dental practice could include if a practice’s computer is hacked and patient information has been obtained, or if a patient’s credit card details are left lying on the desk.

When the dentist called, he was noticeably shaken that a simple reminder to himself had not been removed, and the outcome of it was a significant lapse in patient confidentiality and a very upset patient. Dental Protection provided the member with support by advising him of his obligations and offering further training on record keeping and patient confidentiality via our PRISM e-learning system.

Leaning points

To find out more about the Notifiable Data Breaches scheme and to access the Notifiable Data Breach form, visit the Office of the Australian Information Commissioner website.