Membership information 1800 444 542
Dentolegal advice 1800 444 542

Data breaches in the workplace

25 July 2019

Despite the best of intentions, data breaches can and will occur. Dr Kiran Keshwara, dentolegal adviser at Dental Protection, outlines a recent case and explores the standard for notifiable breaches under current legislation

In the workplace, there are a number of competing factors that a clinician will have running through their mind – from providing the best possible treatment for the patient in a finite period of time, to making sure they run on time for their next patient and ensuring they write contemporaneous and accurate notes.

At the same time, the dentist may also have other important things to think about, such as how they will explain a complex treatment plan to a patient or how they will negotiate a particularly narrow canal in a molar.

Dentists and other clinicians often feel under pressure to make sure that they have not missed anything, so it is natural to try every method at their disposal to help remind them of the important things to follow up. The use of these reminders, while helpful, can sometimes lead to further issues for a clinician if there is sensitive or personal information on these reminders, and if the format that is used is one that is visible to all.

One such incident, recently reported to Dental Protection, involved a patient at a practice who was a suspected alcoholic. The patient was unsure about the medications he took, and gave the dentist permission to contact the GP to follow up on this.

The dentist was unable to contact the GP that day, so he wrote himself a reminder on a Post-It note to call the patient’s GP later in the week:

This Post-It note was left on the computer monitor all day and neither the dentist nor any of his assistants removed it. The next morning, another patient, who knew the original patient, went into the surgery and saw the note. He later told their common acquaintances and the original patient about what he had seen.

The patient was naturally upset to hear that his confidential and personal information had been left in the open for others to see and, while he understood that this was a completely innocent mistake, he sought counselling and legal advice. The Post-It note was removed and the dentist was told of the incident.

The dentist called Dental Protection for further advice and, given the highly sensitive nature of the information that had been seen by a third party, we informed the dentist of his and his employer’s obligations under the Privacy Act 1988 and the later Privacy Amendment (Notifiable Data Breaches) Act 2017.

Since 22 February 2018, all agencies and organisations with existing personal information security obligations, including all health service providers, are obliged to notify the Office of the Australian Information Commissioner, as well as any affected individuals whose personal information is involved in a data breach that is likely to result in serious harm. A failure to notify can lead the organisation or agencies to be fined up to $2.1 million.

In this case, an eligible data breach occurred because an individual’s personal information was disclosed without authorisation and it was likely to result in serious harm to the patient. ‘Serious harm’ to an individual may include serious physical, psychological, emotional, reputational or financial harm. Other examples in the dental practice could include if a practice’s computer is hacked and patient information has been obtained, or if a patient’s credit card details are left lying on the desk.

When the dentist called, he was noticeably shaken that a simple reminder to himself had not been removed, and the outcome of it was a significant lapse in patient confidentiality and a very upset patient. Dental Protection provided the member with support by advising him of his obligations and offering further training on record keeping and patient confidentiality via our PRISM e-learning system.

Leaning points

  • Ensure that all patient information is kept out of sight to respect patient confidentiality
  • Maintaining patient confidentiality is a team effort, so work as a team and identify ways in which the dental team can help reduce any possible data breaches
  • Do not talk about other patients in the presence of people who are not directly involved in the care of your patients
  • There are some instances where patient information can be shared, for example where requested by a court, referral between colleagues or specialists, or in mandatory reporting of child abuse
  • Make sure you remove all reminders/notes about patients securely
  • If you become aware of any data breaches, call Dental Protection for advice.

To find out more about the Notifiable Data Breaches scheme and to access the Notifiable Data Breach form, visit the Office of the Australian Information Commissioner website

© 2010-2024 The Medical Protection Society Limited

DPL Australia Pty Ltd (“DPLA”) is registered in Australia with ABN 24 092 695 933. Dental Protection Limited (“DPL”) is registered in England (No. 2374160) and along with DPLA is part of the Medical Protection Society Limited (“MPS”) group of companies. MPS is registered in England (No. 36142). Both DPL and MPS have their registered office at Level 19, The Shard, 32 London Bridge Street, London, SE1 9SG. DPL serves and supports the dental members of MPS. All the benefits of MPS membership are discretionary, as set out in MPS’s Memorandum and Articles of Association.
“Dental Protection member” in Australia means a non-indemnity dental member of MPS. Dental Protection members may hold membership independently or in conjunction with membership of the Australian Dental Association (W.A. Branch) Inc. (“ADAWA”).
Dental Protection members who hold membership independently need to apply for, and where applicable maintain, an individual Dental Indemnity Policy underwritten by MDA National Insurance Pty Ltd (“MDANI”), ABN 56 058 271 417, AFS Licence No. 238073. MDANI is a wholly-owned subsidiary of MDA National Limited, ABN 67 055 801 771. DPLA is a Corporate Authorised Representative of MDANI with CAR No. 326134. For such Dental Protection members, by agreement with MDANI, DPLA provides point-of-contact member services, case management and colleague-to-colleague support.
Dental Protection members who are also ADAWA members need to apply for, and where applicable maintain, an individual Dental Indemnity Policy underwritten by MDANI, which is available in accordance with the provisions of ADAWA membership.
None of ADAWA, DPL, DPLA and MPS are insurance companies. Dental Protection® is a registered trademark of MPS.

Before making a decision to buy or hold any products issued by MDANI, please consider your personal circumstances and the Important Information, Policy Wording and any supplementary documentation available by contacting the DPL membership team on 1800 444 542 or via email.