Membership information 1800 444 542
Dentolegal advice 1800 444 542

Health privacy and how to report data breaches

24 October 2019

Dr Kiran Keshwara, dentolegal adviser at Dental Protection, looks at the expectations on all dental practitioners to protect personal information and what you should do to report data breaches

In healthcare, matters of privacy and the prevention of data breaches are essential for all dental practitioners. The Office of the Information Commissioner has just released a new guide, the Guide to health privacy, which is designed to assist health service providers understand what their obligations are under the Privacy Act 1988.

Notifiable Data Breaches Scheme

When the Privacy Amendment (Notifiable Data Breaches) Act 2017 was passed, it had a significant implication on all healthcare providers to ensure that the data that they keep about their patients is well-protected and backed up. Following the passing of the Act, the Notifiable Data Breaches Scheme came into effect on 22 February 2018.

The following terms are used and should be understood:

Personal information is information that can be used to identify an individual, such as their name, address, Medicare number or phone number. Part of an individual’s personal information can also include their medical and social history.

A data breach happens when personal information held by an organisation is accessed by an unauthorised party, disclosed to an unauthorised party, or if the data is lost. This can include losing a computer with patient details, information mistakenly given to the wrong person or when a database is hacked through malware or ransomware.

A notifiable data breach is a data breach that is likely to result in serious harm to one or more individuals whose personal information has been compromised. Serious harm can include emotional, financial, reputational, physical or psychological harm.

What to do when a data breach occurs

When a data breach occurs, the first step that a dental practitioner should take is to try to contain the data breach so that the information cannot be accessed or disseminated further. The next steps involve assessing the data breach, what caused it and whether it can be prevented from happening again in the future, and whether any individuals involved can be harmed due to the data breach.

If it is deemed that a notifiable data breach has occurred – that is, it is likely to result in serious harm to an individual, then practitioners have an obligation to notify the affected individuals as well as the Office of the Australian Information Commissioner (OAIC) if they believe a notifiable data breach has occurred, within 30 calendar days.

The affected individuals can be informed in a number of ways – by letter, email, phone or online. A practice can either contact all those whose personal information has been released or only those who are deemed to be likely to result in serious harm. If the individuals are not contactable, another option is to publish a notification on the practice website and to take reasonable steps to tell patients of the data breach. The purpose of this is to allow those affected individuals to be on alert and to be aware that their information may have been accessed by an unauthorised party.

The practitioner should also inform the OAIC using a Notifiable Data Breach Form, which includes a description of the data breach that has occurred, the steps the practice will take to prevent or reduce this from happening, any remedial action taken to assist individuals who have been affected, and how the affected individuals have been contacted and informed of the data breach. 

The Office of the Australian Commissioner can be contacted and the breach discussed with them in order to try to understand whether data breaches need to be notified.

Failure to notify the OAIC and affected individuals can lead to penalties being imposed on dental practitioners, such as fines or enforceable undertakings.

© 2010-2024 The Medical Protection Society Limited

DPL Australia Pty Ltd (“DPLA”) is registered in Australia with ABN 24 092 695 933. Dental Protection Limited (“DPL”) is registered in England (No. 2374160) and along with DPLA is part of the Medical Protection Society Limited (“MPS”) group of companies. MPS is registered in England (No. 36142). Both DPL and MPS have their registered office at Level 19, The Shard, 32 London Bridge Street, London, SE1 9SG. DPL serves and supports the dental members of MPS. All the benefits of MPS membership are discretionary, as set out in MPS’s Memorandum and Articles of Association.
“Dental Protection member” in Australia means a non-indemnity dental member of MPS. Dental Protection members may hold membership independently or in conjunction with membership of the Australian Dental Association (W.A. Branch) Inc. (“ADAWA”).
Dental Protection members who hold membership independently need to apply for, and where applicable maintain, an individual Dental Indemnity Policy underwritten by MDA National Insurance Pty Ltd (“MDANI”), ABN 56 058 271 417, AFS Licence No. 238073. MDANI is a wholly-owned subsidiary of MDA National Limited, ABN 67 055 801 771. DPLA is a Corporate Authorised Representative of MDANI with CAR No. 326134. For such Dental Protection members, by agreement with MDANI, DPLA provides point-of-contact member services, case management and colleague-to-colleague support.
Dental Protection members who are also ADAWA members need to apply for, and where applicable maintain, an individual Dental Indemnity Policy underwritten by MDANI, which is available in accordance with the provisions of ADAWA membership.
None of ADAWA, DPL, DPLA and MPS are insurance companies. Dental Protection® is a registered trademark of MPS.

Before making a decision to buy or hold any products issued by MDANI, please consider your personal circumstances and the Important Information, Policy Wording and any supplementary documentation available by contacting the DPL membership team on 1800 444 542 or via email.