Dr Kiran Keshwara, dentolegal adviser at Dental Protection, looks at the expectations on all dental practitioners to protect personal information and what you should do to report data breaches
In healthcare, matters of privacy and the prevention of data breaches are essential for all dental practitioners. The Office of the Information Commissioner has just released a new guide, the Guide to health privacy, which is designed to help health service providers understand their obligations under the Privacy Act 1988.
Notifiable Data Breaches Scheme
When the Privacy Amendment (Notifiable Data Breaches) Act 2017 was passed, it had significant implications for all healthcare providers, who must ensure that the data they keep about their patients is well protected and backed up. Following the passing of the Act, the Notifiable Data Breaches Scheme came into effect on 22 February 2018.
The following terms are used and should be understood:
Personal information is information that can be used to identify an individual, such as their name, address, Medicare number or phone number. Part of an individual’s personal information can also include their medical and social history.
A data breach happens when personal information held by an organisation is accessed by an unauthorised party, disclosed to an unauthorised party, or lost. This can include losing a computer with patient details, information mistakenly given to the wrong person, or a database being compromised through malware or ransomware.
A notifiable data breach is a data breach that is likely to result in serious harm to one or more individuals whose personal information has been compromised. Serious harm can include emotional, financial, reputational, physical or psychological harm.
What to do when a data breach occurs
When a data breach occurs, the first step a dental practitioner should take is to try to contain the breach so that the information cannot be accessed or disseminated further. The next steps involve assessing the breach: what caused it, whether it can be prevented from happening again in the future, and whether any of the individuals involved could be harmed as a result of it.
If it is deemed that a notifiable data breach has occurred (that is, one likely to result in serious harm to an individual), practitioners have an obligation to notify the affected individuals as well as the Office of the Australian Information Commissioner (OAIC) within 30 calendar days.
The affected individuals can be informed in a number of ways, by letter, email, phone or online. A practice can either contact everyone whose personal information has been released or only those for whom the breach is likely to result in serious harm. If the individuals are not contactable, another option is to publish a notification on the practice website and to take reasonable steps to tell patients of the data breach. The purpose of this is to put the affected individuals on alert and make them aware that their information may have been accessed by an unauthorised party.
The practitioner should also inform the OAIC using a Notifiable Data Breach Form, which includes a description of the data breach that has occurred, the steps the practice will take to prevent or reduce the chance of it happening again, any remedial action taken to assist the individuals who have been affected, and how the affected individuals have been contacted and informed of the data breach.
The OAIC can also be contacted to discuss a breach, in order to help determine whether it needs to be notified.
Failure to notify the OAIC and affected individuals can lead to penalties being imposed on dental practitioners, such as fines or enforceable undertakings.