
What happens when data is breached?

06 July 2018

Karen Kumar, Partner at Hicksons Lawyers, explains what your requirements are if you discover a data breach following the launch of the Notifiable Data Breaches Scheme.

Read this article to:

  • Understand what the Notifiable Data Breaches Scheme is about
  • Learn how to manage and report a data breach
  • Discover resources to help you with the requirements of the scheme

What’s changed?
In February 2017, Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, and a year later – in February 2018 – the Notifiable Data Breaches Scheme (NDBS) came into effect. This means that health service providers regulated by the Privacy Act 1988 are now required to notify the Privacy Commissioner and affected individuals of an eligible data breach.

Who does the NDBS apply to?
Dental practitioners, as individuals and practices, are obligated under the Privacy Act to secure personal, health and sensitive information, and are therefore required to comply with the NDBS.

What is a data breach?
A data breach occurs if there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or if such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.

Which data breaches are required to be notified?
A data breach is an eligible data breach (and therefore a breach that must be reported) if a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.

Serious harm includes:

  • physical
  • psychological
  • emotional
  • economic
  • financial
  • reputational.

There is a likely risk of serious harm if a reasonable person would be satisfied that the risk of serious harm occurring is more probable than not. In deciding whether this is the case, you are required to have regard to a list of “relevant matters” included in the Act.

If you suspect that an eligible data breach has occurred, you must undertake an assessment of the relevant circumstances. You are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable after becoming aware that there are reasonable grounds to believe there has been an eligible data breach.

These assessments are required to be undertaken and completed within 30 calendar days. While this is the maximum time, the OAIC encourages assessments to be completed as quickly as possible.

The OAIC states that at any time, including during an assessment, you can, and should, take steps to reduce any potential harm to individuals caused by a suspected or eligible data breach. If remedial action is successful in preventing serious harm to affected individuals, notification is not required.

There is an important exception to the notification requirement. If there is a data breach but you take action, and as a result of the action:

  • there is no unauthorised access to, or unauthorised disclosure of, the information, or
  • there is no serious harm to affected individuals, and as a result of the remedial action a reasonable person would conclude that the breach is not likely to result in serious harm,

then the breach will not be an eligible data breach.

How to notify if an eligible data breach has occurred?
The notification to affected individuals and the OAIC must include the following information:

  • the identity and contact details of the organisation
  • a description of the data breach
  • the kinds of information concerned
  • recommendations about the steps individuals should take in response to the data breach.

A form to notify the breach can be accessed at https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB

When notifying affected individuals, however, you have discretion to notify either each affected individual or, if not all affected individuals are deemed to be “at risk” from an eligible data breach, only those affected individuals who are deemed to be at risk.

Results of a failure to comply
Failure to comply with the requirements means the Privacy Commissioner has the power to:

  • conduct investigations
  • make determinations
  • seek enforceable undertakings
  • pursue civil penalties for serious or repeated interferences with privacy.

It is also possible that a failure to comply will result in referral to the Dental Council for consideration of disciplinary proceedings being brought against the practitioner.

What should you do now?

  • Develop or update your data breach response plan:
    The plan should cover the actions to be taken if a breach is suspected, discovered or reported.
  • Plan to utilise the eligible data breach exception:
    Having to notify customers of a data breach can cause serious damage to your reputation. If a breach occurs, the aim should be, where possible, to take remedial action promptly. If that action prevents the data breach from causing serious harm to any individual, a notification is not required.
  • Review contracts with outsourced service providers:
    Contracts with outsourced service providers should be reviewed and, if necessary, updated in order to ensure that the provider is required to notify and work with you in the event of a data breach.

Summary

Dental practitioners are now required to notify the OAIC of any unauthorised access to, unauthorised disclosure of, or loss of personal information where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.

Subject to what information is disclosed or lost, it may be that a mandatory notification is not required as it is not likely to result in serious harm to the individual. Remedial action taken after a suspected or actual data breach may obviate the requirement to notify the breach.

In the event that you are uncertain of the steps required to undertake the requisite assessment or remedial action, or are uncertain as to your obligations to make a mandatory notification, then you should seek advice from Dental Protection. In order to ensure that you are up-to-date regarding the NDBS, you should refer to the below resources provided by the OAIC.


Resources

Two of the OAIC’s publications – the Data breach preparation and response and the Guide to securing personal information – provide useful information for practitioners and practices. An OAIC webinar entitled Preparing for the Notifiable Data Breaches Scheme may also be of assistance.

Visit oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

More support
In the event that you suspect a data breach has occurred and you are unsure as to what your obligations are, you should contact Dental Protection for advice. Call 1800 444 542 or email [email protected]

© 2010-2023 The Medical Protection Society Limited