Karen Kumar, Partner at Hicksons Lawyers, explains what your requirements are if you discover a data breach following the launch of the Notifiable Data Breaches Scheme.
Read this article to:
- Understand what the Notifiable Data Breaches Scheme is about
- Learn how to manage and report a data breach
- Discover resources to help you with the requirements of the scheme
In February 2017, Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, and a year later, on 22 February 2018, the Notifiable Data Breaches Scheme (NDBS) came into effect. Entities regulated by the Privacy Act 1988, including health service providers, are now required to notify the Privacy Commissioner and affected individuals of an eligible data breach.
Who does the NDBS apply to?
Dental practitioners, as individuals and practices, are obligated under the Privacy Act to secure personal, health and sensitive information, and are therefore required to comply with the NDBS.
What is a data breach?
A data breach occurs if there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or if such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.
Which data breaches are required to be notified?
A data breach is an eligible data breach (and therefore a breach that must be reported) if a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.
Serious harm includes:
The Act does not define serious harm. There is a "likely" risk of serious harm if a reasonable person would be satisfied that serious harm occurring is more probable than not. In deciding whether this is the case, you are required to have regard to the list of "relevant matters" set out in the Act, which includes the kinds and sensitivity of the information, whether it was protected by security measures such as encryption, the kinds of persons who may have obtained it, and the nature of the harm that could result.
If you suspect that an eligible data breach has occurred, you must carry out an assessment of the relevant circumstances. You are then required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable after becoming aware that there are reasonable grounds to believe there has been an eligible data breach.
You must take all reasonable steps to ensure the assessment is completed within 30 calendar days of becoming aware of the suspected breach. This is the maximum time; the OAIC encourages assessments to be completed as quickly as possible.
The OAIC states that at any time, including during an assessment, you can, and should, take steps to reduce any potential harm to individuals caused by a suspected or eligible data breach. If remedial action is successful in preventing serious harm to affected individuals, notification is not required.
There is an important exception to the notification requirement. If there is a data breach but you take remedial action and, as a result of that action:
- in the case of lost information, there is no unauthorised access to, or unauthorised disclosure of, the information, or
- in the case of unauthorised access or disclosure, there is no serious harm to affected individuals and a reasonable person would conclude that the breach is not likely to result in serious harm,
then the breach will not be an eligible data breach. Keep a record of the assessment and of the remedial action relied on, as you may need to demonstrate the basis for deciding not to notify.
How do you notify an eligible data breach?
The statement provided to the OAIC, and the notification to affected individuals, must include the following information:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned
- recommendations about the steps individuals should take in response to the data breach.
A form to notify the breach can be accessed at https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB
When notifying affected individuals, you have a discretion to notify either each affected individual or, if not all affected individuals are at risk of serious harm from the breach, only those individuals who are at risk. If neither option is practicable, you must publish a copy of the statement on your website (if you have one) and take reasonable steps to publicise its contents.
Results of a failure to comply
Failure to comply with the requirements means the Privacy Commissioner has the power to:
- conduct investigations
- make determinations
- seek enforceable undertakings
- pursue civil penalties for serious or repeated interferences with privacy.
It is also possible that a failure to comply will result in referral to the Dental Council for consideration of disciplinary proceedings being brought against the practitioner.
What should you do now?
Dental practitioners are now required to notify the OAIC and affected individuals of any unauthorised access to, unauthorised disclosure of, or loss of personal information where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result.
Depending on what information is disclosed or lost, a mandatory notification may not be required if the breach is not likely to result in serious harm to the individual. Remedial action taken promptly after a suspected or actual data breach may also remove the requirement to notify.
If you are uncertain about the steps required to carry out the assessment or remedial action, or about your obligation to make a mandatory notification, you should seek advice from Dental Protection. To stay up to date with the NDBS, refer to the resources provided by the OAIC.
Two of the OAIC's publications, Data breach preparation and response and the Guide to securing personal information, provide useful information for practitioners and practices. An OAIC webinar entitled Preparing for the Notifiable Data Breaches Scheme may also be of assistance.
If you suspect a data breach has occurred and are unsure of your obligations, contact Dental Protection for advice. Call 1800 444 542 or email [email protected]