Here’s what you need to know about the new laws that require notification regarding patient data breaches, by Stephanie McGrath

Earlier this year, Australia enacted laws requiring businesses to notify patients, customers, clients and the Office of the Australian Information Commissioner (OAIC) if a serious data breach occurs.

The mandatory requirement to notify came into effect on 22 February 2018, and applies for all data breaches that occur on or after 22 February 2018.

The new laws are a response to the potential for people’s personal information being lost, stolen and/or misused in this era of increasing use of technology and people’s lives and information being stored online, despite the best endeavours of organisations to try and protect people’s personal information.

Personal information can be used by criminals to, among other things:

  • steal identities
  • target people for scams
  • fraudulently obtain credit
  • fraudulently obtain tax refunds

We’ve seen first-hand clients who have experienced data breaches, including hackers who obtained access to a pharmacy business’ databases containing customer personal information and used this database to email customers and other contacts.

There was also the experience of an accounting firm where hackers obtained Tax File Numbers.

Who does the mandatory requirement apply to?

The following businesses are required to notify if a serious data breach occurs:

  • businesses with an annual turnover of $3m or greater; and
  • businesses with an annual turnover of less than $3m if they meet certain requirements. These businesses are usually called ‘small businesses’.

Types of small business that must report include, among others, businesses that:

  • provide a health services to an individual and holds any health information (except in an employee record);
  • are related to a business with an annual turnover greater than $3m; and
  • are contracted to provide a service for a Commonwealth contract (even if not a party to the contract).

Many medical centres, pharmacies and other allied health business will be caught under the new scheme.

What is a serious data breach?

In summary, a serious data breach occurs when:

  • unauthorised access or disclosure is made of personal information;
  • there is a likely risk of serious harm to an individual to which the information relates by this unauthorised access; and
  • the business has not been able to perform remedial action to prevent the likely risk of serious harm.

‘Serious harm’ can be psychological, emotional, physical, reputational, financial or other forms of harm.

How do you determine whether there has been a serious data breach?

A business must make a reasonable and expeditious assessment of whether there has been a serious data breach. 

You will likely need to conduct an investigation.

The assessment should be documented as the OAIC (or patients, customers and clients) may ask for an explanation as to why your business came to the decision it did.

A failure to meet your obligations is deemed to be interference with the privacy of an individual. If the OAIC believes there is ongoing non-compliance (repeated breaches), or a serious breach, the OAIC can apply to the Federal Court for penalties against a business.

Penalties can currently be up to $2.1 million.

This is in addition to any claims for compensation that may be made by clients or customers due to a breach.

Who do you need to disclose to?

If you are required to disclose you must send a Notifiable Data Breach statement within 30 days of discovering the data breach to:

  • the affected individuals; and
  • the Commissioner of Australian Information (oaic.gov.au)

We recommend that you inform all affected patients, customers and clients about the breach and what they should do to take steps to protect themselves or stay vigilant in case their information in misused.

The 30 days period is a maximum period. If you form the view that notification should occur before the end of the 30 days period, you must notify at that point in time to best protect your business from any adverse claims.

How do you protect your pharmacy and patient’s private information?

The Scheme is in force. To protect your pharmacy and the private information of your patients, you should:

  • review your business’ data management policies and make sure all personal information is kept secured and encrypted. If you do not have a data management policy, you should contact an expert lawyer to draft one for you.
  • prepare or update your data breach management plan. This can be part of your privacy policy or your crisis management policy. If you do not have these plans or policies, you should contact an expert lawyer to draft plans and policies for you that are tailored to your business.

Further information

If you require any specific information or assistance with any how to protect your business and the personal information you collect, please do not hesitate to contact the writer on 8628 2039 or stephanie@robertjames.com.au.

Stephanie McGrath is a Senior Associate at Robert James Lawyers practising in commercial law with a focus on health, business and property across Australia.

Stephanie’s significant pharmacy experience includes buying and selling interests in pharmacies Australia-wide, advising clients in relation to compliance with the requirements of different State and Territory Pharmacy Regulatory Bodies, applications to Medicare, applications and objections under the Pharmacy Location Rules and Ministerial Discretional Applications, partnership disputes and much more.

Disclaimer: The content of this article is intended only to provide a summary and general overview on matters of interest. It is not intended to be comprehensive nor does it constitute legal advice. You should seek legal or other professional advice before acting or relying on any content of this article.