Kos Sclavos focuses on the new mandatory data breach notification laws and what impact they may have on pharmacy
The new mandatory data breach notification laws which commenced 22 February 2018 have an impact on community pharmacy as the laws apply to businesses with an annual (group) turnover of more than $3m—many pharmacies fall into this category.
What do the changes do?
The changes introduce a mandatory data breach notification scheme into the Privacy Act. Under this scheme, entities subject to the Privacy Act must notify individuals when a data breach occurs that is likely to result in serious harm to those individuals.
This could entail thousands of patients being notified of the breach, with potentially enormous reputational damage to the pharmacy. The Office of the Australian Information Commissioner (OAIC) must also be notified of a data breach.
Is there evidence of pharmacy breaches in the past?
Pharmacy ransomware attacks have been widely reported. This prompted the Pharmacy Board to remind pharmacists that they have an obligation to maintain patient records securely, especially when considering solutions for back-up storage of information.
The Board’s Guideline 9.2 Protection of electronic data in the Board’s revised Guidelines for dispensing of medicines provides additional and updated guidance for pharmacists on this matter, including the need for appropriate backup and disaster recovery processes.
What should a pharmacy do if it becomes aware of a data breach?
The pharmacy owner should firstly ring Guild Insurance. If an assessment is made that there are reasonable grounds to believe that there has been an eligible data breach, you are required to promptly notify any individuals at risk of being affected by the data breach and the OAIC.
An ‘eligible data breach’ occurs where there is unauthorised access to, or unauthorised disclosure of, personal information, or where personal information is lost, and a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates.
What should the pharmacy be doing to prepare?
It is important to have a data strategy in place that documents what data your pharmacy holds and where it is kept, including offsite storage. Document who has access to the pharmacy data and the password process in place. There should also be a data breach response plan.
The Guild Insurance specialist team offers a range of services including neutralising the threat, communicating with affected customers, and a credit monitoring service. For further information on Cyber Insurance, call 1800 810 213 or visit the Guild Insurance website.