Mandatory data breach reporting and the health care sector
10 May 2018
The Notifiable Data Breach Scheme
The long-awaited Notifiable Data Breach Scheme (the NDB Scheme) came into effect on 22 February 2018, following changes to the Privacy Act 1988 (Cth) (the Act).
The Scheme applies to health service providers
The Scheme applies to all government agencies and organisations with personal information security obligations under the Act. This includes all Australian government agency health service providers and all private sector health service providers, whether the services provided relate to physical or psychological health, and it includes providers of aged care, palliative care and disability care (s 6FB(3) of the Act).
The health care sector is a prime target for cyber attacks because of the highly valuable personal information held by those entities.
What information is covered by the Scheme?
The NDB Scheme applies to "personal information", which is any information about an identified individual (or an individual who is reasonably identifiable), regardless of whether the information is true or not. The information does not have to be recorded in material form (s 6).
An eligible data breach happens if:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity, and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
An eligible data breach can be the result of any incident ranging from an accidental loss of a physical file to a sophisticated cyber attack on a network holding personal information.
The grey area is what is meant by "serious harm". Section 26WG of the Act sets out a number of relevant matters to be considered in assessing whether there is serious harm, but does not define the term.
The best guide to the meaning of that term is from the words found in the Explanatory Memorandum to the NDB legislation, which says serious harm "could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity's position would identify as a possible outcome of the data breach..."
If uncertain as to whether there has been an "eligible data breach", organisations have up to 30 days to undertake a reasonable and expeditious assessment to determine if there has been such a breach.
What to do following a breach
In the event of an eligible data breach, the organisation must report the details of the breach to those individuals affected and to the Office of the Australian Information Commissioner (OAIC).
Sparke Helmore's Cyber Insurance team has written extensively about mandatory notification of cyber breaches. You can read more about it on our website.
The Commissioner said: "Notification provides individuals with the opportunity to reduce their chance of experiencing serious harm through protective action, and it reinforces organisations' accountability for the security of the personal information entrusted to them". Notification is therefore important because the risk of serious harm arising from a breach might be reduced by something as simple as affected users changing their passwords on accounts.
Can it happen to you?
The OAIC has published its first quarterly report detailing the notifiable breaches reported to the OAIC between 22 February 2018 and 21 March 2018. In that period of a little more than five weeks, there were 63 eligible data breaches reported. Of the 63 reported breaches, almost one-quarter (15 breaches) involved health service providers.
Given state-based health agencies are not covered by the Privacy Act, there is a significant potential for health service providers to experience an eligible data breach in their organisations.
What can you do?
Training of staff is paramount. While malicious and criminal attacks are a known problem, one-half of the 63 eligible data breaches reported to the OAIC were caused by human error.
There are a number of ways organisations can build a defence against human error as well as external factors, to reduce the potential for eligible data breaches occurring. A starting point is the Essential Eight strategy published by the Australian Signals Directorate. Organisations should also ensure their cyber security platform is effective and that staff understand the significance and impacts of the NDB legislation.
The OAIC strongly encourages all entities to have an effective data breach response plan, so that if a breach occurs, organisations are best armed to respond to it.