Aged care providers will be subject to the Notifiable Data Breach scheme, which begins on 22 February 2018 and requires organisations, including residential and home care providers, to report eligible data breaches to the Office of the Australian Information Commissioner.
An eligible data breach will occur if:
If an approved provider has reasonable grounds to believe that a data breach has occurred in these circumstances, it must notify the Commissioner and the affected individuals of the breach.
A data breach may occur, for instance:
Each of these scenarios may give rise to an obligation on the approved provider to comply with the requirements of the Notifiable Data Breach scheme.
In deciding whether a reasonable person would conclude that a data breach would be likely to result in serious harm to an individual, the following factors may be relevant:
Identifying the kind of information that may be the subject of a breach will be particularly critical in determining what steps a provider should take in response.
In the event that a provider is involved in a data breach, and the provider takes action in relation to the breach before it results in serious harm to any of the individuals to whom the information relates (and a reasonable person would conclude that the breach would not be likely to result in serious harm to any of the individuals), then there will be no obligation to inform the Commissioner. This might be the case, for example, where data is emailed by mistake to a trusted business partner (like your lawyer!) and the provider contacts them and obtains the prompt deletion of the data.
If a provider has reasonable grounds to suspect that a data breach may have occurred, it is required to carry out a reasonable and expeditious assessment to ascertain whether an eligible data breach did in fact occur.
The provider must take all reasonable steps to ensure that this assessment is completed within 30 days of becoming aware of the suspected breach.
If the provider is aware that there are reasonable grounds to believe that there has been an eligible data breach, it is required as soon as practicable to provide a statement to the Commissioner that sets out the following:
If it is then practicable to do so, the provider must notify each of the individuals affected by the breach of the contents of the statement. This is a significant requirement in the context of aged care, because the breach will probably affect residents and clients. Where a resident or client has a legal representative or person responsible, the provider will need to notify that person.
If it is not practicable to notify each individual, a more general notice may have to be published, such as on the organisation’s website.
Aged care providers have an obligation under the Privacy Act to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Such information may include residents' clinical care records and financial information, and extends to prospective residents on waiting lists. It may also include personal information that friends and family members have provided to the provider.
The Commissioner suggests that one of the reasonable steps that organisations may take includes the preparation and implementation of a data breach response plan.
We strongly suggest that providers consider updating their Privacy Compliance Manual or create a separate Data Breach Response Plan or procedure because:
The Commissioner has a number of powers under the Act to ensure that all organisations comply with their obligations under the Notifiable Data Breach scheme, including making a determination against an organisation and bringing proceedings to enforce the determination, and applying to a court for a civil penalty in respect of a breach. These powers could be exercised in respect of an organisation’s failure to undertake the following in accordance with the Notifiable Data Breach scheme:
The Commissioner has published draft resources to help organisations to understand their obligations under the scheme.
Gadens is able to advise providers on their obligations under the Notifiable Data Breach scheme and to assist them to document a response plan.