On 22 February 2018, mandatory data breach notification requirements were incorporated into the Privacy Act 1988 (Act) and now apply to all entities regulated by the Act.
Typically, health service providers such as pharmacists will be bound by the Act irrespective of the size of their business, because they provide a health service and because of the highly sensitive nature of the health and other information they hold.
Prior to 22 February 2018 there was no requirement to notify an individual who may be affected by a data breach resulting from misuse, interference or loss of personal information. However, since that date, health service providers have been under a statutory obligation to promptly notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if an ‘eligible data breach’ occurs.
The key objective of the data breach notification regime is to provide individuals whose personal information has been compromised in a data breach with an opportunity to take remedial steps to lessen the adverse impact arising from the breach. For example, if the data breach is the loss of a customer’s credit card information, prompt notification of the loss to the affected individual may enable the individual to cancel the credit card and prevent financial loss from occurring.
What kinds of data breaches require notification?
Data breaches can occur in a variety of ways in practice, including:
- unauthorised access to software systems by third parties (hacking)
- sight of paper records by unauthorised third parties
- loss of data and information (for example, data left on public transport)
- theft of data or records (for example, theft in the postal system or burglary of a pharmacy)
Mandatory notification of such breaches is only required if an ‘eligible data breach’ has occurred. An eligible data breach takes place where:
- there is unauthorised access to, or unauthorised disclosure of, personal information and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- the personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur and assuming that occurs, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
‘Serious harm’ is not defined in the Act, but guidance provided by the OAIC indicates that ‘serious harm’ to an individual may include serious physical, psychological, emotional, financial or reputational harm.
In assessing whether ‘serious harm’ is likely to occur, the organisation should have regard to:
- the kind of information and the sensitivity of the information (for example, information which reveals sensitive health information, information about ethnicity, sexual orientation or Australian visa/residency or asylum status would be more likely to cause serious harm than merely a person’s name)
- whether the information is protected by any security measures and the likelihood that any of those security measures could be overcome
- the kinds of persons who have obtained, or could obtain, the personal information (for example, a data breach from one Governmental agency to another may be less likely to result in serious harm than a data breach where personal information has been stolen and is therefore in the possession of thieves or potential fraudsters)
- whether a security technology or methodology designed to make the personal information unintelligible or meaningless to unauthorised persons was used
- the likelihood that the persons who obtained the information intend to cause harm to an individual
- the nature of the harm.
The Act provides that if there has been an eligible data breach then the individual or individuals concerned are at risk as a result of the breach.
It will always be important to take swift action when an eligible data breach takes place.
Section 26WF of the Act contains provisions which, put simply, mean that an eligible data breach is taken not to have occurred if the organisation that held the information takes action which removes the likelihood of serious harm to the individual.
Whenever an entity suspects that there may have been an eligible data breach of the entity, the entity must carry out ‘a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach’ and take all reasonable steps to ensure that the assessment is completed.
In the event that there are reasonable grounds to believe that an ‘eligible data breach’ has occurred, and the entity has not been able to take remedial action to remove the likelihood of serious harm, then an entity must notify the OAIC within 30 days. The website for the OAIC contains a link to an online form of the statement required.
The Act additionally requires that, if there has been an eligible data breach and the entity has prepared a statement to the OAIC, then the entity must notify the contents of the statement to each of the individuals to whom the relevant information relates or who are at risk as a result of the breach, if it is practicable for the entity to do so.
If it is not practicable for the entity to contact the affected individuals (for example, if the entity no longer has their contact details), then the Act provides that the entity should publish a copy of the statement on the entity’s website and take reasonable steps to publicise the contents of the statement.
Notification to individuals must take place as soon as practicable after the completion of the preparation of the statement to the OAIC.
Enforcement by OAIC
There is a range of enforcement options available to the OAIC in the event of a breach of the Act, including undertaking an investigation, seeking an enforceable undertaking from organisations and applying the civil penalty provisions under the Act, resulting in a financial penalty for the organisation involved.
A breach of the requirement for notification of eligible data breaches would be taken to be an act that constitutes “interference with the privacy of an individual”. Section 13G of the Act provides that serious interference with the privacy of an individual attracts a civil penalty of 2,000 penalty units. For an individual, this could amount to a penalty of $420,000.00 and for a body corporate, the OAIC now has the right to apply to the Federal Court for an order that a penalty of up to five times the amount of the pecuniary penalty must be paid.
Consequently, there is potential for bodies corporate to be subject to a financial penalty of up to $2,100,000.00 for serious interferences with the privacy of an individual.
The OAIC has prepared a guide to assist businesses to prepare for and respond to data breaches in line with their obligations under the Act.
The prevention of privacy breaches in the first place is key to protecting personal information and protecting a health provider from compliance action, penalties and reputational damage which flows from data breaches.
Health providers (including pharmacists) should develop a Data Breach Response Plan to enable them to respond quickly to suspected data breaches thereby reducing the impact on the individuals concerned, and providing for a post data breach review of what went wrong and how further, similar breaches can be prevented in the future.
Meridian Lawyers can assist you to understand your privacy obligations and advise on compliance with the Notifiable Data Breaches regime and its impact, and in developing a Data Breach Response Plan.
For further advice, please contact Principal Mark Fitzgerald.
Disclaimer: This information is current as of May 2018. This article does not constitute legal advice and does not give rise to any solicitor/client relationship between Meridian Lawyers and the reader. Professional legal advice should be sought before acting or relying on the content of this article.