The new legislation is aimed at strengthening the protection of personal information and at ensuring that serious data breaches are managed appropriately, an important element of today's patient privacy regime.
Health and care organisations should develop a Data Breach Response Plan that sets out how they will respond to any actual or suspected data breach and meet their compliance obligations.
While organisations do their best to protect client and employee files and personal information, accidental and deliberate data breaches still occur.
Examples of data breaches might include:
- Loss of laptops, USBs or mobile phones with client data or files on them
- The accidental emailing of client or employee information to the wrong person
- Cybersecurity breaches, including the hacking of systems and ransomware and malware attacks
- Release of unauthorised client or employee information to a third party or access to this information by an unauthorised person
- Disclosing tax file numbers, photographic ID or other personal information where this has not been approved
- Stolen credit cards or credit card details
What to do if you become aware of a data breach
If personal information relating to any person (client or employee) has been, or might have been, obtained by someone outside the organisation who was not authorised to receive it, there is an obligation to report this immediately to the appointed Privacy Officer.
Under a Data Breach Response Plan, the Privacy Officer will assess the breach and determine whether remedial action can be taken or whether affected parties need to be notified and the matter reported to the Commissioner.
It is important that all employees refer suspected data breaches to the Privacy Officer for assessment, even if a breach seems harmless or trivial. Failure to comply with the legislation risks substantial financial penalties for both individuals and organisations: up to $1.7m for companies and $340,000 for individuals.
Organisations within the health and care sector are prime repositories of confidential and sensitive personal information about their patients. These legislative changes are therefore particularly relevant to them and need to be fully understood, along with the potential impact and ramifications of a failure to comply. Planning ahead for a cyberattack or breach is essential to being prepared to deal with such an incident when it occurs. Pitcher Partners would be happy to assist in this preparation.