How will Australia’s Mandatory Data Breach Notification Scheme Affect Health Service Providers?
Organisations in Australia that have so far been able to self-manage their security breaches & IT indiscretions will very soon be legally compelled to disclose them when the mandatory data breach notification scheme comes into effect on February 22.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed through the federal parliament this year after numerous failed attempts spanning several governments. This means that soon service providers, businesses and government agencies subject to the Privacy Act will have to report when their systems have been compromised through cyber-attack or technical shortcomings.
Given the recent number of data breaches, such as the Australian Red Cross Blood Bank Service breach in which the records of many Australian blood donors were leaked online, many people believe the legislation was long overdue.
Who will be affected?
This bill will apply to organisations responsible for keeping personal information secure under the Privacy Act, including Australian Government agencies, not-for-profit organisations as well as businesses with an annual turnover of more than $3 million.
But the Act will also apply to some types of businesses with an annual turnover of $3 million or less, such as:
- Private sector health services providers – even alternative medicine practices, weight loss clinics & gyms fall under this category
- Childcare centres, private tertiary educational institutions & private schools
- Businesses that purchase or sell personal information along with credit reporting bodies.
Notifications & penalties
If a notifiable breach has occurred, organisations must notify the Privacy Commissioner as well as affected customers within 30 days. A breach is considered ‘notifiable’ when it is likely to cause serious harm to the affected organisation or individual. As detailed in the bill, failure to comply with the new notification scheme will be “deemed to be an interference with the privacy of an individual” and there will be consequences:
“A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the [Privacy] Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.”
What is actually meant by ‘serious harm’?
Serious harm is considered to have occurred if an individual or organisation suffers personal loss, financial loss, risk to personal safety, reputational damage, or any other kind of harm, whether psychological or physical.
Why is this needed?
- Identity fraud costs Australia nearly $2.2 billion each year.
- Because there have been no reporting requirements for data breaches, many organisations have been hiding them.
Contemporary medical and dental practices, along with many other businesses, hold large amounts of personal information in electronic form. This has increased the risk of security breaches and misuse of the data, and it is what compelled the government to tighten regulation.
Very soon, practices and practitioners will have to notify patients as well as the Privacy Commissioner as soon as they become aware of a data breach likely to result in serious harm.