Data breaches by aged care providers – complying with the Mandatory Data Breach Scheme

Aged care providers will be subject to the Notifiable Data Breach scheme which requires organisations, including residential and home care providers, to mandatorily report eligible data breaches to the Office of the Australian Information Commissioner begins on 22 February 2018.

An eligible data breach will occur if:

• there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by you as the approved provider; and
• a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates.

If an approved provider has reasonable grounds to believe that a data breach has occurred in these circumstances, it must notify the Commissioner and the affected individuals of the breach.

A data breach may occur, for instance:

• by a home carer leaving a file in their car where others may be able to access it or the car may be stolen
• where files are left unattended
  through hacking of the provider’s system or through malicious software through a disgruntled staff member taking data with them when they leave an organisation
• by innocent error, such as sending personal information by email to the wrong email address
• if a portable device containing personal information is lost or stolen.

Each of these scenarios may give rise to an obligation on the approved provider to comply with the requirements of the Notifiable Data Breach scheme.

In deciding whether a reasonable person would conclude that a data breach would be likely to result in serious harm to an individual, the following factors may be relevant:

• the kind of information
• the sensitivity of the information
• the extent to which the information is protected by security measures, e.g. encryption
• the kind of persons who have obtained, or could obtain, the information
• the nature of the harm an individual could suffer (consider whether an individual might suffer physical, psychological, emotional or financial harm, or harm to reputation).

Identifying the kind of information that may be the subject of a breach will be particularly critical in determining what steps a provider should take in response.

Remedial action

In the event that a provider is involved in a data breach, and the provider takes action in relation to the breach before it results in serious harm to any of the individuals to whom the information relates (and a reasonable person would conclude that the breach would not be likely to result in serious harm to any of the individuals), then there will be no obligation to inform the Commissioner. This might be the case, for example, where data is emailed by mistake to a trusted business partner (like your lawyer!) and the provider contacts them and obtains the prompt deletion of the data.

Assessing a suspected breach

If a provider has reasonable grounds to suspect that a data breach may have occurred, they are required to carry out a reasonable and expeditious assessment to ascertain whether a breach did in fact occur.
The provider must take all reasonable steps to ensure that this assessment is completed within 30 days of becoming aware of the suspected breach.

Notifying the Commissioner

If the provider is aware that there are reasonable grounds to believe that there has been an eligible data breach, it is required as soon as practicable to provide a statement to the Commissioner that sets out the following:

1. 1. the approved provider’s contact details
   2. a description of the data breach reasonably believed to have happened
   3. the kind of information concerned
   4. recommendations about the steps that individuals should take in response to the breach (for example, if a file containing a resident’s or client’s credit card details is hacked into, the provider might recommend that the resident or client cancel their credit cards).

If it is then practicable to do so, the provider must notify the contents of the statement to each of the individuals affected by the breach. This is a significant requirement in the context of aged care, because the breach will probably affect residents and clients. In circumstances where a resident or client has a legal representative or person responsible, you will need to notify them.

If it is not practicable to notify each individual, a more general notice may have to be published, such as on the organisation’s website.

Data breach response plan

Aged care providers have an obligation under the Privacy Act to take reasonable steps to protect the personal information held by them from misuse, interference and loss, and from unauthorised access, modification or disclosure. Such information may relate to the residents’ clinical care and their financial information and includes prospective residents on waiting lists. It may also affect friends and families who have provided personal information to the provider.

The Commissioner suggests that one of the reasonable steps that organisations may take includes the preparation and implementation of a data breach response plan.

We strongly suggest that providers consider updating their Privacy Compliance Manual or create a separate Data Breach Response Plan or procedure because:

• the failure to respond appropriately to an eligible data breach may expose the provider to civil penalties of up to $2.1M for breaching the Act
• the failure to act quickly and to limit potential harm to affected individuals may expose the provider to a claim for compensation from those individuals
• a provider’s reputation may be seriously harmed if a breach is not dealt with expeditiously and in accordance with the provider’s lawful obligations under the Act
• a breach of the scheme is less likely to occur if the organisation, and particularly those responsible for information privacy within the organisation , follow a clearly documented process.
• As an approved provider you will be in a much better position to respond well, if you have a Data Breach Response Plan in place rather than just responding “ad hoc”.

The Commissioner has a number of powers under the Act to ensure that all organisations comply with their obligations under the Notifiable Data Breach scheme, including making a determination against an organisation and bringing proceedings to enforce the determination, and applying to a court for a civil penalty in respect of a breach. These powers could be exercised in respect of an organisation’s failure to undertake the following in accordance with the Notifiable Data Breach scheme:

• to conduct a reasonable and expeditious assessment of a suspected eligible data breach
• to prepare and provide to the Commissioner a statement about a data breach
• as soon as practicable to notify the contents of the statement to individuals at risk of serious harm
• to comply with a direction from the Commissioner.

The Commissioner has published draft resources to help organisations to understand their obligations under the scheme.

Gadens is able to advise providers on their obligations under the Notifiable Data Breach scheme and to assist them to document a response plan.