We’re all beginning to understand that data is critical to decision making and as the age of ‘Big Data’ draws closer, the ability to collect and store information on individuals is becoming increasingly important. Businesses seeking to capitalise on the value of this information may not realise that obtaining it comes with obligations to protect it, as well as restrictions on its use. This is particularly relevant in the health sphere. Organisations that collect information relating to an individual’s health need to appreciate that this is classified as ‘sensitive information’ and its collection, use and storage is regulated by the Privacy Act 1988 (‘Privacy Act’).
Traditionally our health information has been held by doctors, dentists, specialists and (for those of us that frequent the gym) personal trainers. The transition to electronic records by these providers has not been quick, and many offices still store this data physically. Those businesses now face challenges in securing physical and electronic documents in accordance with the Privacy Act.
Notifiable Data Breaches Scheme
Even if you’re complying with the Privacy Act in relation to the collection, storage and use of personal information, the introduction of the Notifiable Data Breaches scheme on 22 February 2018 will change the way in which all organisations governed by the Privacy Act handle personal information and implement data security.
From 22 February 2018, all businesses governed by the Privacy Act will be required to notify individuals where there has been an actual or suspected data breach that is likely to cause serious harm to the individual. The business may also be required to notify the Office of the Australian Information Commissioner (OAIC) of the data breach.
Having to publicly report a data breach is never a good look, and organisations are no doubt aware of the reputational impact this could have on their business. A Data Breach Policy could be the answer to mitigating this reputational risk.
Data Breach Policy
In assisting businesses, especially in the health sphere, to prepare their Data Breach Policies, we have identified that implementing a policy will:
- ensure compliance with the requirements under the Notifiable Data Breaches scheme in the Privacy Act;
- formalise internal processes to ensure that all suspected or actual data breaches are identified and appropriate action is taken to ensure that similar breaches do not occur in the future;
- appropriately identify delegation and reporting channels to ensure that breaches are dealt with in a timely manner; and
- reduce the need to seek legal advice in relation to minor data breaches.
By addressing data breaches in a timely manner, the risk of an individual suffering serious harm from the data breach is reduced, and in turn the likelihood of serious reputational risk to the business from having to notify the public and the OAIC is mitigated.
If you’d like assistance in analysing how the Privacy Act and Australian Privacy Principles apply to your business, or in understanding the impact of the Notifiable Data Breaches scheme on your business, please contact Rebecca Halkett or Gerry Cawson.