Privacy Breaches – New Obligations

Here is a quick guide based on the resources published by the OAIC.

Making notifications

You must notify the individuals involved and the OAIC if:

• personal information is:
  
  • lost (e.g. a laptop containing medical records is stolen)
  • accessed by an unauthorised person (e.g. hackers take control of your medical records)
  • disclosed to an unauthorised person (e.g. a fax containing medical information is sent to the wrong person); and 
• this is likely to result in serious harm to someone; and
• you can’t take steps to prevent the risk of serious harm.

Addressing the likelihood of serious harm may mean the breach is no longer “eligible” for reporting to the OAIC.

In order to assess whether serious harm is likely, consider the following:

• Whose personal information? Certain people, such as young persons and vulnerable individuals, may be at more risk. 
• How many individuals were involved? 
• Is the personal information encrypted, anonymised, or otherwise not easily accessible?
• What parties have gained, or may gain access to, the personal information? 

Notifying the OAIC

If such a breach occurs, you must promptly prepare a statement for the Australian Information Commissioner (the Commissioner). The OAIC’s website includes an online form to lodge notification statements and provide additional supporting information.

Your statement must include:

• your organisation’s identity and contact details 
• a description of the data breach
• a description of the personal information involved
• recommendations to individuals about the steps they should take to minimise the impact of the breach.

Notifying individuals

After notifying the Commissioner, depending on what is practicable, you must notify individuals in one of three ways:

• Notify all individuals whose personal information was part of the data breach. 
• Notify only those individuals at risk of serious harm. 
• If neither option 1 or 2 above is practicable, you must publish a notification on your website (if you have one) and take reasonable steps to publicise the contents of the statement. 

When notifying individuals, you can use any method (e.g. a telephone call, SMS, physical mail, social media post, or in-person conversation), as long as the method is reasonable. You must provide the same information as provided in the statement to the Commissioner.

Online notifications

When publishing an online notification:

• ensure the webpage on which it is placed can be located and indexed by search engines
• publish an announcement on your social media channels
• take out a print or online advertisement in a publication or on a website reasonably likely to reach individuals at risk of serious harm.

See also the article Privacy Know-How for an overview of the privacy law and some common issues we have identified from our interaction with MDA National Members.

Medico-legal Advisory Services
MDA National

Reference

1. Office of the Australian Information Commissioner. Notifiable Data Breaches. Available at: https://www.oaic.gov.au/privacy/notifiable-data-breaches/