Are you protecting your patients’ personal information?

26 November 2018

Privacy and data protection concerns the management of personal information. The definition of personal information is broad and captures most information about an identified or identifiable individual. This includes for example names, photographs, basic contact information, credit card details, health or genetic information and information about a person’s location at a specific point in time.

Key obligations

In Australia, the Privacy Act 1988 (Cth) (Privacy Act) is the key piece of legislation with which organisations must comply. The key features of the Privacy Act include:

  • Australian Privacy Principles (APPs). The APPs set out the 13 principles that govern the way personal information must be handled. They govern how information is to be collected, used, disclosed and stored, and when individuals can request access to, or correction of, their personal information. The APPs require complying entities to have and implement a Privacy Policy and a Collection Notice. A Collection Notice is similar to a short-form Privacy Policy and must be given to individuals each time an organisation collects personal information from them.
  • The Notifiable Data Breaches (NDB) Scheme.

    Since 22 February 2018, certain organisations have been required to notify the Australian Information Commissioner and affected individuals if the organisation experiences a data breach that is likely to result in serious harm to an individual. What amounts to "serious harm" depends on the circumstances, but it can include physical, psychological, reputational or financial harm. Almost all breaches that involve health or medical information will need to be notified. The scheme encourages transparency and holds organisations accountable when there has been a privacy or data breach. By being told that a breach has occurred, individuals are able to take steps to protect themselves from its repercussions.
  • Credit reporting provisions.

    The credit reporting provisions govern the way in which credit-related personal information is to be collected, used, disclosed and stored.

For many entities in the health and aged care industry, state-based health records and privacy legislation imposes additional obligations on the handling of health information and the confidentiality of patient information, over and above the Privacy Act.

Penalties for non-compliance

If an organisation is found to have engaged in serious or repeated interferences with individuals' privacy, it may face monetary penalties of up to $2.1 million (in addition to other, non-monetary legal consequences).

Aside from the legal consequences, the failure to comply with the Privacy Act may cause serious and irreparable reputational damage.

What should your organisation do now?

You may have seen recent media reports about some very high profile data breaches; that those breaches have become public at all is a direct result of the new NDB scheme.

One of the ways you can protect your organisation and reduce the risk of breaching the obligations of the scheme is to put in place a Data Breach Response Plan. A Data Breach Response Plan must be tailored to your organisation and set out exactly what to do if a data breach occurs. It is a very useful tool at what is likely to be a stressful time for your organisation and its employees.

How can Rigby Cooke help?

Rigby Cooke’s specialist Privacy and Data Protection Team can assist your business by:

  • reviewing your organisation’s current personal information handling practices and assisting your organisation to achieve “best practice” compliance
  • reviewing your organisation’s existing Privacy Policy and Collection Notice
  • preparing a new Data Breach Response Plan for your organisation
  • assisting in the event of a data breach or potential data breach

We can provide a questionnaire to scope your requirements and then provide you with fixed fee quotes for any or all of these items.