RACGP and OAIC eHealth webinar on the Notifiable Data Breaches scheme - YouTube
Start End Subtitles
00:00:02 00:00:03 >> Pip: Welcome to today's webinar,
00:00:03 00:00:05 Notifiable Data Breaches Scheme,
00:00:05 00:00:07 information for general practice.
00:00:07 00:00:09 My name's Pip, and I'm the project coordinator
00:00:09 00:00:13 for the RACGP Practice Technology and Management Team,
00:00:13 00:00:16 and I will be your host for today.
00:00:16 00:00:18 I'm joined by Dr. Penny Burns,
00:00:18 00:00:20 who will deliver the presentation for you today,
00:00:20 00:00:24 and Amanda Beard, who is the director of dispute resolution
00:00:24 00:00:27 from the Office of the Australian Information Commissioner,
00:00:27 00:00:30 or the OAIC, who will present the information
00:00:30 00:00:33 to you today in today's webinar.
00:00:33 00:00:35 A little bit more about Dr. Penny Burns.
00:00:35 00:00:38 Penny is a general practitioner based in Sydney.
00:00:38 00:00:40 She's worked for over 20 years
00:00:40 00:00:42 in urban and rural general practice,
00:00:42 00:00:45 and is a member of the RACGP Expert Committee
00:00:45 00:00:47 for Practice Technology and Management.
00:00:47 00:00:50 She's been interested in computer and technology use
00:00:50 00:00:52 in general practice since the early '90s.
00:00:52 00:00:54 Penny is interested in the use of technology
00:00:54 00:00:56 to improve outcomes in learning.
00:00:56 00:00:59 Over the last year, she's been involved in
00:00:59 00:01:01 delivering education sessions as part of
00:01:01 00:01:03 the My Health Record in General Practice
00:01:03 00:01:05 National Education Awareness campaign,
00:01:05 00:01:07 and she is currently part of the CSIRO
00:01:07 00:01:11 Primary Care Data Quality Content Working Group,
00:01:11 00:01:14 which examines the use of data in general practice,
00:01:14 00:01:16 and is also deputy chair of the Disaster Management
00:01:16 00:01:20 Specific Interest Group at the RACGP.
00:01:20 00:01:23 Penny and Amanda, welcome to the webinar.
00:01:24 00:01:25 >> Penny: Thanks, Pip.
00:01:27 00:01:28 >> Pip: Thank you.
00:01:28 00:01:31 Penny, Amanda, myself, and the RACGP
00:01:31 00:01:33 would like to thank everyone today
00:01:33 00:01:34 for taking the time out of your busy schedules
00:01:34 00:01:37 to participate in this webinar.
00:01:37 00:01:39 Before we begin, we'd like to make
00:01:39 00:01:40 an acknowledgement to country.
00:01:43 00:01:45 I would like to begin by acknowledging
00:01:45 00:01:46 the traditional owners of the land
00:01:46 00:01:48 on which we are meeting here today,
00:01:48 00:01:52 and to pay my respects to their elders, past and present.
00:01:52 00:01:54 >> Penny: Today, the aim is to cover
00:01:54 00:01:57 what is in the notifiable data breaches scheme,
00:01:57 00:01:59 and how to apply it to general practice.
00:01:59 00:02:02 A little bit of statistics to make it relevant to
00:02:02 00:02:06 healthcare provisions, what is an eligible data breach,
00:02:06 00:02:08 and what to do if you experience one.
00:02:08 00:02:11 Data breaches in the My Health Record system,
00:02:11 00:02:12 which are slightly different,
00:02:12 00:02:14 and then we'll do some case studies,
00:02:14 00:02:16 and a poll, and some questions.
00:02:19 00:02:21 The learning outcomes for this session are to be
00:02:22 00:02:25 able to describe a notifiable data breach,
00:02:25 00:02:27 to look at identifiers in which one has occurred
00:02:27 00:02:30 so you're prepared to respond.
00:02:30 00:02:31 Summarize what actions are required
00:02:31 00:02:34 if a notifiable data breach occurs,
00:02:34 00:02:36 and the difference between response
00:02:36 00:02:39 for a data breach relating to My Health Record,
00:02:39 00:02:43 or a notifiable data breach under the scheme,
00:02:43 00:02:46 and then discuss how the NDB applies to general practice.
00:02:49 00:02:51 So, what is a data breach?
00:02:51 00:02:54 A data breach occurs when personal information
00:02:54 00:02:58 held by an organization is accessed by
00:02:58 00:03:02 an unauthorized party, it's disclosed to
00:03:02 00:03:05 an unauthorized party, or it's just lost.
00:03:06 00:03:09 So, a data breach occurs when personal information
00:03:09 00:03:14 held by an organization enables an individual
00:03:14 00:03:16 to be (mumbling) identified,
00:03:16 00:03:18 and this can be related to names,
00:03:18 00:03:21 or Medicare numbers, or addresses, or phone contacts.
00:03:21 00:03:23 The information will be personal information.
00:03:24 00:03:29 The information may not by itself however, be obvious,
00:03:29 00:03:32 but in combination with other information that's released,
00:03:32 00:03:34 it may be, the relevant individual
00:03:34 00:03:36 may be identified, or reasonably identifiable.
00:03:39 00:03:42 So, when in doubt, the suggestion is to
00:03:42 00:03:43 err on the side of caution
00:03:43 00:03:47 and treat the information as personal information.
00:03:47 00:03:50 Some of the examples are that we got an email
00:03:50 00:03:52 containing test results have been
00:03:52 00:03:54 sent to the wrong recipient.
00:03:54 00:03:56 A spreadsheet of patient information
00:03:56 00:03:57 made publicly available.
00:03:57 00:03:59 A staff member accessing a patient's information
00:03:59 00:04:03 without authorization, or even if patient files
00:04:03 00:04:05 are locked up in someone's bag
00:04:05 00:04:08 and may have ended up somewhere else in public.
00:04:08 00:04:10 All of those are potential data breaches.
00:04:12 00:04:16 So, what is the notifiable data breach scheme?
00:04:16 00:04:16 It's only new.
00:04:16 00:04:20 It came into effect on the 22nd of February, 2018.
00:04:21 00:04:24 And it applies to all agencies and organizations
00:04:24 00:04:26 with existing personal information,
00:04:26 00:04:28 security obligations under the Privacy Act,
00:04:28 00:04:30 and that includes general practice.
00:04:30 00:04:33 It's a legal requirement to notify individuals
00:04:33 00:04:37 and the OAIC of notifiable data breaches,
00:04:37 00:04:39 and they require state fines if it's not done
00:04:39 00:04:40 in a very timely fashion.
00:04:41 00:04:46 So, the NDB outlines three criteria that must be met
00:04:47 00:04:50 before a data breach is reported to the OAIC,
00:04:50 00:04:52 and they have specific requirements on
00:04:52 00:04:55 when they must be reported to them.
00:04:55 00:04:57 And we're very lucky to have Amanda Beard,
00:04:57 00:04:59 the assistant director of the dispute resolution
00:04:59 00:05:03 from the OAIC to cover these in more detail.
00:05:03 00:05:06 So, does the NDB scheme apply to general practice?
00:05:06 00:05:08 The NDB scheme applies to
00:05:08 00:05:10 all private sector health providers.
00:05:10 00:05:11 If you provide a health service,
00:05:11 00:05:13 and you hold health information,
00:05:13 00:05:15 you're covered by the Privacy Act,
00:05:15 00:05:17 even if that's not your primary activity.
00:05:17 00:05:20 The definition of private health service providers
00:05:20 00:05:24 is quite broad, so some examples would be general practice.
00:05:25 00:05:27 Other traditional health service providers
00:05:27 00:05:30 such as private hospitals, day surgeries,
00:05:30 00:05:33 pharmacists, specialists, allied health professionals.
00:05:33 00:05:35 Also, complementary therapists,
00:05:35 00:05:38 such as naturopaths and chiropractors.
00:05:38 00:05:40 Even gyms and weight loss clinics,
00:05:40 00:05:43 child care centers and private schools.
00:05:45 00:05:47 This definition of a health service provider
00:05:47 00:05:49 under the Federal Privacy Act
00:05:49 00:05:51 does not include public hospitals.
00:05:51 00:05:53 These are regulated by the relevant law
00:05:53 00:05:54 in the state or the territory.
00:05:56 00:06:00 So, why is the NDB scheme important to general practice?
00:06:00 00:06:02 General practices hold a lot of identifying
00:06:02 00:06:03 personal information of patients,
00:06:03 00:06:05 such as names, date of birth, address,
00:06:05 00:06:08 telephone number, et cetera, et cetera.
00:06:08 00:06:10 This information may be vulnerable to
00:06:11 00:06:15 unauthorized access, unintended authorized disclosure.
00:06:17 00:06:19 For example, a staff member accessing
00:06:19 00:06:20 a patient file unintentionally,
00:06:20 00:06:23 or a staff member sending personal patient information
00:06:23 00:06:25 to an incorrect recipient,
00:06:25 00:06:27 or leaving a computer open on a desk for a patient
00:06:27 00:06:30 or unauthorized staff member to read the notes.
00:06:30 00:06:33 We know from the data collected since February 2018
00:06:33 00:06:34 that healthcare providers are
00:06:34 00:06:37 a significant source of data breaches.
00:06:38 00:06:40 And handling of personal information (mumbling).
00:06:40 00:06:43 Confidentiality's actually been something that GPs
00:06:44 00:06:46 have been very aware of, and it's been
00:06:46 00:06:50 a strong part of medical treatment amongst general practice,
00:06:50 00:06:53 and GPs are a highly trusted group of individuals.
00:06:53 00:06:58 But this trust will now also extend to data security,
00:06:58 00:07:01 and it's really important that general practices
00:07:01 00:07:04 are able to understand their responsibility to
00:07:04 00:07:08 protect this personal information for their patients.
00:07:08 00:07:10 The main purpose of the notifiable data breaches scheme
00:07:10 00:07:13 is to ensure that individuals are made aware
00:07:13 00:07:14 when their personal information
00:07:14 00:07:16 is caught up in a data breach,
00:07:16 00:07:19 and serious harm is likely to result.
00:07:19 00:07:21 So, it's essential for practices to
00:07:21 00:07:25 proactively engage with patients' privacy expectations
00:07:25 00:07:27 and the expectations of the regulators.
00:07:31 00:07:33 >> Pip: Thank you very much, Penny.
00:07:33 00:07:37 So, right now we'll have Amanda from the OAIC
00:07:37 00:07:39 joining the webinar to talk about
00:07:39 00:07:42 some of the statistics around notifiable data breaches.
00:07:42 00:07:43 Thanks, Amanda.
00:07:53 00:07:55 Hello, Amanda.
00:07:55 00:07:56 Are you online?
00:07:57 00:07:58 >> Amanda: Oh, I'm sorry.
00:07:58 00:08:01 (mumbling) looks like it was muted.
00:08:01 00:08:03 Thank you for that overview, Penny.
00:08:05 00:08:07 I'll just run through some of the statistics
00:08:07 00:08:11 we've seen in the notifiable data breaches scheme,
00:08:11 00:08:12 and particularly, the last quarter that
00:08:12 00:08:15 we've reported on from October to December 2018.
00:08:16 00:08:18 And our full report is available
00:08:18 00:08:20 on our website for this quarter.
00:08:21 00:08:23 So, as we can see on this slide,
00:08:23 00:08:26 the top five industry sectors to report data breaches
00:08:26 00:08:30 in that quarter are healthcare providers,
00:08:30 00:08:32 finance, legal accounting and management,
00:08:32 00:08:35 education and personal services.
00:08:35 00:08:38 We've seen a notable increase in entities' awareness
00:08:38 00:08:39 of their new responsibilities
00:08:39 00:08:42 under the notifiable data breaches scheme,
00:08:42 00:08:43 and the health sector is leading the way
00:08:43 00:08:45 with regard to the number of notifications.
00:08:46 00:08:48 In that last quarter, we saw about
00:08:48 00:08:51 262 data breach notifications,
00:08:51 00:08:53 which is up on the previous quarter.
00:08:54 00:08:57 The purpose for our quarterly statistical reports
00:08:57 00:09:00 is to build a picture of the trends in personal information
00:09:00 00:09:02 security risk that are likely to result in
00:09:02 00:09:04 serious harm to individuals.
00:09:04 00:09:06 And over time, we hope they can help us point out
00:09:06 00:09:10 and proactively assist (mumbling) managing these risks.
00:09:12 00:09:15 As shown in our chart, health service providers
00:09:15 00:09:18 were responsible for 21% of the notifications,
00:09:18 00:09:20 and this is consistent with international trends
00:09:20 00:09:24 that we've seen in other data protection agencies to-date.
00:09:24 00:09:27 And the OAIC is working with healthcare providers,
00:09:27 00:09:28 providing vast guidance on
00:09:28 00:09:31 data breach prevention strategies.
00:09:32 00:09:33 What I might just note here, as well,
00:09:33 00:09:35 is that the high number of notifications
00:09:35 00:09:37 in the health sector might be influenced by
00:09:37 00:09:40 a range of factors, including the factors,
00:09:40 00:09:42 as Penny outlined, the broad requirement
00:09:42 00:09:44 for all private sector health service providers
00:09:44 00:09:46 to comply with the Privacy Act,
00:09:46 00:09:48 regardless of size or turnover.
00:09:48 00:09:50 And this compares to other businesses
00:09:50 00:09:52 which are mostly exempt from the obligations
00:09:52 00:09:54 under the Privacy Act if their turnover
00:09:54 00:09:57 is less than three million a year.
00:09:57 00:09:59 More generally, we find as well,
00:09:59 00:10:02 the health sector seems to have a greater level of
00:10:02 00:10:04 responsibility and awareness of their privacy obligations,
00:10:04 00:10:07 and this is a good thing,
00:10:07 00:10:09 but it can also lead to over-notification,
00:10:09 00:10:10 which I will come back to later.
00:10:13 00:10:15 So, the source of data breaches for
00:10:15 00:10:19 the October to December quarter across all sectors,
00:10:19 00:10:22 we saw human error and malicious and criminal attacks
00:10:22 00:10:25 accounting for the majority of notifiable data breaches.
00:10:25 00:10:28 For the health sector, we saw 54%
00:10:28 00:10:30 were caused by human error,
00:10:30 00:10:34 and 46% were caused by malicious or criminal attacks.
00:10:35 00:10:37 Looking first at human error in the healthcare sector,
00:10:37 00:10:40 the ratio of 54% is much higher than
00:10:40 00:10:43 the economy-wide average of 33%.
00:10:44 00:10:47 So, breaking down human error data breaches
00:10:47 00:10:51 into more detail, we can see that personal information
00:10:51 00:10:52 sent to the wrong recipient by email
00:10:52 00:10:55 is the most common type of human error data breach
00:10:55 00:10:59 for the health sector, and this also is extended to
00:10:59 00:11:01 sending personal information via email,
00:11:01 00:11:05 mail, fax, or some other form of communication.
00:11:05 00:11:07 That's fairly consistent across
00:11:07 00:11:09 the quarters that we've seen.
00:11:09 00:11:11 There were also a significant number of situations
00:11:11 00:11:13 where people failed to use the BCC function
00:11:13 00:11:16 when sending emails, thereby disclosing
00:11:18 00:11:22 personal information to a wider group of individuals.
00:11:22 00:11:27 And we've also seen lost paperwork with storage devices,
00:11:27 00:11:31 as well as unintended release or publication of information.
00:11:33 00:11:35 Turning to malicious or criminal attacks,
00:11:36 00:11:39 46% of reported breaches were attributed to
00:11:39 00:11:41 this particular source.
00:11:41 00:11:43 So, this can include cyber incidents,
00:11:44 00:11:48 such as compromised credentials through phishing
00:11:48 00:11:51 or spear phishing attacks, ransomware, malware,
00:11:51 00:11:56 or brute force attacks, where it's an automated system of
00:11:57 00:12:00 guessing a username and password combination.
00:12:00 00:12:02 But this particular source also includes
00:12:02 00:12:05 the theft of paperwork or data storage devices,
00:12:06 00:12:08 rogue employee or insider threat,
00:12:08 00:12:11 where an individual employee deliberately
00:12:12 00:12:15 accesses or discloses personal information,
00:12:15 00:12:17 but also social engineering and impersonation.
00:12:19 00:12:22 So, where an individual impersonates another
00:12:22 00:12:24 to gain access to their personal information.
00:12:27 00:12:30 Some of the key lessons for health providers
00:12:30 00:12:34 arising out of the NDB scheme are firstly,
00:12:34 00:12:37 to reduce risk by addressing human error.
00:12:37 00:12:39 So, the findings of our quarterly reports
00:12:39 00:12:41 support the need for organizations to promote
00:12:41 00:12:45 staff awareness about secure information handling,
00:12:45 00:12:47 and, where relevant, technological solutions that
00:12:47 00:12:48 will alert the staff.
00:12:49 00:12:51 So, our offices worked with
00:12:51 00:12:54 the Australian Cybersecurity Center
00:12:54 00:12:56 on preparing some useful tips and resources
00:12:56 00:12:58 for improving data security in this regard,
00:12:58 00:13:00 and those are available on our website.
00:13:02 00:13:04 Another important lesson is to implement
00:13:04 00:13:06 an effective data breach strategy.
00:13:07 00:13:10 The faster a data breach can be identified and contained,
00:13:10 00:13:13 the lower the cost to customers or patients,
00:13:13 00:13:14 and the organization itself.
00:13:16 00:13:19 Thirdly, I would highlight that
00:13:19 00:13:21 recent notifications to our office
00:13:21 00:13:23 have demonstrated the importance of considering
00:13:23 00:13:25 how you will work with third parties
00:13:25 00:13:27 if the data breach involves personal information
00:13:27 00:13:28 that you hold jointly.
00:13:29 00:13:32 Either in a joint venture or with a contractor.
00:13:33 00:13:35 For the health sector, this can include for example,
00:13:35 00:13:38 an entity that provides online services
00:13:38 00:13:40 that integrate with your practice management software,
00:13:40 00:13:43 or another contractor that you share
00:13:43 00:13:44 personal information with.
00:13:45 00:13:50 So, the important thing in this instance is to be
00:13:50 00:13:52 aware of where the personal information you jointly hold is,
00:13:52 00:13:56 and what are the arrangements that you have in place
00:13:56 00:13:57 if a data breach occurs.
00:13:59 00:14:01 And the fourth lesson from the first six months of
00:14:01 00:14:05 the NDB scheme is the attitude to notification.
00:14:05 00:14:08 And this is of particular importance to the health sector.
00:14:09 00:14:12 So, generally, better safe than sorry
00:14:12 00:14:13 might seem like the best approach to
00:14:13 00:14:17 data breach notification, but over-notifying
00:14:17 00:14:20 is something that we've seen fairly often
00:14:20 00:14:21 in the health sector, and it can lead to
00:14:21 00:14:24 data breach fatigue for individuals,
00:14:24 00:14:25 which can make them complacent about
00:14:25 00:14:27 the risks of a serious data breach.
00:14:29 00:14:32 Given the time-sensitive nature of data breaches,
00:14:32 00:14:33 (mumbling) understands the question of
00:14:33 00:14:36 whether to report or not can cause a dilemma,
00:14:36 00:14:40 particularly if the data breach is not that clear.
00:14:40 00:14:42 But we do want to stress that not all data breaches
00:14:42 00:14:46 have to be reported to our office.
00:14:46 00:14:47 Those that need to be reported
00:14:47 00:14:50 are those that reach the threshold test,
00:14:50 00:14:53 and are considered eligible data breaches under the scheme,
00:14:53 00:14:55 and we'll spend some time exploring that now.
00:14:57 00:15:00 So, what constitutes an eligible data breach?
00:15:00 00:15:02 To determine whether a data breach
00:15:02 00:15:06 needs to be reported, three criteria must be satisfied.
00:15:06 00:15:08 So, the first requirement is that
00:15:08 00:15:12 there must be a data breach as defined in the Privacy Act.
00:15:12 00:15:16 So, that is it must be personal information.
00:15:16 00:15:18 That's information about an individual
00:15:18 00:15:22 or where that individual is reasonably identifiable,
00:15:22 00:15:26 or is specifically identified, and that information
00:15:26 00:15:29 must have been subject to a data breach.
00:15:30 00:15:32 So, turning to the next slide,
00:15:32 00:15:34 a data breach under the NDB scheme involves either
00:15:34 00:15:38 unauthorized access to the personal information.
00:15:38 00:15:40 So, this can include situations
00:15:40 00:15:43 where security or practice systems
00:15:43 00:15:47 are compromised by a third party.
00:15:47 00:15:51 For example, by a hacker through malware or ransomware,
00:15:51 00:15:54 or through stolen credentials
00:15:54 00:15:56 used to access a password system.
00:15:57 00:15:59 And as Penny outlined before,
00:15:59 00:16:00 it can also include when a staff member
00:16:00 00:16:03 has read a patient's file without authorization.
00:16:05 00:16:06 >> Pip: Thanks, Amanda.
00:16:06 00:16:09 What we're gonna do now is launch another poll,
00:16:09 00:16:12 and we're gonna ask those listening if they've experienced
00:16:12 00:16:15 any of these examples as we go through.
00:16:16 00:16:17 So, I'll launch this poll now,
00:16:17 00:16:21 and our question is has anyone had an experience
00:16:21 00:16:24 of unauthorized access in their practice?
00:16:24 00:16:26 So, we were talking about that criteria that
00:16:26 00:16:28 Amanda's just described around
00:16:28 00:16:31 unauthorized access in their practice.
00:16:33 00:16:35 We'll just leave it open for a few more seconds.
00:16:35 00:16:38 I can still see results coming in.
00:16:40 00:16:43 And I'll close that poll and share it with you.
00:16:44 00:16:49 And we can see that 11% have responded with yes, and 89% no.
00:16:52 00:16:54 >> Amanda: I think with this one,
00:16:54 00:16:57 unauthorized access can sometimes be
00:16:57 00:17:00 quite difficult to determine, and sometimes it does require
00:17:02 00:17:06 quite technical expertise to identify.
00:17:06 00:17:07 And so, with unauthorized access we see
00:17:07 00:17:09 it usually is a result of a malicious
00:17:09 00:17:12 or criminal attack or a cyber incident.
00:17:14 00:17:17 The second kind of data breach is one
00:17:17 00:17:19 that involves unauthorized disclosure.
00:17:20 00:17:24 So, an unauthorized disclosure is where information is
00:17:24 00:17:27 released from the control of the entity itself,
00:17:29 00:17:32 which distinguishes it from unauthorized access.
00:17:32 00:17:36 So, this can include when a staff member
00:17:36 00:17:37 sends personal patient information
00:17:37 00:17:40 in an email to the wrong recipient.
00:17:40 00:17:42 It can include if a spreadsheet of patient
00:17:42 00:17:45 personal information is accidentally
00:17:45 00:17:47 made public on the internet.
00:17:49 00:17:52 >> Pip: Okay, so we will launch another poll,
00:17:52 00:17:54 and so we're going to ask here,
00:17:54 00:17:59 has anyone had an experience of unauthorized disclosure
00:18:00 00:18:02 of personal information in their practice?
00:18:06 00:18:09 So, this is an example of unauthorized disclosure
00:18:09 00:18:10 of personal information.
00:18:16 00:18:19 Most people have now responded,
00:18:19 00:18:21 so I'll close that poll and share that.
00:18:23 00:18:24 Numbers are a little bit higher here,
00:18:24 00:18:29 so 25% have responded with yes, and 75% with no.
00:18:31 00:18:34 >> Amanda: Thanks, Pip, and let's say with this one,
00:18:34 00:18:36 we would generally find unauthorized disclosure
00:18:36 00:18:38 as the result of some kind of human error.
00:18:39 00:18:41 So, it would more likely affect
00:18:41 00:18:42 a smaller number of individuals
00:18:42 00:18:46 for the way information is sent to the wrong recipient,
00:18:46 00:18:49 and is either because of just a general human error
00:18:49 00:18:52 or because of particular policies
00:18:52 00:18:53 or procedures weren't followed.
00:18:55 00:18:58 The third kind of data breach is
00:18:58 00:19:01 the loss of personal information.
00:19:01 00:19:04 And the requirement here is that
00:19:04 00:19:06 the information must be lost in circumstances
00:19:06 00:19:11 where unauthorized access or disclosure is likely to occur.
00:19:11 00:19:14 So, if personal information is lost in a way
00:19:14 00:19:16 where there is no likelihood of it
00:19:16 00:19:20 ever being accessed by another individual,
00:19:20 00:19:22 it doesn't fall within the definition of
00:19:22 00:19:24 a data breach under this scheme.
00:19:24 00:19:26 So, that might be where information is
00:19:26 00:19:30 accidentally destroyed, but it can also include,
00:19:30 00:19:35 more generally, if a practice manager or a GP
00:19:36 00:19:40 leaves a laptop on the bus containing patient
00:19:40 00:19:43 personal information or patient files,
00:19:43 00:19:44 or if they lose their USB memory stick
00:19:44 00:19:46 containing personal information.
00:19:49 00:19:50 >> Pip: Thank you, Amanda.
00:19:50 00:19:52 We're gonna launch our last poll for this section
00:19:52 00:19:56 where we're asking people has anyone had an experience
00:19:56 00:19:59 of a loss of personal information in their practice?
00:20:06 00:20:09 Just a few more seconds until the last votes
00:20:09 00:20:10 of our poll come in.
00:20:14 00:20:19 And the results are just only 17% yes, and 83% no.
00:20:22 00:20:23 >> Amanda: Okay, great.
00:20:23 00:20:25 What I might turn to now then
00:20:25 00:20:28 is the second criteria that we have to look at
00:20:28 00:20:32 when determining whether a data breach is notifiable,
00:20:32 00:20:34 and that's where the data breach is likely to
00:20:34 00:20:37 result in serious harm to one or more individuals
00:20:37 00:20:40 whose personal information is involved in the data breach.
00:20:42 00:20:47 Now, the wording of the likely to result in serious harm
00:20:47 00:20:49 means that the risk of serious harm to an individual
00:20:49 00:20:51 has to be more probable than not,
00:20:51 00:20:55 rather than just possible, as a result of a data breach.
00:20:55 00:20:57 Serious harm is not defined in the Privacy Act,
00:20:57 00:21:01 but our guidance includes considering whether
00:21:01 00:21:04 it's likely to result in serious psychological,
00:21:04 00:21:07 emotional, physical, financial, reputational,
00:21:07 00:21:09 or other kinds of harm.
00:21:13 00:21:15 When considering from the perspective of
00:21:15 00:21:17 a reasonable person if the data breach
00:21:17 00:21:21 is likely to result in serious harm, what we recommend,
00:21:21 00:21:23 we think about is the kinds of information that
00:21:23 00:21:25 are involved in the data breach,
00:21:27 00:21:30 including how sensitive the personal information is.
00:21:30 00:21:32 Noting that health information is considered sensitive
00:21:32 00:21:36 under the Privacy Act, and may be likely to
00:21:36 00:21:39 result in different kinds of harm.
00:21:40 00:21:42 You should also consider whether it's protected,
00:21:42 00:21:44 whether the personal information is protected by
00:21:44 00:21:46 one or more security measures,
00:21:46 00:21:48 what kind of harm could result,
00:21:48 00:21:50 and other relevant matters which are set out
00:21:50 00:21:53 in section 26WG of the Privacy Act.
00:21:56 00:21:57 And then moving on from there,
00:21:57 00:21:59 the third consideration is
00:22:00 00:22:02 whether the likely risk of serious harm
00:22:02 00:22:04 can be prevented with remedial action.
00:22:06 00:22:10 So, for instance, the scheme provides this opportunity for
00:22:10 00:22:14 entities to take some kind of action to
00:22:14 00:22:17 prevent or reduce that risk of harm.
00:22:17 00:22:21 For instance, if you'd sent a document containing
00:22:21 00:22:24 sensitive personal information to the wrong recipient,
00:22:24 00:22:26 but that's a trusted recipient and they've confirmed that
00:22:26 00:22:29 they have deleted or destroyed the document,
00:22:30 00:22:32 and your assessment concludes that,
00:22:32 00:22:35 you can rely on that advice, and there's no longer
00:22:35 00:22:37 a likely risk of serious harm,
00:22:37 00:22:39 then notification would not be required.
00:22:40 00:22:42 I will just note here that remedial action
00:22:42 00:22:45 can actually include contacting the individuals
00:22:45 00:22:46 who were affected by the data breach.
00:22:46 00:22:50 It doesn't prevent you from informally advising them of
00:22:50 00:22:51 the circumstances of the data breach
00:22:51 00:22:56 as trying to remedy the likely risk of that harm.
00:22:58 00:23:01 So, the purpose for taking that remedial action is to
00:23:01 00:23:05 assist the individual and try and contain and mitigate
00:23:05 00:23:08 the risk of harm as a result of the data breach.
00:23:11 00:23:15 So, what do I do if an eligible data breach has occurred?
00:23:15 00:23:19 So, when unauthorized access, or unauthorized disclosure,
00:23:19 00:23:22 or loss of personal information occurs,
00:23:22 00:23:24 the first priority is to take immediate steps to
00:23:24 00:23:26 contain the data breach.
00:23:26 00:23:28 That is, take steps to prohibit further data
00:23:28 00:23:30 from being accessed or disclosed.
00:23:31 00:23:33 The next step is to assess the data breach,
00:23:33 00:23:36 to gather the facts and evaluate the risks,
00:23:36 00:23:38 including the potential harm to affected individuals,
00:23:38 00:23:40 and where possible, taking action to
00:23:40 00:23:42 remediate any risk of harm.
00:23:43 00:23:46 If serious harm is obvious on its face,
00:23:46 00:23:48 so if the circumstance of the data breach
00:23:48 00:23:50 mean that it's immediately obvious that
00:23:52 00:23:53 it's likely to result in serious harm to
00:23:53 00:23:56 affected individuals, then the third step,
00:23:56 00:23:58 which is notification must follow.
00:23:59 00:24:01 But sometimes serious harm might be suspected,
00:24:01 00:24:04 but not certain, and particularly in instances
00:24:04 00:24:06 where there's a cyber intrusion into your networks.
00:24:07 00:24:09 In these instances, an organization needs to
00:24:09 00:24:12 undertake an assessment to confirm whether or not
00:24:12 00:24:15 an eligible data breach has occurred,
00:24:15 00:24:17 which is one that meets that threshold test.
00:24:19 00:24:21 In that case, the business has to undertake
00:24:21 00:24:25 an assessment as expeditiously as possible,
00:24:25 00:24:28 and as (mumbling) provides that we're talking days to
00:24:28 00:24:31 do that assessment, rather than weeks.
00:24:33 00:24:35 If your practice experiences a data breach,
00:24:35 00:24:37 and after conducting an assessment you're satisfied that
00:24:37 00:24:39 all three criteria have been met,
00:24:39 00:24:43 then you must notify the OAIC and any individuals
00:24:43 00:24:46 that are at likely risk of harm, as soon as practical.
00:24:46 00:24:48 So, that means contacting your patients or customers.
00:24:50 00:24:52 The NDB scheme has a bit of flexibility about
00:24:52 00:24:55 how to notify individuals.
00:24:56 00:24:58 Firstly, you can notify all individuals
00:24:58 00:25:00 whose personal information was involved in
00:25:00 00:25:01 the eligible data breach.
00:25:02 00:25:05 Secondly, if you're able to, you can notify
00:25:05 00:25:07 only the individuals who you've identified
00:25:07 00:25:10 at likely risk of serious harm if they're (mumbling).
00:25:10 00:25:12 This tends to occur where there's different categories of
00:25:12 00:25:16 personal information involved, and you're able to assess
00:25:16 00:25:17 that one category of individuals is
00:25:17 00:25:19 at more risk than the others.
00:25:20 00:25:23 If those two options are not practicable,
00:25:23 00:25:26 then the scheme requires you to publish the notification
00:25:26 00:25:29 on your website, and also take reasonable steps to
00:25:29 00:25:32 tell the clients that with the aim of bringing it
00:25:32 00:25:33 to the attention of all individuals
00:25:33 00:25:35 at likely risk of serious harm.
00:25:35 00:25:37 So, that goes to the purpose of this scheme,
00:25:37 00:25:39 which is to ensure that individuals are aware of
00:25:39 00:25:42 data breaches that involve their personal information
00:25:42 00:25:43 where there is that risk.
00:25:45 00:25:49 So, notification can occur in a number of different ways,
00:25:49 00:25:53 including by letter, email, phone, or online.
00:25:54 00:25:57 It's up to the entity to think about what is appropriate,
00:25:57 00:25:59 and this will depend on their situation,
00:25:59 00:26:01 the severity of the data breach,
00:26:01 00:26:03 but also your normal means of communicating
00:26:03 00:26:05 with patients or individuals.
00:26:05 00:26:07 So, how would they expect to
00:26:08 00:26:09 receive that information from you?
00:26:11 00:26:13 You must also notify the Australian Information Commissioner
00:26:13 00:26:15 in the form of a statement,
00:26:15 00:26:16 and there are some statutory requirements
00:26:16 00:26:19 of the information that must be included in the statement,
00:26:19 00:26:20 which I'll go through shortly.
00:26:21 00:26:23 But I just wanted to quickly touch on
00:26:23 00:26:26 the fourth and most important step,
00:26:26 00:26:28 and that is to review the incident and consider
00:26:28 00:26:31 what actions can be taken to prevent future data breaches.
00:26:32 00:26:34 So, this can involve an investigation into
00:26:34 00:26:36 the cause of the data breach.
00:26:36 00:26:40 It can involve creating a remediation/prevention plan,
00:26:40 00:26:43 can involve an audit of your policies and processes,
00:26:44 00:26:48 and can in instances obviously, will involve staff training.
00:26:50 00:26:53 So, going through the required information,
00:26:53 00:26:55 the NDB scheme requires that your statement to
00:26:55 00:26:58 the commissioner includes the identity and contact details
00:26:58 00:27:02 of your practice, a description of the data breach,
00:27:02 00:27:04 the kind or kinds of information
00:27:04 00:27:06 that is involved in the data breach,
00:27:06 00:27:09 and recommendations about the steps individuals
00:27:09 00:27:12 should take in response to the data breach.
00:27:12 00:27:14 So, we have an online form on our website that
00:27:14 00:27:17 you can complete, and the link should now be sent to you
00:27:17 00:27:18 in your chat message box.
00:27:20 00:27:22 I will also note that we have some guidance
00:27:22 00:27:24 on our website about how to fill in the statement,
00:27:25 00:27:28 and our online form also asks you to provide
00:27:28 00:27:30 information about the incident voluntarily,
00:27:30 00:27:33 which (mumbling) affecting the notification.
00:27:37 00:27:41 So, if your practice deals with the My Health Record system,
00:27:41 00:27:44 you might be wondering how the two schemes work together.
00:27:44 00:27:47 So, do you have to notify breaches under both schemes,
00:27:47 00:27:48 and is the threshold the same?
00:27:50 00:27:53 So, broadly, the notifiable data breach scheme requirement
00:27:53 00:27:55 sits alongside the data breach reporting requirement
00:27:55 00:28:00 for the My Health Record system, but they do not overlap.
00:28:00 00:28:01 So, while there are similarities
00:28:01 00:28:04 between the reporting requirements of both schemes,
00:28:04 00:28:05 there are some important differences.
00:28:06 00:28:09 Firstly, data breaches notified
00:28:09 00:28:12 under the My Health Record Act do not need to be reported
00:28:12 00:28:14 under the NDB scheme, and this is to prevent
00:28:14 00:28:16 duplication of reporting.
00:28:17 00:28:19 Another key difference is that every breach of
00:28:19 00:28:22 My Health Record data needs to be reported,
00:28:22 00:28:24 whereas under the NDB scheme, only data breaches
00:28:24 00:28:27 that are likely to result in serious harm
00:28:27 00:28:29 to affected individuals need to be reported.
00:28:32 00:28:35 Thirdly, breaches must be reported
00:28:36 00:28:39 as soon as practicable under the My Health Record Act,
00:28:39 00:28:41 even when remedial action to address the data breach
00:28:41 00:28:44 could be in progress or has already been taken.
00:28:45 00:28:49 So, if you're not dealing with My Health Record information,
00:28:49 00:28:51 and you're unsure whether a data breach
00:28:51 00:28:54 meets the notification threshold under the NDB scheme,
00:28:54 00:28:57 that's when you'll need to undertake an assessment.
00:29:00 00:29:03 >> Pip: Thank you very much, Amanda.
00:29:03 00:29:04 Oh, right. Continue.
00:29:05 00:29:06 >> Amanda: No (mumbling).
00:29:06 00:29:07 That was it. (laughs)
00:29:07 00:29:09 >> Pip: Okay.
00:29:09 00:29:10 We'll move on to the next slide,
00:29:10 00:29:12 and Penny will join us once again
00:29:12 00:29:14 and introduce a case study,
00:29:14 00:29:16 after which we will launch a poll
00:29:16 00:29:18 and have a bit of a discussion.
00:29:18 00:29:18 Thank you, Penny.
00:29:20 00:29:23 >> Penny: For the case study, we've got two case studies.
00:29:23 00:29:26 This first one is a GP surgery has been aware that
00:29:26 00:29:29 its customer database has been made publicly available
00:29:29 00:29:31 on the internet due to technical error.
00:29:31 00:29:34 It contains records of prescription drugs
00:29:34 00:29:36 that have been prescribed to patients.
00:29:36 00:29:38 Security consultants confirm the database
00:29:38 00:29:39 was only accessed a few times,
00:29:39 00:29:42 but they can't identify who accessed the data,
00:29:42 00:29:44 or if they kept a copy.
00:29:44 00:29:46 So, what we want you to think about here is
00:29:48 00:29:51 does this fit an eligible data breach?
00:29:51 00:29:53 Is it likely to result in serious harm?
00:29:55 00:29:56 And has the practice been able to prevent
00:29:56 00:29:59 likely risk of harm with remedial action?
00:29:59 00:30:01 So, the first question here is,
00:30:01 00:30:02 is this an eligible data breach?
00:30:02 00:30:06 And there's a poll in front for you to comment on.
00:30:09 00:30:10 >> Pip: Thank you, Penny.
00:30:11 00:30:13 The responses are still coming in.
00:30:13 00:30:14 We'll give it a second.
00:30:17 00:30:18 Close that off.
00:30:20 00:30:24 And 83% have responded that they believe
00:30:24 00:30:28 this is an eligible data breach, and 18% are unsure.
00:30:31 00:30:33 >> Amanda: And look, it depends on
00:30:33 00:30:36 the exact circumstances of the data breach.
00:30:37 00:30:39 But the OAIC (mumbling) consider
00:30:39 00:30:41 this is an eligible data breach,
00:30:41 00:30:45 and I'll go into the reasons why we would sort of,
00:30:45 00:30:47 on the available information, lean that way.
00:30:48 00:30:49 So, details of prescription drugs
00:30:49 00:30:51 are sensitive personal information.
00:30:51 00:30:53 Obviously, we all understand they can indicate treatment of
00:30:53 00:30:55 a range of medical conditions,
00:30:55 00:30:57 including mental health issues.
00:30:59 00:31:04 Based on if the GP surgery is unable to confirm
00:31:04 00:31:06 who accessed the database, and whether it would be
00:31:06 00:31:08 likely to be accessed by someone
00:31:09 00:31:11 who could use that information against the individuals,
00:31:11 00:31:14 then we would think that a breach of that kind
00:31:14 00:31:16 would be more likely to result in
00:31:16 00:31:18 serious harm to affected individuals.
00:31:19 00:31:21 What steps the GP surgery then has to take
00:31:21 00:31:24 will depend on the situation.
00:31:24 00:31:27 So, they would need to notify our office,
00:31:27 00:31:28 and all individuals whose personal information
00:31:28 00:31:31 was involved in the data breach.
00:31:31 00:31:33 If they were unable to get in contact with
00:31:33 00:31:34 a number of patients, for instance,
00:31:34 00:31:37 if the records were old, or if patients had not updated
00:31:37 00:31:40 or provided their details in the first place,
00:31:40 00:31:42 it may be necessary in that instance
00:31:42 00:31:44 to issue a more public notice.
00:31:44 00:31:46 For instance, on the website or in the surgery office.
00:31:52 00:31:55 And so, now we have a second case study,
00:31:55 00:31:57 and again, we want you to think about the same thing.
00:31:57 00:31:59 Is this a notifiable data breach?
00:31:59 00:32:01 Does it fit an eligible data breach?
00:32:02 00:32:04 Is it likely to result in serious harm,
00:32:04 00:32:06 and has the practice been able to prevent
00:32:06 00:32:09 the likely risk of harm with remedial action?
00:32:09 00:32:11 So, a staff member left their iPad on a train.
00:32:11 00:32:13 The staff member's work email account
00:32:13 00:32:15 can be accessed on the device.
00:32:15 00:32:16 The staff member reports the loss
00:32:16 00:32:18 and arranges for IT to remotely delete
00:32:18 00:32:19 all the content from the device,
00:32:19 00:32:23 and IT confirm that the device has not been accessed.
00:32:23 00:32:26 Is this a notifiable data breach?
00:32:26 00:32:28 And the quick poll's come up on your screen
00:32:28 00:32:29 for you to respond.
00:32:37 00:32:40 >> Pip: Thank you everyone for participating in the poll.
00:32:41 00:32:43 I'll close off this final poll.
00:32:47 00:32:49 And the results are in.
00:32:49 00:32:52 11% say that this is an eligible data breach.
00:32:52 00:32:56 80 believe that it is not, and 9% are unsure.
00:33:00 00:33:01 >> Amanda: I think the majority of people here
00:33:01 00:33:04 don't think this is an eligible data breach,
00:33:04 00:33:06 and I would say notification is probably
00:33:06 00:33:09 not required in this situation.
00:33:09 00:33:12 So, that's having regard to the security protections
00:33:12 00:33:15 on the iPad, and the ability to take
00:33:15 00:33:18 remedial action in this instance.
00:33:18 00:33:21 So, if your IT department is confident that
00:33:21 00:33:23 the content could not have been accessed
00:33:23 00:33:25 in the short period between when the iPad was lost
00:33:25 00:33:29 and when it was erased, then notification is not necessary.
00:33:29 00:33:31 And that goes to what I was saying before
00:33:31 00:33:34 that if the information is lost,
00:33:35 00:33:37 but you're able to take that action to prevent it
00:33:37 00:33:40 from being subject to unauthorized access or disclosure,
00:33:40 00:33:42 then that means it's not notifiable.
00:33:42 00:33:44 And this is an example of how that action
00:33:44 00:33:47 can prevent serious harm following a data breach.
00:33:47 00:33:49 What we would say with this one is,
00:33:49 00:33:51 not only do you need to make sure you need to have
00:33:51 00:33:54 good technical security infrastructure in place,
00:33:54 00:33:57 you also need to make sure your staff
00:33:57 00:33:59 know what to do if something goes wrong,
00:33:59 00:34:02 and this comes back to staff awareness and education.
00:34:04 00:34:07 >> Pip: Thank you very much, Amanda.
00:34:07 00:34:08 >> Amanda: Oh. Sorry.
00:34:08 00:34:10 (people speaking over each other)
00:34:10 00:34:12 >> Pip: I was gonna hand over to you, anyway.
00:34:12 00:34:14 >> Penny: One of the questions that comes up for me
00:34:14 00:34:17 (mumbling) of us were unsure,
00:34:17 00:34:19 if we were unsure in this case,
00:34:19 00:34:21 I presume that we would be able to ring
00:34:21 00:34:22 the office at the OAIC and discuss that with them.
00:34:26 00:34:27 >> Amanda: Absolutely.
00:34:27 00:34:29 We have an inquiries line that
00:34:31 00:34:35 any entity can call for general advice about
00:34:35 00:34:38 the threshold of the NDB scheme,
00:34:38 00:34:41 and also to discuss our guidance on
00:34:41 00:34:43 making that kind of assessment.
00:34:43 00:34:45 Absolutely, if the healthcare provider is not sure,
00:34:45 00:34:46 they can contact us.
00:34:48 00:34:50 >> Penny: Thanks, Amanda.
00:34:50 00:34:52 So, the College has also got some
00:34:52 00:34:54 really excellent resources on this.
00:34:54 00:34:58 These two, the fact sheet and the flow chart
00:34:58 00:35:00 both probably contain a really good summary of
00:35:00 00:35:02 what's being discussed today, and have a lot of
00:35:02 00:35:04 information there to guide making decisions.
00:35:04 00:35:08 The fact sheet talks about how to define
00:35:08 00:35:12 an eligible data breach, and the flow chart
00:35:12 00:35:14 takes you through that, including the My Health Record.
00:35:14 00:35:17 So, they're both easily available on the College site.
00:35:18 00:35:21 There's also the background information
00:35:21 00:35:26 for keeping your information and resources private.
00:35:26 00:35:28 (mumbling) for a while, and most of you
00:35:28 00:35:29 are probably aware of.
00:35:29 00:35:32 So, the information security in general practice,
00:35:32 00:35:33 which talks about prevention, protection,
00:35:33 00:35:36 and preservation of data in general practice,
00:35:36 00:35:40 and is really worth having a look at,
00:35:40 00:35:42 and it comes with a number of templates.
00:35:42 00:35:44 And in privacy and managing health information
00:35:44 00:35:46 in general practice is also available.
00:35:47 00:35:52 The OAIC has also developed good information and resources.
00:35:53 00:35:56 So, you can see on the screen another flow chart,
00:35:56 00:35:58 and this is again, about what to do
00:35:58 00:36:00 in the case of a data breach.
00:36:00 00:36:04 So, it takes you through a suspected or known data breach,
00:36:04 00:36:07 how to contain it, how to assess it,
00:36:07 00:36:10 then to work out whether the serious harm is still likely,
00:36:10 00:36:13 and then if you need to notify, what you should do,
00:36:13 00:36:15 and takes you back to a review afterwards
00:36:15 00:36:18 to review your processes.
00:36:18 00:36:20 And there's the number for the OAIC on the front.
00:36:24 00:36:26 >> Pip: Thank you very much, Penny.
00:36:26 00:36:27 So, as promised at the start,
00:36:27 00:36:31 we have allocated some time for question and answers.
00:36:31 00:36:35 So, if you have a question for Penny or for Amanda,
00:36:35 00:36:37 if you could please type it into the question bar
00:36:37 00:36:39 on the control panel and press enter,
00:36:39 00:36:41 and we'll try to get to everyone's questions.
00:36:41 00:36:46 If not, we can be contacted at ehealth@racgp.org.au.
00:36:49 00:36:52 So, we have had some questions come through already.
00:36:54 00:36:57 What kind of penalties or enforcement action
00:36:57 00:37:00 can be taken in response to data breaches?
00:37:03 00:37:06 >> Amanda: (mumbling) I'll field this one.
00:37:06 00:37:09 So, in addition to receiving notifications
00:37:09 00:37:13 of eligible data breach, the OAIC plays an important role
00:37:13 00:37:15 in compliance of this scheme.
00:37:16 00:37:19 And the commissioner has a number of enforcement powers
00:37:19 00:37:22 that can be exercised in instances of non-compliance.
00:37:24 00:37:28 So, in terms of notifiable data breaches,
00:37:28 00:37:29 if we become aware of a data breach that
00:37:29 00:37:32 hasn't been notified by an entity,
00:37:32 00:37:34 and we have reasonable grounds to believe
00:37:34 00:37:37 it meets that threshold of serious harm,
00:37:37 00:37:39 we can direct an entity to notify.
00:37:41 00:37:46 If the entity doesn't comply with that direction,
00:37:46 00:37:49 then we have a number of different powers
00:37:49 00:37:53 which go from enforceable undertakings,
00:37:53 00:37:56 can include a determination by the commissioner.
00:37:56 00:37:58 In terms of fines, what the commissioner
00:37:58 00:38:01 has the ability to do is to seek civil penalties
00:38:01 00:38:02 in the federal court for up to
00:38:02 00:38:06 $2.1 million per breach for organizations,
00:38:06 00:38:10 and that's for serious or repeated privacy incidents.
00:38:11 00:38:14 And we also, the commissioner has the ability to seek
00:38:14 00:38:16 injunctive relief in the federal court
00:38:16 00:38:18 for an ongoing act or practice.
00:38:20 00:38:25 So, some of the, I guess, conditions of the NDB scheme
00:38:25 00:38:28 that could prompt regulatory action includes
00:38:28 00:38:32 a failure to conduct a reasonable and expeditious assessment
00:38:32 00:38:33 of a suspected data breach.
00:38:33 00:38:35 So, if you have reason to suspect that
00:38:35 00:38:38 unauthorized access or disclosure has occurred,
00:38:38 00:38:41 but you don't assess it, that's what's called
00:38:41 00:38:44 an interference with privacy under the Privacy Act.
00:38:44 00:38:47 A failure to notify individuals or the OAIC
00:38:47 00:38:52 as soon as practical is also a condition of the NDB scheme,
00:38:52 00:38:54 and as I said before, if you fail to comply with
00:38:54 00:38:56 the direction to notify from the office,
00:38:56 00:38:59 that can lead to further regulatory action.
00:38:59 00:38:59 But generally at this stage,
00:38:59 00:39:04 we're working with organizations and agencies
00:39:06 00:39:09 about the requirements of the NDB scheme,
00:39:09 00:39:13 but we will have that focus on ensuring compliance
00:39:13 00:39:15 through regulatory action if we need to.
00:39:18 00:39:19 >> Pip: Thank you, Amanda.
00:39:19 00:39:21 Penny, this might be a question for you.
00:39:21 00:39:22 Someone has asked whether we should
00:39:22 00:39:25 also notify our MDO, as well.
00:39:27 00:39:30 >> Penny: I think that's a very advisable thing to do,
00:39:30 00:39:35 and the MDO I know have got some documents available
00:39:35 00:39:36 on this topic, as well.
00:39:37 00:39:40 But I think particularly in terms of just
00:39:40 00:39:41 letting them know this is happening,
00:39:41 00:39:42 and getting extra advice,
00:39:42 00:39:44 I think that's a very valuable thing.
00:39:44 00:39:46 And also, one of the areas in which
00:39:46 00:39:48 I think that'll be particularly useful is in
00:39:48 00:39:53 how to notify those individuals that are being affected.
00:39:53 00:39:57 And most of us have had to manage issues with patients
00:39:57 00:40:00 around difficult processes in the past,
00:40:00 00:40:02 but this is going to be a new one for all of us,
00:40:02 00:40:04 and we're all gonna be learning from it.
00:40:04 00:40:07 But using those usual means of communication that
00:40:07 00:40:09 we would've previously, like (mumbling)
00:40:09 00:40:12 there's an email or online, depending on
00:40:12 00:40:14 what we usually used would be useful.
00:40:14 00:40:16 But I think the MDOs in particular
00:40:16 00:40:18 would be a good group to be contacting
00:40:18 00:40:19 in regard to this, as well.
00:40:19 00:40:24 But it can't get in the way of getting the notification
00:40:24 00:40:25 through to the OAIC.
00:40:25 00:40:27 We've only got a few days to do that (laughs),
00:40:27 00:40:28 so have to move quickly.
00:40:30 00:40:31 >> Pip: Thanks, Penny.
00:40:31 00:40:33 We've had a question where the patients
00:40:33 00:40:35 can report data breaches directly.
00:40:38 00:40:39 >> Amanda: This is Amanda.
00:40:40 00:40:44 In terms of the functions of our office,
00:40:44 00:40:48 we do receive referrals from members of the public
00:40:48 00:40:50 about a data breach they become aware of.
00:40:51 00:40:53 So, either they can report it to us
00:40:53 00:40:55 if they become aware of a data breach,
00:40:55 00:40:57 or they can make a complaint about a data breach
00:40:57 00:41:00 that involves their personal information.
00:41:00 00:41:01 To where they make a complaint,
00:41:01 00:41:04 we will treat that as a complaint under the Privacy Act,
00:41:04 00:41:07 and we have a statutory obligation to conciliate that.
00:41:07 00:41:09 So, we'll generally contact the respondent,
00:41:09 00:41:12 and try and conciliate that complaint.
00:41:12 00:41:14 In the case of what we call a referral,
00:41:15 00:41:17 we'll generally contact the respondent
00:41:17 00:41:19 to see if they're aware of the data breach,
00:41:19 00:41:21 and provide information about the requirements
00:41:21 00:41:23 of the notifiable data breaches scheme.
00:41:24 00:41:28 Like I said before, that may be one of the ways
00:41:28 00:41:29 we become aware of a data breach that
00:41:29 00:41:32 hasn't been notified to us.
00:41:32 00:41:34 So, that might be a prompt for regulatory action
00:41:34 00:41:38 if that involves, I guess, an awareness on the behalf
00:41:38 00:41:41 of the entity, but they haven't done that assessment.
00:41:43 00:41:45 >> Pip: Thank you, Amanda.
00:41:45 00:41:48 We have a question, and Amanda, this one
00:41:48 00:41:49 would likely be for you.
00:41:49 00:41:52 Prior to the notifiable data breaches coming in last year
00:41:52 00:41:55 in February, what are the steps required
00:41:55 00:41:58 if a malicious breach occurred prior to
00:41:58 00:42:00 the institution of the scheme?
00:42:02 00:42:03 >> Amanda: Okay.
00:42:03 00:42:07 So, pre-22nd of February, 2018,
00:42:07 00:42:11 we ran a voluntary data breach notification scheme
00:42:11 00:42:14 where regulated entities could
00:42:14 00:42:15 let us know about data breaches,
00:42:15 00:42:17 and we provided advisable guidance.
00:42:17 00:42:21 So, to be specific, the NDB scheme only applies to
00:42:21 00:42:23 instances of unauthorized disclosure
00:42:23 00:42:26 or unauthorized access that occurred
00:42:26 00:42:29 on or after the 22nd of February.
00:42:29 00:42:31 So, for disclosures, that's quite clear.
00:42:31 00:42:35 However, if the instance of unauthorized access
00:42:35 00:42:39 or disclosure occurred over that date, so it was ongoing,
00:42:39 00:42:42 then it would be covered by the NDB scheme.
00:42:42 00:42:45 So, if you become aware of something that occurred
00:42:45 00:42:50 prior to the scheme, you can notify our office,
00:42:52 00:42:56 or we would generally suggest that the focus should be
00:42:56 00:42:58 looking at do you need to notify individuals
00:42:58 00:42:59 as a matter of best practice,
00:42:59 00:43:01 where it's not a requirement of the scheme,
00:43:01 00:43:06 but is there an advantage in letting individuals know?
00:43:06 00:43:08 Are they at risk of serious harm that
00:43:08 00:43:10 they could mitigate or prevent
00:43:10 00:43:12 through taking their own steps
00:43:12 00:43:13 in response to that data breach?
00:43:14 00:43:16 But yeah, generally, the NDB scheme
00:43:16 00:43:19 only applies to that unauthorized access or disclosure
00:43:19 00:43:22 that occurred on or after the 22nd of February.
00:43:22 00:43:24 So, prior to that, it was a voluntary scheme.
00:43:26 00:43:28 >> Pip: Thank you very much.
00:43:28 00:43:30 Penny, a question for you.
00:43:30 00:43:34 How do we decide who is authorized to have access to files?
00:43:34 00:43:36 Should all receptionists have access,
00:43:36 00:43:39 or just the practice manager, or just clinical staff?
00:43:42 00:43:43 >> Penny: Well, in terms of files,
00:43:43 00:43:46 I guess it depends on what we're actually doing.
00:43:47 00:43:51 When we set up the software, we actually set it up
00:43:51 00:43:53 so that people log in under their own name
00:43:53 00:43:56 and their own file, so there's an ability to track
00:43:56 00:43:57 what people are doing and what they have.
00:43:57 00:44:00 So, at the moment, the receptionists
00:44:00 00:44:04 and the practice staff usually have access to the files,
00:44:04 00:44:08 but they're not able to access them in the same way.
00:44:08 00:44:13 So, I think in terms of building your security level,
00:44:13 00:44:16 and working out who has access to what,
00:44:16 00:44:19 you need to actually work fairly closely with your IT group
00:44:19 00:44:23 and set up a fairly good practice security governance,
00:44:23 00:44:25 and then work out who should have what.
00:44:25 00:44:27 Because in some practices, you have other allied health
00:44:27 00:44:30 also accessing patient files.
00:44:30 00:44:32 I know where I work, we have physios that actually
00:44:32 00:44:36 have some access to our general practice software.
00:44:36 00:44:39 So, I think again, it's all about working out
00:44:39 00:44:43 a good structure to start with around security governance.
00:44:43 00:44:46 Get your IT (mumbling) and look at
00:44:46 00:44:49 preventing and protecting data from the beginning.
00:44:52 00:44:53 >> Pip: Thank you, Penny.
00:44:53 00:44:55 We now have a question from someone
00:44:55 00:44:57 who I imagine would've answered yes to
00:44:57 00:44:59 some of the earlier questions.
00:44:59 00:45:03 What if we have received a patient file not intended for us?
00:45:03 00:45:05 We did not cause the data breach,
00:45:05 00:45:09 but are we supposed to notify, or are we just to contain
00:45:09 00:45:12 and then let the original entity notify?
00:45:16 00:45:18 >> Amanda: So, in this case,
00:45:18 00:45:21 it's kind of a multiple issue here.
00:45:23 00:45:26 You don't have an obligation to notify under the NDB scheme
00:45:26 00:45:27 if you weren't the entity that
00:45:27 00:45:30 held the information to begin with.
00:45:30 00:45:32 As a matter of best practice,
00:45:32 00:45:34 I would probably let the entity know that
00:45:34 00:45:36 they disclosed that information to you incorrectly,
00:45:37 00:45:41 and as health service providers,
00:45:41 00:45:43 you have an obligation when you receive information that
00:45:43 00:45:45 you didn't solicit to consider separately
00:45:45 00:45:48 under Australian Privacy Principle 4
00:45:48 00:45:50 whether you could've solicited that information,
00:45:50 00:45:54 and if not, to take steps to delete or destroy it.
00:45:55 00:45:59 So, you can let us know about a particular data breach
00:45:59 00:46:01 if you think it should be reported.
00:46:01 00:46:05 But generally, we would say you've got separate obligations
00:46:05 00:46:07 to assess whether you can keep that information
00:46:07 00:46:09 or delete or destroy it.
00:46:09 00:46:11 And it's probably best to let the original entity know
00:46:11 00:46:15 if they aren't aware of that disclosure,
00:46:15 00:46:18 and it's open to say there are these assessment obligations
00:46:18 00:46:23 under the NDB scheme, as well, if they're not across that.
00:46:24 00:46:26 But generally, we do receive referrals
00:46:26 00:46:29 from lots of different members of the public and entities
00:46:29 00:46:30 about these kinds of issues,
00:46:30 00:46:32 but that's what we would do in that instance
00:46:32 00:46:35 is contact the original entity.
00:46:35 00:46:37 Make sure they're aware of the disclosure,
00:46:37 00:46:39 and that they were taking steps to
00:46:39 00:46:41 prevent it from occurring again.
00:46:43 00:46:44 >> Pip: Thanks, Amanda.
00:46:44 00:46:45 I know we touched on this earlier,
00:46:45 00:46:47 but if we could just clarify
00:46:47 00:46:51 what the timeframe is in which a practice
00:46:51 00:46:53 would be required to notify of a data breach.
00:46:55 00:46:57 >> Amanda: Absolutely, and this is something that
00:46:57 00:46:59 we've found is there can be a bit of confusion about.
00:47:00 00:47:05 So, the timeframes in the NDB scheme are you have to conduct
00:47:05 00:47:10 an assessment of a suspected data breach within,
00:47:10 00:47:12 or take all reasonable steps to conduct that assessment
00:47:12 00:47:14 within 30 calendar days.
00:47:14 00:47:17 So, that's the only hard timeframe that there is.
00:47:17 00:47:19 And that only applies if you suspect that
00:47:19 00:47:22 the data breach is likely to result in serious harm,
00:47:22 00:47:23 but you're not sure.
00:47:24 00:47:27 If on first discovering the data breach
00:47:27 00:47:31 it's quite clear that it meets that threshold
00:47:31 00:47:34 that it's a serious data breach that needs to be notified,
00:47:34 00:47:37 then the requirement is to notify our office and individuals
00:47:37 00:47:38 as soon as practicable.
00:47:40 00:47:43 We generally expect that to be quite prompt,
00:47:43 00:47:46 unless there's reasons, quite good reasons for a delay.
00:47:47 00:47:49 But it doesn't have a particular,
00:47:51 00:47:53 there isn't a date timeframe
00:47:53 00:47:55 the way that there is with the assessment process.
00:47:57 00:48:00 But in general, we expect, if you have all the information
00:48:00 00:48:02 before you to assess that it's a serious data breach
00:48:02 00:48:04 that needs notification, that you will take
00:48:04 00:48:06 all steps to do that as quickly as you can.
00:48:10 00:48:12 >> Pip: Thank you very much.
00:48:12 00:48:14 Maybe Penny, this one might be for you.
00:48:14 00:48:16 Do you have any advice on how to communicate
00:48:16 00:48:19 a particularly bad breach to a patient?
00:48:22 00:48:24 >> Penny: I think again, well that could actually
00:48:24 00:48:27 go back to the suggestion of
00:48:27 00:48:30 contacting the MDO, as well, for advice.
00:48:30 00:48:34 But I think that as GPs, we are used to managing
00:48:34 00:48:37 issues with patients, and I think we know our patients
00:48:37 00:48:39 and we know our sort of context.
00:48:39 00:48:43 And there will be expectations on the part of the patient
00:48:43 00:48:45 as to how they would expect to be notified.
00:48:45 00:48:48 It will depend on the severity I think
00:48:48 00:48:50 of the information that's being released,
00:48:50 00:48:51 and the knowledge of the patient,
00:48:51 00:48:54 and the family, and the likely risk.
00:48:54 00:48:57 But I think that the usual means of communicating
00:48:57 00:49:01 would also be used here, and I think personal contact phone
00:49:02 00:49:04 would usually be something that we would use in our practice
00:49:04 00:49:06 for something serious that happened.
00:49:07 00:49:10 But then also, confirmation with email or letter,
00:49:10 00:49:12 depending on what the expectations of the patient are.
00:49:12 00:49:16 I think it's very, very individual, and sometimes,
00:49:16 00:49:19 it may require more than one means of communicating.
00:49:19 00:49:21 Sometimes it may require getting the patient
00:49:21 00:49:25 in to talk to them about it and help them work through it.
00:49:27 00:49:28 Each case will be different.
00:49:28 00:49:30 >> Pip: Thank you very much.
00:49:31 00:49:32 Amanda, this will be a question for you.
00:49:32 00:49:35 Do you have any examples of data breaches
00:49:35 00:49:37 that have been well handled?
00:49:40 00:49:41 >> Amanda: Yes. Yeah, we do.
00:49:43 00:49:47 I guess I would note here that
00:49:48 00:49:51 the way an organization handles a data breach,
00:49:51 00:49:54 both responds to it, notifies individuals,
00:49:55 00:49:58 can go quite a way in terms of
00:49:58 00:50:01 preserving that organization's reputation,
00:50:01 00:50:04 but also, demonstrates a willingness to be open
00:50:04 00:50:07 and transparent about these kinds of issues.
00:50:08 00:50:10 I think this is a growing issue
00:50:10 00:50:13 where data breaches are occurring more frequently,
00:50:13 00:50:17 and I think as Penny said at the beginning of the webinar,
00:50:17 00:50:20 this is nothing that any entity's exempt from.
00:50:20 00:50:23 In terms of case studies that we can talk to,
00:50:23 00:50:25 and this occurred prior to
00:50:25 00:50:27 the notifiable data breaches scheme,
00:50:27 00:50:29 but it is a good example,
00:50:29 00:50:31 is the Red Cross blood services data breach
00:50:31 00:50:33 in October of 2016.
00:50:34 00:50:37 So, for those that aren't familiar with it,
00:50:37 00:50:39 a file containing the information of approximately
00:50:39 00:50:43 550,000 prospective blood donors was saved to
00:50:43 00:50:46 a publicly accessible part of the donate blood website.
00:50:47 00:50:50 The data file was discovered and accessed by
00:50:50 00:50:53 an unknown individual or an anonymous individual
00:50:53 00:50:56 who was acting as what we call a white hatch asset.
00:50:58 00:51:02 It was a result of an error by a third party provider
00:51:02 00:51:06 that managed the donate blood website and web server.
00:51:07 00:51:10 So, in that particular case, we did open an investigation
00:51:10 00:51:13 with the blood service, but the Red Cross
00:51:13 00:51:17 did take immediate steps to contain the data breach.
00:51:17 00:51:20 It took responsibility for the data breach,
00:51:20 00:51:24 including responsibility for the actions of its contractor,
00:51:24 00:51:28 and it was transparent with affected individuals,
00:51:28 00:51:31 but also the public about what had occurred,
00:51:31 00:51:33 and they notified and provided assistance to
00:51:33 00:51:34 the affected individuals.
00:51:36 00:51:41 So, in that case, the lesson that we saw with that one
00:51:42 00:51:45 is that organizations and health service providers,
00:51:45 00:51:47 in particular, can maintain trust by being prepared
00:51:47 00:51:50 and responding to data breaches effectively.
00:51:51 00:51:54 And having a plan in place and having that
00:51:54 00:51:55 staff awareness and training about
00:51:55 00:51:57 how to respond to those data breaches,
00:51:59 00:52:02 particularly as that one included information that
00:52:02 00:52:07 was jointly held with a contractor, so that's an example.
00:52:07 00:52:08 And we've seen this particularly,
00:52:10 00:52:13 in the notifications we've received into the NDB scheme,
00:52:15 00:52:16 that you also need to be prepared for
00:52:16 00:52:21 how you deal with information that is jointly held.
00:52:21 00:52:24 How you prepare about communicating with your contractors
00:52:24 00:52:25 in the event of a data breach,
00:52:25 00:52:28 and how you assign the assessment
00:52:28 00:52:30 and notification obligations, as well.
00:52:34 00:52:36 >> Pip: Thank you very much, Amanda.
00:52:36 00:52:39 That actually brings us to the end of our webinar.
00:52:39 00:52:41 So, we would like to thank both of you
00:52:41 00:52:44 for taking us through that information this evening.
00:52:46 00:52:47 >> Penny: Great.
00:52:47 00:52:48 Thank you very much, Pip.
00:52:48 00:52:50 >> Amanda: Thanks, Pip.
00:52:50 00:52:51 >> Pip: Pleasure.
00:52:51 00:52:52 So, we'd just like to remind everyone that
00:52:52 00:52:55 this webinar was delivered as part of
00:52:55 00:52:58 the monthly RACGP eHealth webinar series.
00:52:58 00:53:00 This topic of notifiable data breach
00:53:00 00:53:03 is our first for the year.
00:53:03 00:53:05 So, we'll be running education each month,
00:53:05 00:53:07 two to four sessions each month.
00:53:07 00:53:10 In March, we'll be talking about My Health Record
00:53:10 00:53:13 and some medico-legal concerns for general practice,
00:53:13 00:53:15 and you can access the registration link
00:53:15 00:53:17 via the RACGP website.
00:53:18 00:53:20 We hope that you've enjoyed the presentation
00:53:20 00:53:22 and found the information useful tonight,
00:53:22 00:53:25 and we'll be sending everyone an email after the webinar
00:53:25 00:53:27 so that you have the opportunity to provide us
00:53:27 00:53:29 with some feedback, and also,
00:53:29 00:53:31 to provide you links with the resources that
00:53:31 00:53:34 we've discussed in the presentation tonight.
00:53:34 00:53:37 And as we said before, if you have any other questions,
00:53:37 00:53:40 you can email the practice technology and management team
00:53:40 00:53:42 at any time with any of your questions
00:53:42 00:53:46 at ehealth@racgp.org.au.
00:53:47 00:53:49 So, thank you once again,
00:53:49 00:53:51 and I hope you all have a lovely evening.