Holdsworth House Medical Practice (‘HHMP’) is committed to protecting the privacy of patient information and to handling your personal information in a responsible manner in accordance with the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the Australian Privacy Principles and relevant State and Territory privacy legislation.
A data breach occurs when personal information that HHMP holds is subject to unauthorised access or disclosure, or is lost. A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems. HHMP is committed to the Australian Privacy Principles, and our ongoing efforts to ensure they are complied with minimise the likelihood of a data breach.
The Notifiable Data Breaches (‘NDB’) Scheme that is outlined in the Privacy Act requires HHMP to notify affected individuals and the Privacy Commissioner of ‘eligible data breaches’, which occur when certain criteria have been met. In instances when it is not clear whether a suspected data breach meets the specified criteria, HHMP will conduct a thorough assessment and respond appropriately.
Data Breach Response
Effective data breach response is about reducing or removing harm to affected individuals and protecting the interests of HHMP. Eligible data breaches are dealt with on a case-by-case basis; however, they typically follow a four-step process:
- Contain: If HHMP confirms that a data breach has occurred, we will take immediate action to limit the data breach and prevent any further compromise of personal information.
- Assess: HHMP will gather and evaluate as much information about the data breach as possible, as this will enable us to understand the risk of harm to individuals and help HHMP determine the steps needed to limit the impact of the data breach.
- Notify: If HHMP believes that the breach fits the definition of a notifiable data breach, a statement will be prepared for the Privacy Commissioner and the affected individuals will be notified.
- Review: Senior Management will undertake a comprehensive review of the incident and take the relevant actions to prevent future breaches.
Assessing a suspected data breach
If HHMP suspects it has experienced an eligible data breach, it will act quickly to determine whether one has occurred. Assessments are typically completed using the following three-stage process:
- Initiate: HHMP will decide whether an assessment is necessary and identify which person or group is responsible for completing it. This is typically Senior Management and the IT Project Co-ordinator.
- Investigate: HHMP will expeditiously gather relevant information about the suspected breach to determine both whether the breach occurred and whether it would result in serious harm to an individual.
- Evaluate: HHMP will make a decision about whether the identified breach is an eligible data breach and notify individuals and the Privacy Commissioner as required. HHMP will take all reasonable steps to complete the assessment quickly, up to a maximum of 30 calendar days.
Notifying individuals about an eligible data breach
If HHMP experiences an eligible data breach, its first priority is to contain the breach and take remedial action. If serious harm cannot be mitigated by remedial action, HHMP will notify the affected individuals at risk of serious harm and provide a statement to the Privacy Commissioner.
If an eligible data breach has been confirmed, HHMP will notify affected individuals as soon as practicable after completing the official statement prepared for notifying the Privacy Commissioner.
Notification has the practical benefit of giving individuals the opportunity to take steps to protect their personal information following a data breach, such as changing account passwords or being alert to possible scams resulting from the breach. It is important that staff are capable of engaging with individuals who have been affected by a data breach with sensitivity and compassion, so as not to exacerbate or cause further harm.
Notification of an eligible data breach must include:
- A description of the data breach
- The kind of information involved in the data breach
- Recommendations about the steps that individuals should take in response to the data breach
For a copy of our full data breach policy, please contact email@example.com. Please also direct any queries, complaints, or requests for access to medical records to firstname.lastname@example.org.