All private sector health service providers have obligations under the Notifiable Data Breaches scheme, which came into effect on 22 February 2018.

This webinar is designed to assist GPs and general practice teams to understand the scheme and their obligations relating to suspected and confirmed data breaches.

This webinar was delivered by the Royal Australian College of General Practitioners (RACGP) in conjunction with the Office of the Australian Information Commissioner (OAIC) in February 2019.

21 Feb 2019

Slide 1

>> Pip: Welcome to today's webinar, Notifiable Data Breaches Scheme, information for general practice. My name's Pip, and I'm the project coordinator for the RACGP Practice Technology and Management Team, and I will be your host for today. I'm joined by Dr. Penny Burns, who will deliver the presentation for you today, and Amanda Baird, who is the director of dispute resolution from the Office of the Australian Information Commissioner, or the OAIC, who will present the information to you today in today's webinar.

Slide 2

A little bit more about Dr. Penny Burns. Penny is a general practitioner based in Sydney. She's worked for over 20 years in urban and rural general practice, and is a member of the RACGP Expert Committee for Practice Technology and Management. She's been interested in computer and technology use in general practice since the early '90s. Penny is interested in the use of technology to improve outcomes in learning. Over the last year, she's been involved in delivering education sessions as part of the My Health Record in General Practice National Education Awareness campaign, and she is currently part of the CSIRO Primary Care Data Quality Content Working Group, which examines the use of data in general practice, and is also deputy chair of the Disaster Management Specific Interest Group at the RACGP. Penny and Amanda, welcome to the webinar.

>> Penny: Thanks, Pip.

>> Pip: Thank you. Penny, Amanda, myself, and the RACGP would like to thank everyone today for taking the time out of your busy schedules to participate in this webinar. Before we begin, we'd like to make an acknowledgement to country.

Slide 3

I would like to begin by acknowledging the traditional owners of the land on which we are meeting here today, and to pay my respects to their elders, past and present.

Slide 4

>> Penny: Today, the aim is to cover what is in the Notifiable Data Breaches Scheme, and how to apply it to general practice. A little bit of statistics to make it relevant to healthcare provisions, what is an eligible data breach, and what to do if you experience one. Data breaches in the My Health Record system, which are slightly different, and then we'll do some case studies, and a poll, and some questions.

Slide 5

The learning outcomes for this sessions are to be able to describe a notifiable data breach, to look at identifiers in which one has occurred so you're prepared to respond. Summarise what actions are required if a notifiable data breach occurs, and the difference between response for a data breach relating to My Health Record, or a notifiable data breach under the scheme, and then discuss how the NDB applies to general practice.

Slide 6

So, what is a data breach? A data breach occurs when personal information held by an organisation is accessed by an unauthorised party, it's disclosed to an unauthorised party, or it's just lost. So, a data breach occurs when personal information held by an organisation enables an individual to be identified, and this can be related to names, or Medicare numbers, or addresses, or phone contacts. The information will be personal information. The information may not by itself however, be obvious, but in combination with other information that's released, it may be, the relevant individual may be identified, or reasonably identifiable.

So, when in doubt, the suggestion is to err on the side of caution and treat the information as personal information. Some of the examples are that we got an email containing test results have been sent to the wrong recipient. A spreadsheet of patient information made publicly available. A staff member accessing a patient's information without authorisation, or even if patient files are locked up in someone's bag and may have ended up somewhere else in public. All of those are potential data breaches.

Slide 7

So, what is the notifiable data breach scheme? It's only new. It came into effect on the 22nd of February, 2018. And it applies to all agencies and organisations with existing personal information, security obligations under the Privacy Act, and that includes general practice. It's a legal requirement to notify individuals in the OAIC of notifiable data breaches, and they require state fines if it's not done in a very timely fashion.

So, the NDB outlines three criteria that must be met before a data breach is reported to the OAIC, and they have specific requirements on when they be reported to them. And we're very lucky to have Amanda Baird, the assistant director of the dispute resolution from the OAIC to cover these in more detail.

Slide 8

So, does the NDB scheme apply to general practice? The NDB scheme applies to all private sector health providers. If you provide a health service, and you hold health information, you're covered by the Privacy Act, even if that's not your primary activity. The definition of private health service providers is quite broad, so some examples would be general practice. Other traditional health service providers such as private hospitals, day surgeries, pharmacists, specialists, allied health professionals. Also, complementary therapists, such as naturopaths and chiropractors. Even gyms and weight loss clinics, child care centers and private schools. This definition of a health service provider under the Federal Privacy Act does not include public hospitals. These are regulated by the relevant law in the state or the territory.

Slide 9

So, why is the NDB scheme important to general practice? General practices hold a lot of identifying personal information of patients, such as names, date of birth, address, telephone number, et cetera, et cetera. This information may be vulnerable to unauthorised access, unintended authorised disclosure. For example, a staff member accessing a patient file unintentionally, or a staff member sending personal patient information to an incorrect recipient, or leaving a computer open on a desk for a patient or unauthorised staff member to read the notes.

We know from the data collected since February 2018 that healthcare providers are a significant source of data breaches. And handling of personal information Confidentiality's actually been something that GPs have been very aware of, and it's been a strong part of medical treatment amongst general practice, and GPs are a highly trusted group of individuals. But this trust will now also extend to data security, and it's really important that general practices are able to understand their responsibility to protect this personal information for their patients.

The main purpose of the Notifiable Data Breaches Scheme is to ensure that individuals are made aware when their personal information is caught up in a data breach, and serious harm is likely to result. So, it's essential for practices to proactively engage with patient's privacy expectations and the expectations of the regulators.

Slide 10

>> Pip: Thank you very much, Penny. So, right now we'll have Amanda from the OAIC joining the webinar to talk about some of the statistics around notifiable data breaches. Thanks, Amanda. Hello, Amanda. Are you online?

>> Amanda: Oh, I'm sorry. looks like it was muted. Thank you for that overview, Penny. I'll just run through some of the statistics we've seen in the Notifiable Data Breaches Scheme, and particularly, the last quarter that we've reported on from October to December 2018. And our full report is available on our website for this quarter.

So, as we can see on this slide, the top five industry sectors to report data breaches in that quarter are healthcare providers, finance, legal accounting and management, education and personal services. We've seen a notable increase in entities' awareness that their new responsibilities under the Notifiable Data Breaches Scheme, and the health sector is leading the way with regard to the number of notifications. In that last quarter, we saw about 262 data breach notifications, which is up on the previous quarter.

The purpose for our quarterly statistical reports is to build a picture of the trends in personal information security risk that are likely to result in serious harm to individuals. And over time, we hope they can help us point out and proactively assistmanaging these risks. As shown in our chart, health service providers were responsible for 21% of the notifications, and this is consistent with international trends that we've seen in other data protection agencies to-date. And the OAIC is working with healthcare callers providing vast guidance on data breach prevention strategies. What I might just note here, as well, is that the high number of notifications in the health sector might be influenced by a range of factors, including the factors, as Penny outlined, the broad requirement for all private sector health service providers to comply with the Privacy Act, regardless of science or turnover. And this compares to other businesses which are mostly exempt from the obligations under the Privacy Act if their turnover is less than three million a year. More generally, we find as well, the health sector seems to have a greater level of responsibility and awareness of their privacy obligations, and this is a good thing, but it can also lead to over-notification, which I will come back to later.

Slide 11

So, the source of data breaches for the October to December quarter across all sectors, we saw human error and malicious and criminal attacks accounting for the majority of notifiable data breaches. For the health sector, we saw 54% were caused by human error, and 46% were caused by malicious or criminal attacks. Looking first at human error in the healthcare sector, the ratio of 54% is much higher than the economy-wide average of 33%.

Slide 12

So, breaking down human error data breaches into more detail, we can see that personal information sent to the wrong recipient by email is the most common type of human error data breach for the health sector, and this also is extended to sending personal information via email, mail, fax, or some other form of communication. That's fairly consistent across the quarters that we've seen. There were also a significant number of situations where people failed to use the BCC function when sending emails, thereby disclosing personal information to a wider group of individuals. And we've also seen lost paperwork with storage devices, as well as unintended release or publication of information.

Slide 13

Turning to malicious or criminal attacks, 46% of reported breaches were attributed to this particular source. So, this can include cyber incidents, such as compromised credentials through phishing or spear phishing attacks, ransomware, malware, or brute force attacks, where it's an automated system of guessing a username and password combination. But this particular source also includes the theft of paperwork or data storage devices, rogue employee or insider threat, where an individual employee deliberately accesses or discloses personal information, but also social engineering and impersonation. So, where an individual impersonates another to gain access to their personal information.

Slide 14

Some of the key lessons we asked the health providers arising out of the NDB scheme are firstly, to reduce risk by addressing human error. So, the findings of our quarterly reports support the need for organisations to promote staff awareness about secure information handling, and were relevant to the technological solutions that will alert the staff. So, our offices worked with the Australian Cybersecurity Center on preparing some useful tips and resources for improving data security in this regard, and those are available on our website.

Another important lesson is to implement an effective data breach strategy. The faster a data breach can be identified and contained, the lower the cost to customers or patients, and the organisation itself.

Thirdly, I would highlight that recent notifications to our office have demonstrated the importance of considering how you will work with third parties if the data breach involves personal information that you hold jointly. Either in a joint venture or with a contractor. For the health sector, this can include for example, an entity that provides online services that integrate with your practice management software, or another contractor that you share personal information with. So, the important thing in this instance is to be aware of where the personal information you jointly hold is, and what are the arrangements that you have in place if a data breach occurs.

And the fourth lesson from the first six months of the NDB scheme, is there an attitude to notification? And this is of particular importance to the health sector. So, generally, better safe than sorry might seem like the best approach to data breach notification, but over-notifying is something that we've seen fairly often in the health sector, and it can lead to data breach fatigue for individuals, which can make them complacent about the risks of a serious data breach. Given the time-sensitive nature of data breaches, understands the question of whether to report or not can cause a dilemma, particularly if the data breach is not that clear. But we do want to stress that not all data breaches have to be reported to our office. Those that need to be reported are those that reach the threshold test, and are considered eligible data breaches under the scheme, and we'll spend some time exploring that now.

Slide 15

So, what constitutes an eligible data breach? To determine whether a data breach needs to be reported, three criteria must be satisfied. So, the first requirement is that there must be a data breach as defined in the Privacy Act. So, that is it must be personal information. That's information about an individual or where that individual is reasonably identifiable, or is specifically identified, and that information must have been subject to a data breach.

Slide 16

So, turning to the next slide, a data breach under the NDB scheme involves either unauthorised access to the personal information. So, this can include situations where security or practice systems are compromised by a third party. For example, by a hacker through malware or ransomware, or through stolen credentials used to access a password system. And as Penny outlined before, it can also include when a staff member has read a patient's file without authorisation.

>> Pip: Thanks, Amanda. What we're gonna do now is launch another poll, and we're gonna ask those listening if they've experienced any of these examples as we go through.

Poll 1

So, I'll launch this poll now, and our question is has anyone had an experience of unauthorised access in their practice? So, we were talking about that criteria that Amanda's just described around unauthorised access in their practice. We'll just leave it open for a few more seconds. I can still see results coming in. And I'll close that poll and share it with you. And we can see that 11% have responded with yes, and 89% no.

>> Amanda: I think with this one, unauthorised access can sometimes be quite difficult to determine, and sometimes it does require quite technical expertise to identify. And so, with unauthorised access we see it usually is a result of a malicious or criminal attack or a cyber incident.

The second kind of data breach is one that involves unauthorised disclosure. So, an unauthorised disclosure is where information is released from the control of the entity itself, which distinguishes it from unauthorised access. So, this can include when a staff member sends personal patient information in an email to the wrong recipient. It can include if a spreadsheet of patient personal information is accidentally made public on the internet.

Poll 2

>> Pip: Okay, so we will launch another poll, and so we're going to ask here, has anyone had an experience of unauthorised disclosure of personal information in their practice? So, this is an example of unauthorised disclosure of personal information. Most people have now responded, so I'll close that poll and share that. Numbers are a little bit higher here, so 25% have responded with yes, and 75% with no.

>> Amanda: Thanks, Pip, and let's say with this one, we would generally find unauthorised disclosure as the result of some kind of human error. So, it would more likely affect a smaller number of individuals for the way information is sent to the wrong recipient, and is either because of just a general human error or because of particular policies or procedures weren't followed.

The third kind of data breach is the loss of personal information. And the requirement here is that the information must be lost in circumstances where unauthorised access or disclosure is likely to occur. So, if personal information is lost in a way where there is no likelihood of it ever being accessed by another individual, it doesn't fall within the definition of a data breach under this scheme. So, that might be where information is accidentally destroyed, but it can also include, more generally, if a practice manager or a GP leaves a laptop on the bus containing patient personal information or patient files, or if they lose their USB memory stick containing personal information.

Poll 3

>> Pip: Thank you, Amanda. We're gonna launch our last poll for this section where we're asking people has anyone had an experience of a loss of personal information in their practice? Just a few more seconds until the last votes of our poll come in. And the results are just only 17% yes, and 83% no.

>> Amanda: Okay, great.

Slide 17

What I might turn to now then is the second criteria that we have to look at when determining whether a data breach is notifiable, and that's where the data breach is likely to result in serious harm to one or more individuals whose personal information is involved in the data breach. Now, the wording of the likely to result in serious harm means that the risk of serious harm to an individual has to be more probable than not, rather than just possible, as a result of a data breach. Serious harm is not defined in the Privacy Act, but our guidance includes considering whether it's likely to result in serious psychological, emotional, physical, financial, reputational, or other kinds of harm.

When considering from the perspective of a reasonable person if the data breach is likely to result in serious harm, what we recommend, we think about is the kinds of information that are involved in the data breach, including how sensitive the personal information is. Noting that health information is considered sensitive under the Privacy Act, and may be likely to result in different kinds of harm. You should also consider whether it's protected, whether the personal information is protected by one or more security measures, what kind of harm could result, and other relevant matters which are set out in section 26WG of the Privacy Act.

Slide 18

And then moving on from there, there's the third consideration is whether the likely risk of serious harm can be prevented with remedial action. So, for instance, the scheme provides this opportunity for entities to take some kind of action to prevent or reduce that risk of harm. For instance, if you'd sent a document containing sensitive personal information to the wrong recipient, but that's a trusted recipient and they've confirmed that they have deleted or destroyed the document, and your assessment concludes that, you can rely on that advice, and there's no longer a likely risk of serious harm, then notification would not be required. I will just note here that remedial action can actually include contacting the individuals who were affected by the data breach. It doesn't prevent you from informally advising them of the circumstances of the data breach as trying to remedy the likely risk of that harm. So, the purpose for taking that remedial action is to assist the individual and try and contain and mitigate the risk of harm as a result of the data breach.

Slide 19

So, what do I do if an eligible data breach has occurred? So, when unauthorised access, or unauthorised disclosure, or loss of personal information occurs, the first priority is to take immediate steps to contain the data breach. That is, take steps to prohibit further data from being accessed or disclosed. The next step is to assess the data breach, to gather the facts and evaluate the risks, including the potential harm to affected individuals, and where possible, taking action to remediate any risk of harm. If serious harm is obvious on its face, so if the circumstance of the data breach mean that it's immediately obvious that it's likely to result in serious harm to affected individuals, then the third step, which is notification must follow. But sometimes serious harm might be suspected, but not certain, and particularly in instances where there's a cyber intrusion into your networks. In these instances, an organisation needs to undertake an assessment to confirm whether or not an eligible data breach has occurred, which is one that meets that threshold test. In that case, the business has to undertake an assessment as expeditiously as possible, and asprovides that we're talking days to do that assessment, rather than weeks. If your practice experiences a data breach, and after conducting an assessment you're satisfied that all three criteria has been met, then you must notify the OAIC and any individuals that are at likely risk of harm, as soon as practical. So, that means contacting your patients or customers.

The NDB scheme has a bit of flexibility about how to notify individuals. Firstly, you can notify all individuals whose personal information was involved in the eligible data breach. Secondly, if you're able to, you can notify only the individuals who you've identified at likely risk of serious harm if they're This tends to occur where there's different categories of personal information involved, and you're able to assess that one category of individuals is at more risk than the others. If those two options are not practicable, then the scheme requires you to publish the notification on your website, and also take reasonable steps to tell the clients that with the aim of bringing it to the attention of all individuals at likely risk of serious harm. So, that goes to the purpose of this scheme, which is to ensure that individuals are aware of data breaches that involve their personal information where there is that risk. So, notification can occur in a number of different ways, including by letter, email, phone, or online. It's up to the entity to think about what is appropriate, and this will depend on their situation, the severity of the data breach, but also your normal means of communicating with patients or individuals. So, how would they expect to receive that information from you? You must also notify the Australian Information Commissioner in the form of a statement, and there are some statutory requirements of the information that must be included in the statement, which I'll go through shortly. But I just wanted to quickly touch on the fourth and most important step, and that is to review the incident and consider what actions can be taken to prevent future data breaches. So, this can involve an investigation into the cause of the data breach. It can involve creating a remediation/prevention plan, can involve an audit of your policies and processes, and can in instances obviously, will involve staff training.

Slide 20

So, going through the required information, the NDB scheme requires that your statement to the commissioner includes the identity and contact details of your practice, a description of the data breach, the kind or kinds of information that is involved in the data breach, and recommendations about the steps individuals should take in response to the data breach. So, we have an online form on our website that you can complete, and the link should now be sent to you in your chat message box. I will also note that we have some guidance on our website about how to fill in the statement, and our online form also asks you to provide information about the incident voluntarily, whichaffecting the notification.

Slide 21

So, if your practice deals with the My Health Record system, you might be wondering how the two schemes work together. So, do you have to notify breaches under both schemes, and is the threshold the same? So, broadly, the notifiable data breach scheme requirement sit alongside the data breach reporting requirement for the My Health Record system, but they do not overlap. So, while there are similarities between the reporting requirements of both schemes, there are some important differences. Firstly, data breaches notified onto the My Health Record Act do not need to be recorded onto the NDB scheme, and this is to prevent duplication of reporting. Another key difference is that every breach of My Health Record data needs to be reported, whereas under the NDB scheme, only data breaches that are likely to result in serious harm to affected individuals need to be reported. Thirdly, breaches must be reported as soon as practicable under the My Health Record Act, even when remedial action to address the data breach could be in progress or has already been taken. So, if you're not dealing with My Health Record information, and you're unsure whether a data breach meets the notification threshold under the NDB scheme, that's when you'll need to undertake an assessment.

>> Pip: Thank you very much, Amanda. Oh, right. Continue.

>> Amanda: No That was it.

Slide 22

>> Pip: Okay. We'll move on to the next slide, and Penny will join us once again and introduce a case study, after which we will launch a poll and have a bit of a discussion. Thank you, Penny.

>> Penny: For the case study, we've got two case studies. This first one is a GP surgery has been aware that its customer database has been made publicly available on the internet due to technical error. It contains records of prescription drugs that have been prescribed to patients. Security consultants confirm the database was only accessed a few times, but they can't identify who accessed the data, or if they kept a copy. So, what we want you to think about here is does this fit an eligible data breach? Is it likely to result in serious harm? And has the practice been able to prevent likely risk of harm with remedial action? So, the first question here is, is this an eligible data breach? And there's a poll in front for you to comment on.

Poll 4

>> Pip: Thank you, Penny. The responses are still coming in. We'll give it a second. Close that off. And 83% have responded that they believe this is an eligible data breach, and 18% are unsure.

>> Amanda: And look, it depends on the exact circumstances of the data breach. But the OAIC consider this is an eligible data breach, and I'll go into the reasons why we would sort of, on the available information, lean that way. So, details of prescription drugs are sensitive personal information. Obviously, we all understand they can indicate treatment of a range of medical conditions, including mental health issues. Based on if the GP surgery is unable to confirm who accessed the database, and whether it would be likely to be accessed by someone who could use that information against the individuals, then we would think that a breach of that kind would be more likely to result in serious harm to affected individuals. What steps the GP surgery then has to take will depend on the situation. So, they would need to notify our office, and all individuals whose personal information was involved in the data breach. If they were unable to get in contact with a number of patients, for instance, if the records were old, or if patients had not updated or provided their details in the first place, it may be necessary in that instance to issue a more public notice. For instance, on the website or in the surgery office.

Slide 23

And so, now we have a second case study, and again, we want you to think about the same thing. Is this a notifiable data breach? Does it fit an eligible data breach? Is it likely to result in serious harm, and has the practice been able to prevent the likely risk of harm with remedial action? So, a staff left their iPad on a train. The staff member's work email account can be accessed on the device. The staff member reports the loss and arranges for IT to remotely delete all the content from the device, and IT confirm that the device has not been accessed. Is this a notifiable data breach? And the quick poll's come up on your screen for you to respond.

Poll 5

>> Pip: Thank you everyone for participating in the poll. I'll close off this final poll. And the results are in. 11% say that this is an eligible data breach. 80 believe that it is not, and 9% are unsure.

>> Amanda: I think the majority of people here don't think this is an eligible data breach, and I would say notification is probably not required in this situation. So, that's having regard to the security protections on the iPad, and the ability to take remedial action in this instance. So, if your IT department is confident that the content could not have been accessed in the short period between when the iPad was lost and when it was erased, then notification is not necessary. And that goes to what I was saying before that if the information is lost, but you're able to take that action to prevent it from being subject to unauthorised access or disclosure, then that means it's not notifiable. And this is an example of how that action can prevent serious harm following a data breach. What we would say with this one is, not only do you need to make sure you need to have good technical security infrastructure in place, you also need to make sure your staff know what to do if something goes wrong, and this comes back to staff awareness and education.

>> Pip: Thank you very much, Amanda.

>> Amanda: Oh. Sorry.

>> Pip: I was gonna hand over to you, anyway.

Slide 24

>> Penny: One of the questions that comes up for me of us were unsure, if we were unsure in this case, I presume that we would be able to ring the office at the OAIC and discuss that with them.

>> Amanda: Absolutely. We have an enquiries line that any entity can call for general advice about the threshold of the NDB scheme, and also to discuss our guidance on making that kind of assessment. Absolutely, if the healthcare provider is not sure, they can contact us.

>> Penny: Thanks, Amanda. So, the College has also got some really excellent resources on this. These two, the fact sheet and the flow chart both probably contain a really good summary of what's being discussed today, and have a lot of information there to guide making decisions. The fact sheet talks about how to define a eligible data breach, and the flow chart takes you through that, including the My Health Record. So, they're both easily available on the College site.

Slide 25

There's also the background information for keeping your information and resources private. for a while, and most of you are probably aware of. So, the information security in general practice, which talks about prevention, protection, and preservation of data in general practice, and is really worth having a look at, and it comes with a number of templates. And in privacy and managing health information in general practice is also available. The OAIC has also developed good information and resources. So, you can see on the screen another flow chart, and this is again, about what to do in the case of a data breach. So, it takes you through a suspected or known data breach, how to contain it, how to assess it, then to work out whether the serious harm is still likely, and then if you need to notify, what you should do, and takes you back to a review afterwards to review your processes. And there's the number for the OAIC on the front.

Q & A

>> Pip: Thank you very much, Penny. So, as promised at the start, we have allocated some time for question and answers. So, if you have a question for Penny or for Amanda, if you could please type it into the question bar on the control panel and press enter, and we'll try to get to everyone's questions. If not, we can be contacted at ehealth@racgp.org.au. So, we have had some questions come through already. What kind of penalties or enforcement action can be taken in response to data breaches?

>> Amanda: I'll field this one. So, in addition to receiving notifications of eligible data breach, the OAIC plays an important role in compliance of this scheme. And the commissioner has a number of enforcement powers that can be exercised in instances of non-compliance. So, in terms of notifiable data breaches, if we become aware of a data breach that hasn't been notified by an entity, and we have reasonable grounds to believe it meets that threshold of serious harm, we can direct an entity to notify. If the entity doesn't comply with that direction, then we have a number of different powers which go from enforceable undertakings, can include a determination by the commissioner. In terms of fines, what the commissioner has the ability to do is to seek civil penalties in the federal court for up to $2.1 million per breach for organisations, and that's for serious or repeated privacy incidents. And we also, the commissioner has the ability to seek injunctive relief in the federal court for an ongoing act or practice. So, some of the, I guess, conditions of the NDB scheme that could prompt regulatory action includes a failure to conduct a reasonable and expeditious assessment of a suspected data breach. So, if you have reason to suspect that unauthorised access or disclosure has occurred, but you don't assess it, that's what's called an interference with privacy under the Privacy Act. A failure to notify individuals or the OAIC as soon as practical is also a condition of the NDB scheme, and as I said before, if you fail to comply with the direction to notify from the office, that can lead to further regulatory action. But generally at this stage, we're working with organisations and agencies about the requirements of the NDB scheme, but we will have that focus on ensuring compliance through regulatory action if we need to.

>> Pip: Thank you, Amanda. Penny, this might be a question for you. Someone has asked whether we should also notify our MDO, as well.

>> Penny: I think that's a very advisable thing to do, and the MDO I know have got some documents available on this topic, as well. But I think particularly in terms of just letting them know this is happening, and getting extra advice, I think that's a very valuable thing. And also, one of the areas in which I think that'll be particularly useful is in how to notify those individuals that are being affected. And most of us have had to manage issues with patients around difficult processes in the past, but this is going to be a new one for all of us, and we're all gonna be learning from it. But using those usual means of communication that we would've previously, like there's an email or online, depending on what we usually used would be useful. But I think the MDOs in particular would be a good group to be contacting in regard to this, as well. But it can't get in the way of getting the notification through to the OAIC. We've only got a few days to do that, so have to move quickly.

>> Pip: Thanks, Penny. We've had a question where the patients can report data breaches directly.

>> Amanda: This is Amanda. In terms of the functions of our office, we do receive referrals from members of the public about a data breach they become aware of. So, either they can report it to us if they become aware of a data breach, or they can make a complaint about a data breach that involves their personal information. To where they make a complaint, we will treat that as a complaint under the Privacy Act, and we have a statutory obligation to conciliate that. So, we'll generally contact the respondent, and try and conciliate that complaint. In the case of what we call a referral, we'll generally contact the respondent to see if they're aware of the data breach, and provide information about the requirements if the Notifiable Data Breaches Scheme. Like I said before, that may be one of the ways we become aware of a data breach that hasn't been notified to us. So, that might be a prompt for regulatory action if that involves, I guess, an awareness on the behalf of the entity, but they haven't done that assessment.

>> Pip: Thank you, Amanda. We have a question, and Amanda, this one would likely be for you. Prior to the notifiable data breaches coming in last year in February, what are the steps required if a malicious breach occurred prior to the institution of the scheme?

>> Amanda: Okay. So, pre-22nd of February, 2018, we ran a voluntary data breach notification scheme where regulated entities could let us know about data breaches, and we provided advisable guidance. So, to be specific, the NDB scheme only applies to instances of unauthorised disclosure or unauthorised access that occurred on or after the 22nd of February. So, for disclosures, that's quite clear. However, if the instance of unauthorised access or disclosure occurred over that date, so it was ongoing, then it would be covered by the NDB scheme. So, if you become aware of something that occurred prior to the scheme, you can notify our office, or we would generally suggest that the focus should be looking at do you need to notify individuals as a matter of best practice, where it's not a requirement of the scheme, but is there an advantage in letting individuals know? Are they at risk of serious harm that they could mitigate or prevent through taking their own steps in response to that data breach? But yeah, generally, the NDB scheme only applies to that unauthorised access or disclosure that occurred on or after the 22nd of February. So, prior to that, it was a voluntary scheme.

>> Pip: Thank you very much. Penny, a question for you. How do we decide who is authorised to have access to files? Should all receptionists have access, or just the practice manager, or just clinical staff?

>> Penny: Well, in terms of files, I guess it depends on what we're actually doing. When we set up the software, we actually set it up so that people log in under their own name and their own file, so there's an ability to track what people are doing and what they have. So, at the moment, the receptionists and the practice staff usually have access to the files, but they're not able to access them in the same way. So, I think in terms of building your security level, and working out who has access to what, you need to actually work fairly closely with your IT group and set up a fairly good practice security governance, and then work out who should have what. Because in some practices, you have other allied health also accessing patient files. I know where I work, we have physios that actually have some access to our general practice software. So, I think again, it's all about working out a good structure to start with around security governance. Get your ITand look at preventing and protecting data from the beginning.

>> Pip: Thank you, Penny. We now have a question from someone who I imagine would've answered yes to some of the earlier questions. What if we have received a patient file not intended for us? We did not cause the data breach, but are we supposed to notify, or are we just to contain and then let the original entity notify?

>> Amanda: So, in this case, it's kind of a multiple issue here. You don't have an obligation to notify under the NDB scheme if you weren't the entity that held the information to begin with. As a matter of best practice, I would probably let the entity know that they disclosed that information to you incorrectly, and as health service providers, you have an obligation when you receive information that you didn't solicit to consider separately under Australian Privacy Principle 4 whether you could've solicited that information, and if not, to take steps to delete or destroy it. So, you can let us know about a particular data breach if you think it should be reported. But generally, we would say you've got separate obligations to assess whether you can keep that information or delete or destroy it. And it's probably best to let the original entity know if they aren't aware of that disclosure, and it's open to say there are these assessment obligations under the NDB scheme, as well, if they're not across that. But generally, we do receive referrals from lots of different members of the public and entities about these kinds of issues, but that's what we would do in that instance is contact the original entity. Make sure they're aware of the disclosure, and that they were taking steps to prevent it from occurring again.

>> Pip: Thanks, Amanda. I know we touched on this earlier, but if we could just clarify what the timeframe is in which a practice would be required to notify of a data breach.

>> Amanda: Absolutely, and this is something that we've found is there can be a bit of confusion about. So, the timeframes in the NDB scheme are you have to conduct an assessment of a suspected data breach within, or take all reasonable steps to conduct that assessment within 30 calendar days. So, that's the only hard timeframe that there is. And that only applies if you suspect that the data breach is likely to result in serious harm, but you're not sure. If on first discovering the data breach it's quite clear that it meets that threshold that it's a serious data breach that needs to be notified, then the requirement is to notify our office and individuals as soon as practicable. We generally expect that to be quite prompt, unless there's reasons, quite good reasons for a delay. But it doesn't have a particular, there isn't a date timeframe the way that there is with the assessment process. But in general, we expect, if you have all the information before you to assess that it's a serious data breach that needs notification, that you will take all steps to do that as quickly as you can.

>> Pip: Thank you very much. Maybe Penny, this one might be for you. Do you have any advice on how to communicate a particularly bad breach to a patient?

>> Penny: I think again, well that could actually go back to the suggestion of contacting the MDO, as well, for advice. But I think that as GPs, we are used to managing issues with patients, and I think we know our patients and we know our sort of context. And there will be expectations on the part of the patient as to how they would expect to be notified. It will depend on the severity I think of the information that's being released, and the knowledge of the patient, and the family, and the likely risk. But I think that the usual means of communicating would also be used here, and I think personal contact phone would usually be something that we would use in our practice for something serious that happened. But then also, confirmation with email or letter, depending on what the expectations of the patient are. I think it's very, very individual, and sometimes, it may require more than one means of communicating. Sometimes it may require getting the patient in to talk to them about it and help them work through it. Each case will be different.

>> Pip: Thank you very much. Amanda, this will be a question for you. Do you have any examples of data breaches that have been well handled?

>> Amanda: Yes. Yeah, we do. I guess I would note here that the way an organisation handles a data breach, both responds to it, notifies individuals, can go quite a way in terms of preserving that organisation's reputation, but also, demonstrates a willingness to be open and transparent about these kinds of issues. I think this is a growing issue where data breaches are occurring more frequently, and I think as Penny said at the beginning of the webinar, this is nothing that any entity's exempt from. In terms of case studies that we can talk to, and this occurred prior to the Notifiable Data Breaches Scheme, but it is a good example, is the Red Cross blood services data breach in October of 2016. So, for those that aren't familiar with it, a file containing the information of approximately 550,000 perspective blood donors was saved to a publicly accessible part of the donate blood website. The data file was discovered and accessed by an unknown individual or an anonymous individual who was acting as what we call a white hatch asset. It was a result of an error by a third party provider that managed the donate blood website and web server. So, in that particular case, we did open an investigation with the blood service, but the Red Cross did take immediate steps to contain the data breach. It took responsibility for the data breach, including responsibility for the actions of its contractor, and it was transparent with affected individuals, but also the public about what had occurred, and they notified and provided assistance to the affected individuals. So, in that case, the lesson that we saw with that one is that organisations and health service providers, in particular, can maintain trust by being prepared and responding to data breaches effectively. And having a plan in place and having that staff awareness and training about how to respond to those data breaches, particularly as that one included information that was jointly held with a contractor, so that's an example. And we've seen this particularly, in the notifications we've received into the NDB scheme, that you also need to be prepared for how you deal with information that is jointly held. How you prepare about communicating with your contractors in the event of a data breach, and how you assign the assessment and notification obligations, as well.

>> Pip: Thank you very much, Amanda. That actually brings us to the end of our webinar. So, would like to thank both of you for taking us through that information this evening.

>> Penny: Great. Thank you very much, Pip.

>> Amanda: Thanks, Pip.

>> Pip: Pleasure. So, we'd just like to remind everyone that this webinar was delivered as part of the monthly RACGP eHealth webinar series. This topic of notifiable data breach is our first for the year. So, we'll be running education each month, two to four sessions each month. In March, we'll be talking about My Health Record and some medico legal concerns for general practice, and you can access the registration link via the RACGP website. We hope that you've enjoyed the presentation and found the information useful tonight, and we'll be sending everyone an email after the webinar so that you have the opportunity to provide us with some feedback, and also, to provide you links with the resources that we've discussed in the presentation tonight. And as we said before, if you have any other questions, you can email the practice technology and management team at any time with any of your questions at ehealth@racgp.org.au. So, thank you once again, and I hope you all have a lovely evening.