An experienced aged care lawyer is warning service providers of their legal risk ahead of incoming changes to privacy legislation.
Aged care providers may be at legal risk unless they are “vigilant and aware of the latest computer and privacy threats to them and their residents,” said Craig Subocz, a senior associate at Russell Kennedy Lawyers.
Mr Subocz will discuss privacy and security breaches in health and aged care in a seminar on 30 November and webinar on 1 December in light of incoming requirements to report data breaches to affected individuals and the Privacy Commissioner.
“From February 2018, you have a statutory obligation to report a data breach. This poses a real risk to your standing if handled incorrectly,” Mr Subocz told Australian Ageing Agenda.
Mr Subocz is calling on providers to start taking steps now to prepare for the new obligation.
“Prevention is better than cure and all services should assess and update privacy policies, review contracts with key suppliers, train staff, and develop and test data breach planning,” he said.
The Privacy Act 1988 regulates the handling of personal information, meaning information capable of identifying a person, whether or not that information is true.
Most aged care providers must comply with the Privacy Act as their annual turnover exceeds $3 million and/or they provide a health service.
The Act mandates compliance with the 13 Australian Privacy Principles, which deal with the collection, use, disclosure, accuracy, security and disposal of personal information, including sensitive information.
The new reporting obligations are contained in the Privacy Amendment (Notifiable Data Breaches) Act 2017 and must be adhered to from 23 February 2018.
“In judging if notification is required, it is important to take remedial action to prevent serious harm to any affected individual before the individual suffers the harm,” Mr Subocz said.
Personal information is handled, used and disclosed every day and it is the responsibility of aged care organisations to protect it, he said.
In the webinar, Mr Subocz will present three case studies of personal information being inadvertently disclosed or threatened and show how aged care services could also fall foul of new requirements.
The first involves a doctor disclosing an individual’s health information to the police, which the Privacy Commissioner found to be an interference with the patient’s privacy.
“This scenario could easily apply in aged care – for example in the case of a relative seeking information about a resident,” Mr Subocz said.
The second case involves an employee of a contractor to the Australian Red Cross Blood Service (ARC) uploading the ARC’s database of 550,000 blood donor records to a publicly available website.
Although the upload was a one-off human error not authorised by the ARC, the ARC was found to have failed to take reasonable steps to protect personal information, or to destroy or de-identify information once it was no longer needed.
“Aged care services need to regularly check and review their records management, storage and disposal, and those of any external contractor,” Mr Subocz said.
The final case involves the disruption of an entire hospital network by WannaCry ransomware, which exploited vulnerabilities in Microsoft Windows.
It raised questions about easy-to-guess passwords, failure to apply software updates promptly when patches are available, and failure to maintain current cyber-protection software such as anti-spyware, anti-virus and firewalls.
“This is also important when considering or using external cloud-based systems for data storage,” Mr Subocz said.