1. Definitions
“Privacy Laws” means the Privacy Act, the National Privacy Principles contained in schedule 3 to the Privacy Act and all other applicable laws, regulations, registered privacy codes, privacy policies and contractual terms in respect of the processing of Personal Information.
“Personal Information” means information or an opinion (including information or an opinion forming part of a database), whether recorded in a material form or not, about a natural person whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
“Health information” means any ‘personal information’ about your health or disability. It includes information or opinion about your illness, injury, or disability.
“Notifiable Data Breach (NDB)” refers to the scheme under which the Privacy Act requires certain entities to notify individuals and the Commissioner about data breaches that are likely to cause serious harm. The requirements of the NDB scheme are contained in Part IIIC of the Privacy Act and apply to breaches that occur on or after 22 February 2018.
2. Purpose
HealthTrack Medical Systems holds and processes personal health data on behalf of its staff and clients. This data is a valuable asset that needs to be suitably protected. Every care is taken to protect personal data from incidents (either accidental or deliberate) in order to avoid a security breach that could compromise data. Compromise of information confidentiality, integrity, or availability may result in harm to individuals, reputational damage, detrimental effect on service provision, legislative noncompliance, and/or financial costs including significant fines from the Information Commissioner’s Office.
The company is obliged under the “Privacy Laws” to have in place systems designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility. This Policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breaches and information security incidents.
The ‘Privacy Act’ makes notification mandatory unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Health data processors must notify any breach to their clients. Health service providers and data processors are therefore encouraged to put in place processes to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority and to communicate the breach to the individuals concerned.
3. Scope
This Policy relates to all personal health data and other sensitive data controlled or processed by the company regardless of format.
This Policy applies to all employees, contractors, consultants, temporary staff, and other workers at HealthTrack Medical Systems and data processors working for, or on behalf of the company.
3.1 Types of Personal Data Breaches
3.1.1 Confidentiality breach
Where there is an unauthorised or accidental disclosure of, or access to, personal data. For example:
- personal data accidentally being sent to someone (either internally or externally) who does not have a legitimate need to see it.
- a client database being compromised, for example being accessed by another client.
- paper records containing personal data being left unprotected for anyone to see, for example: files left out when the owner is away from their desk or at the end of the day, papers not properly disposed of in confidential shredding bins, papers left at printers.
- staff accessing or disclosing personal data outside the requirements or authorisation of their job.
- being deceived by a third party into improperly releasing the personal data of another person.
3.1.2 Availability breach
Where there is an accidental or unauthorised loss of access to, or destruction of, personal data. For example:
- loss or theft of laptops, mobile devices, or paper records containing personal data.
- the loss of personal data due to unforeseen circumstances such as a fire or flood.
- when there has been a permanent loss of, or destruction of, personal data.
3.1.3 Integrity breach
Where there is an unauthorised or accidental alteration of personal data. For example:
- the removal or false alteration of individuals’ mobile numbers or email addresses.
It should also be noted that, depending on the circumstances, a breach can concern confidentiality, availability, and integrity of personal data at the same time, as well as any combination of these.
4. Policy
On discovery of a data breach the following actions should be taken:
- Containment and recovery
- Assessing the risk
- Notification of breach to the Commissioner’s Office
- Evaluation and response.
4.1 Containment and Recovery
Any individual who has caused a breach, or who has identified a possible breach, should immediately inform their manager or the Information Security Officer.
The immediate priority is to contain the breach and limit its scope and impact.
- Where personal data has been seen, accessed, or sent to someone who does not have a legitimate need to see it, staff should contact the recipient and:
  - tell the recipient not to pass it on or discuss it with anyone else.
  - tell the recipient to destroy or delete the personal data they have received and get them to confirm in writing that they have done so.
  - warn the recipient of any implications if they further disclose the data.
- Where data has been lost, altered, or has become unavailable, access to the data should be restored as quickly as possible, from backup copies of the data if necessary.
- Where the data controller is a HealthTrack Medical Systems client, the client’s Data Protection Officer or person responsible for receiving breach notifications is to be given an initial notification stating what recovery processes are being performed, with further information about the breach provided in phases as it becomes available. This is important in assisting the controller to meet their notification requirements to the Commissioner.
A Breach Notification incident should be logged on the Internal IT Support system (see the Information Security Incident Logging Policy) stating:
- date and time of the breach.
- date and time the breach was detected.
- who committed the breach.
- details of the breach.
- number of data subjects involved (an approximation is sufficient).
- details of actions already taken in relation to the containment and recovery.
4.2 Assessing the Risk
Senior management or a nominated person will investigate the breach and prepare a Breach Report.
This report will consider the following:
- How the breach occurred.
- The type of personal data involved.
- The number of data subjects affected by the breach.
- Who the data subjects are.
- The sensitivity of the data breached.
- What harm to the data subjects can arise? For example, the breach could result in identity theft or fraud, physical harm, psychological distress, humiliation, or damage to reputation.
- What could happen if the personal data is used inappropriately or illegally?
- For personal data that has been lost or stolen, are there any protections in place, such as encryption?
- The measures taken, or proposed to be taken, to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Whether the breach should be notified to the ICO; if not, the reasoning behind this decision, including the reasons why the breach is unlikely to result in a risk to the rights and freedoms of individuals.
4.3 Breach notification
Under the “Privacy Laws”, once an entity has reasonable grounds to believe there has been an eligible data breach, the entity must, as soon as practicable, decide which individuals to notify, prepare a statement for the Commissioner, and notify individuals of the contents of this statement.
The Senior Leadership Team will determine whether the breach is one that is required to be notified to the Commissioner.
The ‘Breach Report’ about an eligible data breach must include:
- the identity and contact details of the entity (s 26WK(3)(a))
- a description of the eligible data breach (s 26WK(3)(b))
- the kind or kinds of information involved in the eligible data breach (s 26WK(3)(c))
- what steps the entity recommends that individuals take in response to the eligible data breach (s 26WK(3)(d))
4.3.1 To the Commissioner’s Office
When notifying a breach to the Commissioner the Breach Report must include the name and contact details of a responsible HealthTrack officer, a description of the eligible data breach, the kind or kinds of information involved, and what steps the entity recommends that individuals at risk of serious harm take in response to the eligible data breach (s 26WK(3)).
4.3.2 To the affected individuals
The NDB scheme provides flexibility — there are three options for notifying individuals at risk of serious harm, depending on what is ‘practicable’ for the entity (s 26WL(2)).
Whether a particular option is practicable involves a consideration of the time, effort, and cost of notifying individuals at risk of serious harm in a particular manner. These factors should be considered in light of the capabilities and capacity of the entity.
Option 1 — Notify all individuals
If it is practicable, HealthTrack can notify each of the individuals to whom the relevant information relates (s 26WL(2)(a)). That is, all individuals whose personal information was part of the eligible data breach.
This option may be appropriate, and the simplest method, if an entity cannot reasonably assess which individuals are at risk of serious harm from an eligible data breach that involves personal information about many people, but where the entity has formed the view that serious harm is likely for one or more of the individuals.
The benefits of this approach include ensuring that all individuals who may be at risk of serious harm are notified and allowing them to consider whether they need to take any action in response to the eligible data breach.
Option 2 — Notify only those individuals at risk of serious harm
If it is practicable, HealthTrack can notify only those individuals who are at risk of serious harm from the eligible data breach (s 26WL(2)(b)).
That is, individuals who are likely to experience serious harm because of the eligible data breach. If an entity identifies that only a particular individual, or a specific subset of individuals, involved in an eligible data breach is at risk of serious harm, and can specifically identify those individuals, only those individuals need to be notified.
The benefits of this targeted approach include avoiding unnecessary distress to individuals who are not at risk, limiting possible notification fatigue among members of the public, and reducing administrative costs by not notifying individuals where the NDB scheme does not require it.
Option 3 — Publish notification
If neither option 1 nor option 2 above is practicable, for example if HealthTrack does not have up-to-date contact details for individuals, then the entity must:
- publish a copy of the statement on its website if it has one
- take reasonable steps to publicise the contents of the statement (s 26WL(2)(c))
It is not enough to simply upload a copy of the statement prepared for the Commissioner on any webpage of the entity’s website. Entities must also take proactive steps to publicise the substance of the eligible data breach (and at least the contents of the statement), to increase the likelihood that the eligible data breach will come to the attention of individuals at risk of serious harm.
While the Privacy Act does not specify the amount of time that an entity must keep the statement accessible on its website, the Commissioner would generally expect it to be available for at least 6 months.
4.4 Evaluation and response
Once the breach has been dealt with, the cause of the breach needs to be considered. There may be a need to update policies and procedures, or to conduct additional training.