In recognition of Privacy Awareness Week we’ve put together this quick guide on what aged care providers must do to prepare for and respond to data breaches.

What is a Data Breach?

According to the Office of the Australian Information Commissioner (OAIC), a data breach happens when “personal information is accessed or disclosed without authorisation or is lost”.

Some data breaches are very minor and can be dealt with internally on a case-by-case basis. But some data breaches are serious and have to be dealt with in accordance with privacy laws. These serious kinds of data breaches are called “eligible data breaches”.

An “eligible data breach” happens when:

• personal information has been lost, or accessed or disclosed without authorisation, and
• this is likely to result in serious harm to one or more individuals, and
• your organisation has tried some remedial action, but you have not been able to prevent the likely risk of serious harm.

Serious harm includes serious physical, psychological, emotional, financial, or reputational harm.

If you know or suspect that an “eligible data breach” has happened, you must report it to the OAIC and to affected individuals. More on this below under “What Do I Have to Do?”

Causes of Data Breaches

The latest OAIC survey, revealed that the top five industry sectors to report data breaches, in order, were:

• health service providers (with almost a quarter of the notifications)
• finance
• insurance
• retail
• the Australian Government.

The sources of the data breaches were:

• Malicious or criminal attack – 67%
• Human error – 30%
• System fault – 3%

Cyber security incidents accounted for 44 per cent of data breaches, with phishing, compromised or stolen credentials, and ransomware, accounting for over 80 per cent of these incidents. The remainder of cyber security incidents were a result of hacking (10 per cent), malware (five per cent) and brute force attack (three per cent).

Almost half of the human error breaches were caused by personal information being sent to the wrong recipient, usually by email. About 20 per cent of breaches were caused by unintended release or publication of personal information. Other breaches resulted from loss of paperwork or data storage devices, unauthorised verbal disclosure, or failure to use BCC when sending emails.

The survey revealed that data breaches are increasing. Breaches caused by human error were up by 36 per cent from the previous survey. Malicious or criminal attacks increased by 12 per cent.

What Do I Have to Do?

As an aged care provider, you should:

• prepare by putting policies and procedures in place to protect the personal information you collect and hold
• have a data breach response plan
• respond quickly to data breaches
• if necessary, notify the OAIC and affected individuals.

Preparing for the Inevitable - Data Breach Response Plan

You should have a data breach response plan and procedures in place to respond quickly and effectively should a data breach occur. The plan should include:

• who to contact if a data breach occurs
• potential strategies for containing or remediating a common data breach
• any specialist resources that could be called on to assist with containing the data breach
• who should conduct an investigation and assessment of the extent and likelihood of harm
• any additional resources which may be required to investigate or assess the impact of the data breach to determine whether it is likely, or not likely, that serious harm may result
• which external parties should be notified (e.g., police, insurers, cybersecurity agencies, and lawyers) and when they should be notified
• who will make the decision to notify those external parties
• who will be responsible for communicating with affected individuals, and what will trigger the communication
• how affected individuals will be contacted
• who will make the decision that it is likely to be an eligible data breach and that the OAIC and affected individuals should be notified
• review procedures after the incident has been finalised, to identify any changes required to policies and procedures.

Responding to Data Breaches

Once someone in your aged care home becomes aware of a data breach:

• trigger the data breach response plan
• if possible, take immediate steps to prevent or fix the breach to minimise the risk of harm (i.e., take steps to “remediate” the breach)
• if you suspect that the breach will cause serious harm (but you’re not sure), then you must investigate. The OAIC says you must conduct the investigation as soon as possible and conclude it within 30 days
• if there is a risk of serious harm and your efforts to remediate it have failed, you must notify the OAIC and the affected parties
• investigate and make any changes so that there is less chance of that type of breach happening again.

Notifying the OAIC and Affected Individuals

As noted above, if there is a risk of serious harm and your efforts to remediate it have failed, you must notify the OAIC and the affected parties.

The content of the notification to the OAIC and to affected individuals is very specific and set out in legislation. Refer to the OAIC website.

Things to bear in mind:

• you must notify those individuals who are at risk of serious harm as a result of the data breach
• you may also choose to notify all affected or potentially affected individuals
• it is best to notify individuals early instead of waiting until a full investigation and assessment has concluded, as this may also assist in reducing damage or harm by enabling the individuals to take action to protect themselves
• you must provide any advice on what those individuals could themselves do to reduce the risk of harm, for example, by changing passwords.

If it is not practicable for you to notify each affected individual, you must publish a statement on your website and take reasonable steps to publicise its contents. The information on the website must contain at least the same details as those provided to the OAIC.

Serious penalties apply for failing to comply with any of the requirements relating to the investigation, assessment, timelines, and notification.

Aged Care Quality Standards, Mandatory Quality Indicators (QIs) and Serious Incident Response Scheme (SIRS)

Privacy requirements appear throughout the Aged Care Quality Standards and feature particularly in the overarching Standard 1: Consumer Dignity and Choice. Under that Standard, providers must ensure that “each consumer’s privacy is respected and personal information kept confidential”.

The Mandatory QIs and the SIRS require providers to report certain incidents. Data breach is not a Mandatory QI or a reportable incident under the SIRS. However, when gathering data and reporting under either of these schemes, providers should ensure that consumers’ privacy is protected.

The QI Manual states that, when gathering data on any of the QIs, providers must ensure that residents’ privacy is protected and data “does not contain any personal information about any of the care recipients”. In practice this means that when you record your QI data you should remove names and any identifying details. You could do this, for example, by referring to “Resident 1” rather than “Joanne Smith”. Your aim is to create a situation where a person reading the data cannot tell which specific residents are being referred to.

Additional Cyber Security Support

The Australian Cyber Security Centre is the Australian Government’s technical authority on cyber security. It is designed to provide a single point of advice and assistance on cyber security. The Centre’s support includes a 24-hour Australian Cyber Security Hotline (1300 292 371), technical advice and assistance in case of cyber security incidents, and publishing alerts, technical advice, advisories and notification on significant cyber security threats.

Next Steps for Aged Care Providers

• Cultivate awareness among employees regarding their responsibilities in handling personal information with care. In particular, remind employees to check the recipient carefully before sending personal information by email.
• Educate employees about the appropriate channels for reporting data breaches promptly.
• Have an up-to-date data breach response plan.
• Obtain advice, if required, to ensure that your cyber security measures match your resources and operational needs.

About the Authors

Svetlana Pozydajew

Svetlana is Principal Consultant Workplace Relations at Ideagen CompliSpace and Ideagen CompliSpace’s Privacy Officer. She has over 25 years of experience in strategic and operational human resource management, workplace health and safety, and design and implementation of policies and change management programs. She has held national people management responsibility positions in the public and private sectors. Svetlana holds an LLB, Masters in Management (MBA), Master of Arts in Journalism, and a Certificate in Governance for not-for-profits.

Mark Bryan

Mark is a Legal Content Consultant at Ideagen CompliSpace and the editor for ACE. Mark has worked as a Legal Policy Officer for the Commonwealth Attorney-General’s Department and the NSW Department of Justice. He also spent three years as lead editor for the private sessions narratives team at the Royal Commission into Institutional Responses to Child Sexual Abuse. Mark holds a bachelor’s degree in Arts/Law from the Australian National University with First Class Honours in Law, a Graduate Diploma in Writing from UTS and a Graduate Certificate in Film Directing from the Australian Film Television and Radio School.