OAIC: Are our eHealth breach requirements enough?

The Office of the Australian Information Commissioner has drafted its guide on how eHealth service providers must respond to data breaches, and is seeking public comment to ensure nothing is missed.
Written by Michael Lee, Contributor

The Office of the Australian Information Commissioner has released its draft guide (PDF) on how mandatory data breach notifications should be handled under the personally controlled electronic health record (PCEHR) system, and is once again polling the public on whether its approach to the issue is adequate.

The draft guide states that organisations dealing with eHealth records must notify the System Operator (SO) — currently, the Secretary of the Department of Health and Ageing — and the OAIC, as soon as they are aware of a data breach occurring. The SO is the only entity that is permitted to inform customers of the breach.

The SO is able to put in place administrative sanctions and cancel, suspend, or vary the offending service provider's registration in the PCEHR system, but it is unable to put in place civil penalties. Instead, the role of issuing penalties will be given to the OAIC, which will for the first time, under the PCEHR legislation, be able to fine organisations for not reporting data breaches. Penalties will be AU$11,000 for an individual, and up to AU$55,000 for organisations.

Unless the organisation is a state or territory entity (which is only required to report breaches to the SO), failing to report to both the SO and the OAIC constitutes a failure to notify.

If the SO itself is involved in a data breach, it must report it to the OAIC, but there are no penalties if the SO fails to do so. However, the OAIC is free to investigate the SO if it suspects that a breach has occurred and has not been reported.

The guide also sets out the two situations that the OAIC believes constitute a notifiable data breach. The first is where a person uses, discloses, or collects health information from an eHealth record in an unauthorised manner; the second is where the security or integrity of the PCEHR system has been compromised, for example, by an external attack on a health portal.

When reporting a data breach, under the current draft, organisations will need to include a minimum level of detail, including what information was affected, how many individuals were affected, what caused the breach, what the organisation has done to try to contain the breach, and whether there were any steps in place to prevent the breach in the first place.

The draft guide specifies the minimum level of detail that the SO must provide affected customers when notifying them. The notification includes much of the information that is reported from the offending organisation to the OAIC and SO, but also has the requirement to inform affected customers of what steps they can take to reduce the risk of harm to themselves, a point of contact with the SO or breached organisation, and how they can make a complaint to the organisation responsible or the SO.

The guide also outlines the actions that a breached organisation should follow to remedy the situation.

The OAIC is now polling the public for feedback on whether the guide will help service providers fulfil their obligations to report data breaches. It has released a consultation paper, which raises a number of issues it believes the public may be interested in commenting on. In particular, it is looking to the public to raise any additional steps or factors that should be considered when responding to a breach, and any other policies the OAIC could take to help affected organisations meet their reporting obligations.

Those interested in submitting comments on the draft guide will have until September 25 to do so.

The OAIC only last week released its broader draft enforcement guidelines on how it will enforce privacy regulation related to the PCEHR system, likewise asking the public whether they are adequate.
