The Privacy Commissioner issues the Guide to mandatory data breach notification in the PCEHR system
September 13, 2015
On Friday the Privacy Commissioner published its Guide to mandatory data breach notification in the PCEHR system.
It provides:
1. Introduction
The PCEHR system and breach notification
The Personally Controlled Electronic Health Record (PCEHR) system, established by the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), is designed to facilitate access, by the consumer and treating healthcare providers, to a summary of health information about an individual. The information is drawn from a number of different sources with individuals controlling what information is included on their record and who may access it.
In recognition of the special sensitivity of health information, the PCEHR Act makes it mandatory for certain entities (outlined below under Who should use this guide?) to notify the Office of the Australian Information Commissioner (OAIC) and the PCEHR System Operator of a data breach involving the PCEHR system. Breach notification provides an important feedback loop for the System Operator’s maintenance of system security, and enables swift containment of a breach and preventative action. It also ensures that oversight bodies (such as the OAIC) are made aware of a breach and can investigate the matter where appropriate.
Further information on the legislative framework and regulatory approach for data breach notification is set out in Appendix A.
Who should use this guide?
This guide is for registered repository operators (RROs), registered portal operators (RPOs) and the PCEHR System Operator. It explains how RROs, RPOs and the System Operator can meet their mandatory data breach notification obligations under the PCEHR Act.
The guide does not apply to registered healthcare providers, unless the healthcare provider is also an RRO or RPO. Registered healthcare providers have separate reporting obligations under their participation agreement with the System Operator.
A healthcare provider wishing to report a data breach to the OAIC should consult the OAIC’s voluntary data breach notification guide: A guide to handling personal information security breaches.
RROs or RPOs that are state or territory authorities or instrumentalities of a state or territory have slightly different data breach notification obligations under the PCEHR Act (they must report data breaches to the System Operator but not to the OAIC). State and territory entities may also voluntarily report data breaches to their local privacy regulator in addition to reporting to the System Operator. However, although not aimed at them, this guide will be useful for state and territory entities, as the obligations imposed on state and territory entities and other RROs or RPOs are similar overall.
What is a data breach?
Under s 75 of the PCEHR Act, there are two types of data breach:
- An RRO, RPO or the System Operator becomes aware that a person has or may have contravened the PCEHR Act in a manner involving an unauthorised collection, use or disclosure of health information included in a consumer’s PCEHR
- An RRO, RPO or the System Operator becomes aware that an event has occurred or circumstances have arisen that compromise or may compromise the security or integrity of the PCEHR system.
RROs, RPOs and the System Operator must report a data breach if it directly involved, may have involved, or may involve them. In this guide, we call this a ‘notifiable data breach’ because a breach of this kind must be notified to the OAIC and the System Operator (as relevant).
For more information about what a notifiable data breach is, see Part 2.
What is data breach notification?
In general, data breach notification refers to an organisation or an agency notifying affected individuals and the appropriate privacy regulator of a breach involving personal information. It is usually one of a number of steps taken to address a data breach.
Under the PCEHR Act, an RRO or RPO must report a notifiable data breach to the OAIC and the System Operator. Guidance on the notification requirements for RROs and RPOs is given in Part 3. The System Operator must also report a notifiable data breach to the OAIC. The System Operator is also responsible for notifying affected consumers of a breach. For more information about the System Operator’s breach notification obligations, see Part 4.
What is the purpose of data breach notification?
Providing notification of a data breach involving personal information is consistent with good privacy practice, and is mandatory under the PCEHR Act for RROs, RPOs and the System Operator. The purpose of notification is to allow affected consumers to take any necessary action to protect their information and ensure the ongoing security and integrity of, and confidence in, the PCEHR system, in recognition of the sensitivity of the information it contains.
The PCEHR Act requires RROs, RPOs and the System Operator to take certain actions in response to a breach. These requirements aim to ensure that breaches are dealt with effectively and are prevented in future.
The purpose of notifying the OAIC
The OAIC is the regulator for the privacy aspects of the PCEHR system. By notifying our office, you allow us to determine the seriousness of the breach and decide whether an investigation is warranted. This is also an opportunity for you to explain to the OAIC what steps you have taken, or are taking, to contain the breach. With this information, the OAIC will be better equipped to provide advice on responding to the breach, and to address questions and complaints directed to our office from concerned members of the public.
More information about what information should be included in a notification to the OAIC can be found in Part 3. To find out more about the role of the OAIC, see Part 6.
The purpose of notifying the System Operator
By notifying the System Operator of a breach, you allow it to determine whether it needs to take corrective actions to help mitigate any loss or damage that may result from the breach. This ensures a coordinated approach to dealing with the breach. Depending on the nature of the breach, it may also allow the System Operator to warn other RROs and RPOs of a possible data security threat. Notifying the System Operator also allows the System Operator to notify the affected consumers or the general public as required so they can take any necessary steps to protect their information.
The purpose of the System Operator notifying affected consumers
The purpose of notifying affected consumers of a breach is first and foremost to keep consumers informed of how they may have been affected by a breach, and to enable them to take steps to mitigate any risks. Being open and transparent with individuals about the handling of their personal information is recognised as a fundamental privacy principle.
The System Operator is responsible for notifying affected consumers of a data breach. If an RRO or an RPO is the subject of a data breach, it must ask the System Operator to inform affected consumers. Breach notification to consumers should include explaining what has been done to try to avoid or remedy any actual or potential harm. Where personal information has been compromised, notification can be essential in helping individuals to regain control of that information.
More information
For more information about how to protect personal information, including through the development of a data breach response plan, see the OAIC’s Guide to securing personal information.
For more information about breach notification generally (such as voluntarily notifying regulators and individuals of a privacy breach that is not notifiable under the PCEHR Act), see the OAIC’s Data breach notification – A guide to handling personal information security breaches.
2. Notifiable data breaches
This part of the guide explains in more detail what a notifiable data breach is and gives some examples. As noted above, there are two types of data breaches under the PCEHR Act. Firstly, where there has or may have been an unauthorised collection, use or disclosure of health information included in a consumer’s PCEHR; secondly, where an event has occurred or circumstances have arisen that compromise or may compromise the security or integrity of the PCEHR system.
RROs, RPOs and the System Operator must report a data breach if it directly involved, may have involved, or may involve them.
A notifiable data breach may be intentional or accidental.
1. Unauthorised collection, use or disclosure
Part 4 of the PCEHR Act specifies when a collection, use or disclosure of health information in a consumer’s PCEHR is authorised. This includes collection, use and disclosure:
- for the purpose of providing healthcare to the consumer (in line with access controls set by the consumer or default access controls as applicable) (s 61)
- (disclosure) to a consumer’s nominated representative (in line with access controls set by the consumer or default access controls as applicable) (s 62)
- for the management or operation of the PCEHR system, if the consumer would reasonably expect it to be handled for that purpose, or in response to a request by the System Operator for the purpose of performing a function of the System Operator (s 63)
- in the case of a serious threat to an individual’s life, health or safety or to public health or public safety (provided certain conditions are met) (s 64)
- where required or authorised by another law (s 65)
- with the consumer’s consent (s 66)
- by the consumer (with regard to their own information) (s 67)
- for purposes relating to the provision of indemnity cover (s 68).
The PCEHR Act also authorises the System Operator to disclose health information in the following circumstances:
- to a court or tribunal when ordered or directed by the court or tribunal (s 69)
- for certain law enforcement purposes (s 70).
Any collection, use or disclosure of health information included in a consumer’s PCEHR within the PCEHR system that is not covered by these provisions will be unauthorised. For RROs, RPOs and the System Operator, an unauthorised collection, use or disclosure of health information included in a consumer’s PCEHR is a notifiable data breach that must be reported.
Unauthorised uses may include improperly accessing, viewing, modifying or deleting information included in a consumer’s PCEHR.
2. Compromise of the security or integrity of the PCEHR system
Events or circumstances that compromise or may compromise the security or integrity of the system must be reported under the PCEHR Act (even if there has not been an actual or potential contravention of the PCEHR Act involving unauthorised collection, use or disclosure of health information contained in a consumer’s PCEHR).
The PCEHR Act defines the ‘PCEHR system’ more widely than the database holding individual PCEHRs. See the glossary for the full definition.
Data breaches not covered by the PCEHR Act
There are some situations in which a breach does not have to be reported under the PCEHR Act. This could include, for example, where a data breach has not occurred through the use of the PCEHR system but rather through the use of an RRO’s or RPO’s local records (for example, an in-house IT system).
A breach does not have to be reported under the PCEHR Act if it does not involve an RRO or RPO or the System Operator. As noted above, the breach notification provisions in the PCEHR Act only apply to RROs, RPOs and the System Operator if a notifiable breach occurs that involves them. Involvement in a notifiable data breach generally means that the breach occurred:
- because of the actions of a member of staff (or a contractor) of the entity
- in connection with the entity’s access to or use of the PCEHR system
- in relation to the entity’s IT or other systems which directly feed into or interoperate with the PCEHR system.
Example: The System Operator receives a complaint from a registered consumer claiming that her audit log is showing activity in her PCEHR that does not seem right. The audit log also shows that she has accessed her record when she claims she has not. The System Operator temporarily suspends access to the complainant’s registration and consequently access to their record while it investigates the complaint. The System Operator’s review of the security protecting the record does not show any evidence that system security has been compromised. Further investigations by the System Operator and advice from the complainant suggest that a breach may have occurred in relation to the complainant’s home computer. As the System Operator was not directly involved in this breach (it involved the complainant’s home IT system rather than the System Operator’s system), the System Operator does not have to report the breach to the OAIC.
3. Reporting requirements for RROs and RPOs
When to report a notifiable data breach
RROs and RPOs must report all notifiable data breaches that they are involved in, may be involved in or may have been involved in.
The reporting obligation is triggered when the entity becomes aware that a notifiable data breach has occurred.
For notifiable data breaches involving possible PCEHR Act contraventions, the obligation to report is triggered when the RRO or RPO becomes aware that a person has, or may have, contravened the PCEHR Act as a result of the unauthorised collection, use or disclosure of health information included in a consumer’s PCEHR.
For notifiable data breaches relating to security or integrity of the PCEHR system, the obligation is triggered when the System Operator, RRO or RPO becomes aware that an event has occurred or circumstances have arisen that expose or place at risk (or may expose or place at risk) the features or functions of the PCEHR system that go to the ongoing operation of the system and the protection of the records contained in the system.
As the reporting obligation is triggered by awareness of the occurrence of the relevant event or circumstances, any subsequent steps by the entity to rectify a problem or contain a breach do not relieve the entity of the obligation to report the breach if the event or circumstances did compromise or may have compromised the system at the time the entity became aware of it.
RROs and RPOs must report notifiable data breaches as soon as practicable after becoming aware of the breach. However, reporting the breach should not be at the expense of initial efforts to contain it. The OAIC recognises that some information about the breach may not be available when an initial report is made. This should not delay reporting, as further information can be provided when it becomes available.
If there is uncertainty about whether the breach is notifiable under the PCEHR Act, the OAIC recommends reporting the breach. The OAIC’s response to the breach will not necessarily be different if the breach report is voluntary or mandatory, but reporting the breach will mean that entities can be confident that they are meeting their obligations under the PCEHR Act.
Who to report a notifiable data breach to
RROs and RPOs must report notifiable data breaches to both the OAIC and the System Operator. RROs and RPOs cannot notify affected consumers directly about the breach, but must ask the System Operator to do this on their behalf. This is a separate step from reporting the notifiable data breach and must also be carried out as soon as practicable after becoming aware of the breach.
How to report a notifiable data breach
Reporting of notifiable data breaches should preferably be in writing, although notification by other means will also meet the requirements to notify as set out in the PCEHR Act. In urgent cases, the OAIC encourages preliminary notification followed by more detailed notification.
The OAIC plans to make a notification form available on its website. Once it is available, we prefer that you use that form.
If you are not using the data breach notification form, you can notify the OAIC of breaches using the following contact details:
Telephone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: GPO Box 5218, Sydney NSW 2001
Facsimile: 02 9284 9666.
As a separate step, you must contact the System Operator by email at pcehr.compliance@health.gov.au to provide the same details and, if known, tell the System Operator who the affected individuals are so that the System Operator can notify them of the breach. See Part 5 for more information about notification of affected individuals.
If you do not use the form to notify the OAIC, you should make sure the notification you provide through other means (such as via email, hard copy correspondence or telephone) includes all of the information listed below.
What to include in a breach notification
Use of the OAIC’s mandatory data breach notification form (once available) will assist you to provide the correct information. If not using the form, notifications to the OAIC and the System Operator should include the following details (where applicable):
- a description of the breach outlining the suspected unauthorised collection, use or disclosure or threat to the security or integrity of the PCEHR system
- the type of personal information involved
- how many consumers were or may have been affected
- when the breach occurred
- what caused the breach
- whether the breach was inadvertent or intentional
- when and how you became aware of the breach
- whether the breach has been contained
- what action has been taken or is being taken to mitigate the effect of the breach and/or prevent further breaches
- whether the breach appears to stem from a systemic issue or an isolated trigger
- any other entities involved
- whether your organisation has experienced a similar breach in the past
- any measures that were already in place to prevent the breach
- whether a data breach response plan was in place, and if it has been activated
- the name and contact details of an appropriate person within your organisation
- any other relevant factors.
The appropriate amount of detail to include in the notification will depend on the nature of the breach. Where an entity identifies that a breach is minor, isolated or contained, it may be appropriate for the entity to focus on providing a brief overview of the breach, the consequences (if any) of the breach and the follow-up actions taken by the entity. In contrast, where an entity identifies that a breach is serious, widespread or ongoing (for example, because the breach affects or potentially affects a large number of individuals; the effect of the breach is or is likely to be significant for the individuals; or the factors leading to the breach have not yet been identified or addressed), more detailed information will be required in the notification.
As noted below, if the OAIC considers that further details are needed about the data breach and related issues, it will ask you to provide additional information.
Do not include information about the identities of affected individuals in your notification. You should provide this information separately to the System Operator as part of the process set out in Part 5 of this guide.
What happens when you report a notifiable data breach to the OAIC
The OAIC will assess each notification it receives to determine:
- if it contains sufficient information about the breach
- if appropriate action has been or is being taken
- if further action is warranted.
The OAIC will then consider whether the circumstances warrant opening an investigation (see Part 6), or whether to provide advice about further steps the entity could take in relation to the breach.
What happens if a notifiable data breach is not reported
The Information Commissioner has the power to seek a civil penalty if an RRO or RPO fails to report a notifiable data breach, or does not report a notifiable data breach as soon as practicable. This includes where an RRO or RPO:
- fails to report a breach as soon as practicable after becoming aware of it
- reports a breach to only the System Operator but not to the OAIC, or vice versa.
The civil penalty is an amount up to 100 penalty units (currently $18,000 for an individual and $90,000 for a body corporate).
The Information Commissioner has prepared the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 which outline the Commissioner’s approach to the use of enforcement powers under the PCEHR Act and related legislation.
4. The System Operator’s requirements for notifiable data breaches
Notifying the OAIC about breaches the System Operator is involved in
The System Operator must report all notifiable data breaches it is involved in, may be involved in, or may have been involved in, to the OAIC. The System Operator should apply the same guidance on notification obligations, and follow the same reporting process and requirements, that are set out above in the section for RROs and RPOs.
There is no penalty if the System Operator fails to report a notifiable data breach to the OAIC. However, the OAIC may investigate if it has reason to suspect that a notifiable data breach has not been reported.
Notifying consumers about notifiable data breaches
Section 75 of the PCEHR Act requires that consumers affected by a notifiable data breach are notified of the breach. Only the System Operator is responsible for notifying consumers of a breach.
The System Operator must notify all affected consumers if:
- The System Operator has been involved in a notifiable data breach
- An RRO or RPO has been, or may be, involved in a notifiable data breach, has reported the breach to the System Operator, and has asked the System Operator to notify consumers.
If a significant number of consumers are affected, the System Operator must notify the general public, in addition to notifying the affected consumers individually.
The System Operator must notify all affected consumers of the data breach. This includes notifying consumers who have cancelled their PCEHR but are affected by the breach.
The System Operator should issue notifications to consumers as soon as practicable after becoming aware of the breach, to help consumers mitigate the effects of the breach.
The information in a notification to affected consumers should assist them to reduce or prevent any harm that could be caused by the breach. The information that should be included, and the method of notification, will depend on what the System Operator considers practicable in the circumstances of the particular breach. However, as a guide, the types of information that could be included and recommended notification methods are outlined in Data breach notification — A guide to handling personal information security breaches.
5. Responding to a notifiable data breach
The PCEHR Act requires RROs, RPOs and the System Operator to take the following steps as soon as practicable after becoming aware of a breach (in addition to reporting the breach).
Entities that fail to carry out these steps will not be subject to a civil penalty, but they may be subject to an investigation under the PCEHR Act or the Privacy Act. Depending on the circumstances, they may also have their registration under the PCEHR system varied, cancelled or suspended by the System Operator.
RROs and RPOs should undertake steps 1 and 2, as detailed below, either simultaneously or in quick succession and ask the System Operator to undertake step 3 at the same time or as soon as possible. The System Operator should endeavour to undertake steps 1, 2 and 3 either simultaneously or in quick succession.
In addition, the entity should have an existing data breach response plan that reflects and implements these steps in the context of that specific entity. A data breach response plan is a document which sets out the framework for an entity’s response to a data breach. For example, a plan could set out contact details for appropriate staff to be notified, clarify the roles and responsibilities of staff, and document processes which will assist the agency or organisation to contain breaches, coordinate investigations and breach notifications, and cooperate with external investigations. A data breach response plan that includes procedures and clear lines of authority may assist in ensuring a quick response to breaches, and in providing greater potential for containing breaches and mitigating harm.
Step 1: Contain the breach and undertake a preliminary assessment
Action | Details |
---|---|
Contain the breach | Take whatever steps are appropriate to immediately contain the breach. This could include, for example, stopping the unauthorised practice or, if appropriate, shutting down the repository or portal that was breached. If it is not practical to shut down the repository or portal, or if this would result in loss of evidence, then it may be necessary to revoke or change computer access privileges or address weaknesses in physical or electronic security. Assess whether steps can be taken to mitigate the harm consumers may suffer as a result of the breach. |
Undertake a preliminary assessment of the causes | Quickly appoint someone to lead the initial assessment (if you have a data breach response plan in place, you may already have identified a breach response team). This person should be suitably experienced and have sufficient authority to conduct the initial investigation, gather any necessary information and make initial recommendations. A more detailed evaluation may subsequently be required. The preliminary assessment should consider the following questions: what personal information was or may have been involved in the breach? What was the cause of the breach? What is the extent of the breach? What harm or humiliation to individuals could be caused by the breach? |
Ensure that all relevant parties are notified as soon as practicable | Determine who needs to be made aware of the breach (internally and externally) at this preliminary stage. As required under s 75(2), the OAIC and/or System Operator must be notified as soon as practicable. Affected consumers will also need to be notified by the System Operator (these are mandatory requirements under the PCEHR Act). Escalate the matter internally as appropriate: inform the person or group within the entity responsible for privacy compliance and/or inform relevant internal investigation units. |
Other matters | Ensure appropriate records of the suspected breach are maintained, including the steps taken to rectify the situation and the decisions made. |
Step 2: Evaluate any risks that may be related to or arise from the breach
(a) Consider the type of personal information involved
Considerations | Comments and examples |
---|---|
Does the type of personal information that has been compromised create a greater risk of harm? | Some information is more likely to cause a consumer harm if it is compromised, whether that harm is physical, financial or psychological. For example, an inappropriate disclosure of a consumer’s health information may pose a greater risk of harm or humiliation to a consumer than, for instance, their name or address in isolation. A combination of personal information typically creates a greater risk of harm than a single piece of personal information. If there have been other breaches, the combined information disclosed could increase the risk. |
Who is affected by the breach? | Does the breach affect individual consumers, a large number of consumers, contractors, service providers, or other entities? |
(b) Determine the context of the breach
Considerations | Comments and examples |
---|---|
What is the context of the personal information involved? What parties have gained unauthorised access to the affected information? | The sensitivity of personal information also depends on the context. For example, disclosing information to others known to the individual is more likely to cause humiliation. As outlined above, some types of personal and health information are likely to be more sensitive than others. |
How could the personal information be used? | Could the information be used for fraudulent or other harmful purposes, such as to cause significant embarrassment to the affected consumer? Could the compromised information be easily combined either with other compromised information or with publicly available information to create a greater risk of harm to the consumer? |
(c) Establish the cause and extent of the breach
Considerations | Comments and examples |
---|---|
Is there a risk of ongoing breaches or further exposure of the information? | What was the extent of the unauthorised collection, use or disclosure of personal information, including the number and nature of likely recipients and the risk of further access, use or disclosure, including via mass media or online? |
Is the personal information adequately encrypted, de-identified or otherwise not easily accessible? | Is the information rendered unreadable by security measures that protect the stored information? Is the information displayed or stored in such a way that it cannot be used if breached? |
What was the source of the breach? | For example, did it involve external or internal malicious behaviour, or was it an internal processing error? Does the information seem to have been lost or misplaced? The risk of harm to the consumer may be less where the breach is unintentional or accidental, rather than intentional or malicious. |
What steps have already been taken to mitigate the harm? | Has the breach been contained? Has the full extent of the breach been assessed? Are further steps required? |
Is this a systemic problem or an isolated incident? | When checking the source of the breach, it is important to check whether any similar breaches have occurred in the past, or could occur in future if changes are not made. Sometimes, a breach can signal a deeper problem. This may also reveal that more information has been affected than initially thought, potentially heightening the risk. |
How many consumers are affected by the breach? | If the breach is a result of a systemic problem, there may be more consumers affected than first anticipated. Even where the breach involves accidental and unintentional misuse of information, if the breach affects many consumers, this may create greater risks that the information will be misused. The entity’s response should be proportionate. While the number of affected individuals can help gauge the severity of the breach, it is important to remember that even a breach involving the personal information of only one or two consumers can be serious, depending on the information involved. |
(d) Assess the risk of harm to the affected consumers
Considerations | Comments and examples |
---|---|
Who is the recipient of the information? | Is there likely to be any relationship between the unauthorised recipients of the information and the affected consumers? For example, was the disclosure to an unknown party or to a person with whom the individual has a difficult relationship, or was the recipient a trusted, known entity or person that would reasonably be expected to return or destroy the information without disclosing or using it? For example, was the information disclosed to a former authorised representative of the consumer or to another party bound by professional duties of confidentiality or ethical standards? |
What harm to consumers could result from the breach? | Examples include: |
(e) Assess the risk of other harms
Considerations | Comments and examples |
---|---|
Other possible harms, including to the entity that suffered the breach | Examples include: |
Step 3: Ask the System Operator to notify affected consumers and the general public
Considerations | Comments |
---|---|
When to notify | Under s 75(4), it is mandatory to notify all affected consumers of a notifiable data breach as soon as practicable. |
Who should notify consumers? | Only the System Operator can notify affected consumers about notifiable data breaches. Where an RRO or RPO is involved in a breach, it must ask the System Operator to notify all affected consumers. The System Operator must comply with the request. If the System Operator is involved in a breach, it must notify affected consumers. |
Who should be notified? | All affected consumers should be notified about a notifiable data breach. Where a significant number of consumers are affected, the System Operator must also notify the general public. |
Step 4: Take steps to prevent or mitigate the effects of further breaches
Good privacy practice is not just important for ensuring compliance with the requirements of the PCEHR Act and Privacy Act. If an entity mishandles the personal information of its clients or customers, this can cause loss of trust and considerable harm to the entity’s reputation. Additionally, if personal information that is essential to an entity’s activities is lost or altered, this can have a serious impact on its capacity to perform its functions or activities.
With this in mind, after assessing the causes of the breach and any associated risks, the RRO, RPO or System Operator should set up a plan of action to prevent further breaches, as well as a data breach response plan to respond to future breaches, or review existing plans. Planning should include actions that are proportionate to the significance of the breach, and take into account whether it was a systemic breach or an isolated event.
For suggested preparations for responding to a data breach and tips for preventing future breaches see Data breach notification – A guide to handling personal information security breaches. For more general information on steps and strategies to take to protect personal information see the OAIC’s Guide to securing personal information. The Guide to securing personal information outlines appropriate security safeguards for personal information such as the use of privacy enhancing technologies, conducting privacy impact assessments, policy development, complaint handling, contract management and staff training.
6. Regulation of notifiable data breach reporting
Enforcement
The OAIC has the role of receiving breach notifications from RROs, RPOs and the System Operator, and can seek a civil penalty if an RRO or RPO does not report a notifiable data breach. The functions and enforcement powers available under the PCEHR Act give the Information Commissioner the ability to:
- use existing Privacy Act investigative and enforcement mechanisms, including Commissioner initiated investigations, conciliation of complaints, formal determinations and audits/assessments
- accept voluntary enforceable written undertakings from an entity requiring them to take or refrain from taking specified action(s) to comply with the PCEHR Act. These may be enforced by the courts
- seek an injunction (order) from the courts to prohibit or require particular conduct
- seek a civil penalty from the courts.
The Information Commissioner has published the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 which outline the Commissioner’s approach to the use of enforcement powers under the PCEHR Act and related legislation. The Guidelines are available on the OAIC’s website.
Investigations in relation to notifiable data breaches
The OAIC may conduct investigations and take enforcement action relating to notifiable data breaches in relation to:
- a reporting entity’s compliance with its notifiable data breach reporting obligations (described in this guide)
- a possible data breach by an entity.
Investigating notifiable data breach reporting obligations
If it appears that an entity may not have complied with its notifiable data breach reporting obligations, the OAIC may open a Commissioner initiated investigation. The OAIC may be alerted to this possibility by, for example, media coverage, anonymous tip-offs, individual complaints where no corresponding notifiable data breach report has been received, or notifiable data breaches that are reported to the System Operator but not the OAIC (or vice versa). Even if the OAIC does not investigate a possible breach (see below), it may still investigate the reporting entity’s compliance with its data breach reporting obligations.
Investigating possible notifiable data breaches
If the OAIC receives complaints from affected consumers about a possible data breach, it will consider whether to open an investigation, but in some situations it will not investigate. For example, it will generally not investigate where:
- the complainant has not complained to the entity first and given it the opportunity to respond (generally within 30 days of the complaint being made)
- the entity has adequately dealt with the matter
- the complaint was made more than 12 months after the complainant became aware of the matter
- the complaint is frivolous, vexatious, misconceived or lacking in substance.
Where the consumer has been unable to resolve the matter with the reporting entity directly, the OAIC may attempt to resolve the matter by conciliation between the parties. Where appropriate, the Commissioner may make determinations requiring certain remedies. Determinations can be enforced by the Federal Court or Federal Circuit Court of Australia.
If the OAIC receives a notifiable data breach report but receives no complaint from the affected individual(s), it will assess whether a Commissioner initiated investigation into the breach is warranted. The criteria the OAIC may use to open a Commissioner initiated investigation include:
- the significance of the breach and sensitivity of the personal information involved
- whether a large number of consumers have been, or are likely to be affected, and the possible consequences for those consumers
- the likelihood that the breach is due to systemic issues within the reporting entity
- how the reporting entity has responded to the data breach, including whether the entity has followed the response requirements of the PCEHR Act
- the systems and processes the reporting entity had in place before the breach occurred
- whether the breach has been adequately dealt with in the OAIC’s opinion
- the progress of the entity’s own investigation into the matter. If the OAIC receives a notifiable data breach report while the entity’s internal investigation is underway, the OAIC may wait until the internal investigation is complete
- whether another body, such as the police, is investigating the breach.
This is not an exhaustive list and the Information Commissioner may take any other relevant matters into account when deciding whether to open a Commissioner initiated investigation.
7. Data breach response process diagram
System Operator, RRO or RPO becomes aware of a data breach
Notifiable data breach
The PCEHR Act requires reporting entities to report data breaches under the PCEHR system where they become aware that:
- a person has or may have contravened the PCEHR Act involving an unauthorised collection, use or disclosure of health information in a consumer’s eHealth record; or
- an event occurs or circumstances have arisen which has or may compromise the security or integrity of the PCEHR system
and the entity is, has been or may be involved in the contravention or event.
Report the data breach
The data breach must be reported as soon as practicable.
RROs and RPOs must report notifiable data breaches to both the System Operator and the OAIC (state and territory entities are only required to report breaches to the System Operator).
The System Operator must report all notifiable data breaches it is involved in, may be involved in or may have been involved in to the OAIC.
Other key steps in responding to a notifiable data breach
These steps should be undertaken simultaneously or in quick succession.
Step 1: Contain the breach as much as reasonably practicable and undertake a preliminary assessment of the causes
- Take immediate steps to contain the breach.
- Designate person/team to coordinate response.
Step 2: Evaluate the risks associated with the breach
- Consider what personal information is involved.
- Determine whether the context of the information is important.
- Establish the cause and extent of the breach.
- Identify the risk of harm.
Step 3: Notify affected consumers and the general public
- RROs and RPOs must ask the System Operator to notify all affected consumers (and the general public where appropriate) of the breach on their behalf. The System Operator must comply with the request.
- The System Operator must notify all affected consumers (and the general public where appropriate) of the breach.
Step 4: Review the incident and take action to prevent future breaches
- Establish a management team and fully investigate the breach.
- Review or develop the data breach response plan.
- Implement measures to prevent further breaches, such as privacy enhancing technologies.
- Regularly review internal policies, procedures and staff training practices.
- Review service delivery partners and conduct due diligence where services are contracted.
Other breach notification processes
- A privacy breach has occurred that does not involve the PCEHR system.
Entities should follow the OAIC’s Data breach notification – A guide to handling personal information security breaches when considering reporting data breaches voluntarily.
Maintain information security
To protect information from misuse, loss and unauthorised access, modification or disclosure, reporting entities should consider:
- the sensitivity of the personal information
- the harm likely to flow from a security breach
- developing a compliance and monitoring plan
- regularly reviewing their information security measures.
8. Compliance checklist
This checklist is only a summary of reporting entities’ key data breach obligations under s 75 of the PCEHR Act. Penalties, including civil penalties, may apply for non-compliance with data breach notification obligations.
For RROs, RPOs and the System Operator:
- We have reported the breach as soon as practicable after becoming aware of it.
- We have taken steps to contain the breach (as far as is reasonably practicable).
- We have undertaken a preliminary assessment of the causes of the breach.
- We have evaluated any risks that may be related to or arise from the breach.
- We have taken steps to prevent or mitigate the effects of further breaches.
For RROs and RPOs who are a State/Territory authority:
- We have reported the breach to the System Operator.
- We have told the System Operator which consumers were affected and asked the System Operator to notify those consumers of the breach.
For other RROs and RPOs:
- We have reported the breach to both the OAIC and the System Operator.
- We have told the System Operator which consumers were affected and asked the System Operator to notify those consumers of the breach.
For the System Operator:
- We have reported the breach to the OAIC.
- We have notified the affected consumers (and the general public if a significant number of consumers are affected).
Glossary
Consumer means an individual who has received, receives or may receive healthcare. The terms ‘consumer’ and ‘individual’ are used interchangeably throughout this guide.
Data breach means, in general terms, when personal information is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse. This term is not defined in the PCEHR Act, however it has entered into common usage in Australia and in various other jurisdictions. ‘Notifiable data breach’ is used in this guide to describe particular kinds of data breaches (see definition below).
Entity has the meaning set out in s 5 of the PCEHR Act:
- a person; or
- a partnership; or
- any other unincorporated association or body; or
- a trust; or
- a part of an entity (under a previous application of this definition).
In this guide, ‘reporting entity’ refers to specific kinds of entities (see definition below).
Health information has the meaning set out in s 5 of the PCEHR Act (which is broadly similar to the definition under the Privacy Act):
- information or an opinion about:
- the health or a disability (at any time) of an individual; or
- an individual’s expressed wishes about the future provision of health services to him or her; or
- healthcare provided, or to be provided, to an individual;
that is also personal information; or
- other personal information collected to provide, or in providing, healthcare; or
- other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
- genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Healthcare provider organisation has the meaning set out in s 5 of the PCEHR Act:
an entity that has conducted, conducts, or will conduct, an enterprise that provides healthcare (including healthcare provided free of charge).
Note: Because of paragraph (e) of the definition of entity, a healthcare provider organisation could be a part of an entity.
A healthcare provider organisation could be an individual, such as a sole practitioner.
The National Repositories Service is a data repository which will store certain key records that form part of a registered consumer’s PCEHR, including a consumer’s shared health summary.
Notifiable data breach is used in this guide to refer to the events described in s 75(1) of the PCEHR Act. For more information, see Part 2.
Notification to the OAIC means notification in writing.
OAIC means the Office of the Australian Information Commissioner.
PCEHR means a personally controlled electronic health record.
PCEHR Act means the Personally Controlled Electronic Health Records Act 2012 (Cth).
PCEHR system means a system:
- that is for:
- the collection, use and disclosure of information from many sources using telecommunications services and by other means, and the holding of that information, in accordance with consumers’ wishes or in circumstances specified in this Act; and
- the assembly of that information using telecommunications services and by other means so far as it is relevant to a particular consumer, so that it can be made available, in accordance with the consumer’s wishes or in circumstances specified in this Act, to facilitate the provision of healthcare to the consumer or for purposes specified in this Act; and
- that involves the performance of functions under this Act by the System Operator.
Personal information has the meaning as set out in s 6 of the Privacy Act:
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
Privacy Act means the Privacy Act 1988 (Cth).
A registered portal operator (RPO) means a person that:
- is the operator of an electronic interface that facilitates access to the PCEHR system; and
- is registered as a portal operator under s 49 of the PCEHR Act.
A registered repository operator (RRO) means a person that:
- holds, or can hold, records of information included in personally controlled electronic health records for the purposes of the PCEHR system; and
- is registered as a repository operator under s 49 of the PCEHR Act.
Reporting entity is used in this guide to refer to a registered portal operator, registered repository operator, or the System Operator.
A state or territory entity means a state or territory authority or instrumentality. ‘State or territory authority’ is defined in s 6 of the Privacy Act.
The System Operator manages and operates the core aspects of the PCEHR system. The Secretary of the Department of Health is currently the System Operator.
A use of health information included in a consumer’s PCEHR is defined under the PCEHR Act to include:
- accessing the information;
- viewing the information;
- modifying the information; and
- deleting the information.
NB: Unless otherwise stated terms used in this guide have the same meaning as in the PCEHR Act.
Appendix A: Data breach notification: legislative framework and regulatory approach
The breach notification provisions in the PCEHR Act
The breach notification provisions are outlined in s 75 of the PCEHR Act. In summary, s 75 sets out:
- which entities have mandatory notification obligations
- what contraventions, events or circumstances constitute a notifiable data breach under the PCEHR Act
- when and to whom an RRO, RPO or the System Operator should report a notifiable data breach
- the other actions these entities must take in response to such a breach.
Sections 75(2) and 79 of the PCEHR Act establish civil penalties for the failure of an RRO or RPO to report a notifiable data breach to the System Operator and the OAIC as soon as practicable after becoming aware of the breach.
Entities to which the breach provisions apply
Sections 75(1)(a) and (b) state that the breach notification provisions apply to an entity if the entity is, or has at any time been, the System Operator, an RRO or an RPO and the entity becomes aware of a notifiable data breach.
Types of data breaches that must be reported
Under s 75(1)(b) and (c), a notifiable data breach occurs if an RRO, RPO or the System Operator becomes aware that:
- a person has, or may have, contravened the PCEHR Act in a manner involving an unauthorised collection, use or disclosure of health information included in a consumer’s PCEHR; or
- an event has occurred or circumstances have arisen (regardless of whether there has been a contravention of the PCEHR Act) that compromise, or may compromise, the security or integrity of the PCEHR system; and
- the contravention, event or circumstances directly involved, may have involved or may involve the RRO, RPO or System Operator.
When and to whom an RRO, RPO or the System Operator must report a breach
Section 75(2)(b) states that an RRO or RPO must notify both the System Operator and the Information Commissioner as soon as practicable after becoming aware of the contravention, event or circumstances (the notifiable data breach).
Section 75(3) states that the System Operator must notify the Information Commissioner as soon as practicable after becoming aware of a notifiable data breach, if the breach directly involved, may have involved or may involve the System Operator.
Other actions that must be taken to deal with a breach
Section 75(4) states that an RRO, RPO or the System Operator must also, as soon as practicable after becoming aware of a notifiable data breach:
- so far as is reasonably practicable, contain the breach and undertake a preliminary assessment of the causes
- evaluate any risks that may be related to or arise out of the breach
- if the entity is the System Operator
- notify all affected consumers
- if a significant number of consumers are affected, notify the general public
- if the entity is an RRO or RPO – ask the System Operator
- to notify all affected consumers
- if a significant number of consumers are affected, to notify the general public
- take steps to prevent or mitigate the effects of further contraventions, compromise or possible compromise of the security or integrity of the PCEHR system.
Part 5 provides more information on how RROs, RPOs and the System Operator can meet their obligations under s 75(4).
The PCEHR Act and the Privacy Act
The handling of a consumer’s health information using the PCEHR system may be covered by both the Privacy Act and the PCEHR Act. The Information Commissioner has enforcement powers under both Acts and may choose to investigate a notifiable data breach under either Act depending on the circumstances. For more information about the role of the Information Commissioner in regulating the privacy aspects of the PCEHR system, see below and Part 6.
The Privacy Act
The Privacy Act regulates the handling of personal information by the System Operator and all private sector healthcare provider organisations. More generally, the Privacy Act applies to private sector organisations (not including small businesses) and to Australian Government and Norfolk Island agencies.
The Privacy Act establishes a number of privacy principles that regulate the collection, use, disclosure and secure storage of personal information. A breach of a privacy principle by an entity is an ‘interference with the privacy of an individual’ for the purposes of the Privacy Act. Under the Privacy Act, the OAIC can investigate complaints about alleged interferences with the privacy of an individual.
The interaction of the Privacy Act and the PCEHR Act
Parts 4 and 5 of the PCEHR Act contain provisions that regulate the collection, use and disclosure of personal information by participants. This creates some overlap between the PCEHR Act and the privacy principles in the Privacy Act.
There are two main ways that the Privacy Act and PCEHR Act manage this overlap.
First, certain privacy principles in the Privacy Act contain exceptions to allow collection, use or disclosure of personal information where it is required or authorised by law. For example, disclosure of personal information that is otherwise prohibited under the Privacy Act would be allowable if it were required by the PCEHR Act. Other privacy principles in the Privacy Act, such as those relating to collection notices, data security and data accuracy, continue to apply.
Second, the PCEHR Act states that any breach of that Act in connection with health information included in a consumer’s PCEHR is an ‘interference with privacy of the consumer’ for the purposes of the Privacy Act. This triggers the Information Commissioner’s enforcement and investigation powers under the Privacy Act. The PCEHR Act contains additional enforcement powers that recognise and aim to protect the sensitivity of health information.
Whether the PCEHR Act applies to a particular act or practice will depend on whether the act or practice was related to the PCEHR system. For example, general handling of health information that does not use the PCEHR system, such as within an entity’s own IT system or paper records, will not be covered by the PCEHR Act, but is likely to be covered by the Privacy Act (because the entity will be handling personal information).
Information security provisions in the Privacy Act and the PCEHR Act
RROs, RPOs and the System Operator should take care to comply with their information security obligations under the Privacy Act. Entities that have complied with their security obligations will be less likely to experience a notifiable data breach. If a breach does occur, the Information Commissioner may ask the entity to demonstrate how it met its Privacy Act obligations.
Security principles under the Privacy Act generally require organisations (such as some RROs and RPOs) and agencies (such as the System Operator) to take reasonable steps to protect the information they hold from misuse and loss and from unauthorised access, modification or disclosure.
These security principles operate in addition to any specific security provisions contained in the PCEHR Act and subordinate legislation. Complying with the provisions of the PCEHR Act may help an entity meet its security obligations under the Privacy Act, however the entity must also take all ‘reasonable steps’ to secure the information, as required by the Privacy Act. More information about how to comply with security principles in the Privacy Act can be found in the OAIC’s Guide to securing personal information.
Role of the Information Commissioner under the PCEHR system
The OAIC is an independent statutory agency headed by the Information Commissioner. The Information Commissioner is supported by the Privacy Commissioner, the Freedom of Information Commissioner and the staff of the OAIC. The OAIC regulates the Privacy Act and the Freedom of Information Act 1982 (Cth), and works to advance the development of consistent, workable information policy across all Australian Government agencies.
The OAIC regulates the handling of personal information in the PCEHR system by individuals, Australian government agencies, private sector organisations and some state and territory agencies (in particular circumstances). The OAIC has been given a range of functions and powers to carry out its regulatory role in the PCEHR system.
The OAIC’s functions and powers in relation to notifiable data breaches include:
- accepting reports about notifiable data breaches
- providing advice to reporting entities
- conducting investigations to assess reporting entities’ compliance with their obligations under the PCEHR Act
- investigating reported breaches
- taking enforcement action, where the circumstances warrant it.
The regulatory section of this guide (see Regulation of notifiable data breach reporting) sets out the circumstances in which the OAIC will conduct an investigation about a notifiable data breach and the OAIC’s enforcement powers. The section ‘What happens when you report a notifiable data breach to the OAIC?’ outlines the actions the OAIC may take when it receives a report, including its role in providing advice to reporting entities about complying with their obligations under the Act.
For more information about the regulation of data breach notification, see Part 6.
Role of the System Operator
The System Operator manages and operates core aspects of the PCEHR system. The functions of the System Operator are set out in s 15 of the PCEHR Act and include:
- registration of consumers, healthcare providers, repository operators, portal operators and contracted service providers
- maintaining the National Repositories Service, system access controls, a clinical document index service and audit service
- establishing a complaint handling framework
- education of participants in the system.
The System Operator also receives notifiable data breaches from RROs and RPOs. It will liaise with the OAIC and may investigate breaches, take corrective actions and help the reporting entity to mitigate any loss or damage that may result from the breach. The System Operator is required to notify affected consumers of a breach and, where a significant number of consumers are affected, the general public. The System Operator cannot seek civil penalty orders if a reporting entity fails to report a notifiable data breach to it, but it may cancel, suspend or vary the registration of an RRO or RPO.
If the System Operator has or may have been involved in a notifiable data breach, it must report the breach to the Information Commissioner. For more information about the System Operator’s breach notification obligations, see Part 4.