Mandatory Notifiable Data Breaches scheme - What you need to know


IMPORTANT: Notifiable data breaches

From Thursday 22 February 2018, businesses that keep data on their clients will need to inform the Office of the Australian Information Commissioner and all of their affected clients if there is an ‘eligible data breach’ (a data breach that is likely to result in serious harm), commonly referred to as being "hacked". An eligible data breach occurs where:

  • there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or
  • such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure, and
  • there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.

Relevant data includes identifying information, payment details, case notes and records of communications between you and the client.

A real risk of "serious harm" can include physical, psychological, emotional, economic and financial harm, and also includes serious harm to reputation.

All social workers who keep client files need to be aware of the Privacy Amendment (Notifiable Data Breaches) Act 2017 and their obligations under it.

The Office of the Australian Information Commissioner has released a guide titled Data breach preparation and response - A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) (Privacy Act).

The guide consolidates information provided in the Data breach notification - A guide to handling personal information security breaches released in 2014, the Guide to developing a data breach response plan released in 2016, and the resources published to assist entities in complying with the Notifiable Data Breaches (NDB) scheme last year. In addition to outlining the key requirements relating to data breaches in the Privacy Act, including personal information security requirements and the obligations of the Notifiable Data Breaches scheme, the guide covers other key considerations in developing a robust data breach response strategy. These include the key steps to take when a breach occurs, the capabilities of staff, and governance processes.

Information about how to comply with the new legislation is available here.

We would advise that social workers in private practice consider taking out cyber risk insurance so that they are covered if client files kept on electronic devices are compromised.

Failure to comply with the Notifiable Data Breaches scheme can attract fines of up to $2.1 million.