Practice Managers: Do you know what to do if there is a data breach at your practice?
Practice Managers Australia • Sep 01, 2022

Notifiable Data Breach Scheme

Going, going, gone are the days of completely paper-based medical practices. Technology is everywhere in the modern office, with digital records and communication becoming the new norm. With technology come breaches. Whether it is the ever-present threat of hackers or something as inadvertent as a wrong email address, in the sphere of medical practices the data held contains highly sensitive information about individuals, and a breach of this information could have disastrous consequences.

If you are working as a Practice Manager in the private health sector, you may already have an understanding of the NDB scheme (Notifiable Data Breach scheme). If not, read on to find out more about this critical component of your practice.

What is the Notifiable Data Breach Scheme?

Introduced to the Privacy Act 1988 in 2017, the Notifiable Data Breach scheme was created to ensure that mandatory notification and control requirements are put in place for any serious breaches of personal information held by an organisation. A data breach can occur when personal information is lost, or is subject to unauthorised access or disclosure, whether that access or disclosure is deliberate or inadvertent.

What are the criteria for determining eligibility?

There are three criteria that must all be met for a breach to be an eligible data breach:
  • Unauthorised access to, unauthorised disclosure of, or loss of personal information
  • The breach may cause serious harm, including physical, psychological, emotional, financial or reputational harm, to one or more individuals
  • The practice/business has not been able to prevent the risk of harm with remedial action

Who does the scheme apply to?

According to the OAIC (Office of the Australian Information Commissioner), the scheme applies to Australian Government agencies, and to private sector and not-for-profit organisations with an annual turnover of more than $3 million. The Act also covers some small businesses with an annual turnover of $3 million or less, including all private sector health service providers, such as day surgeries, medical practitioners and allied health professionals, to name a few.

How does this affect our practice and why is it so important?

Firstly, it’s a legal obligation. However, regardless of the legal ramifications, it is something to take seriously in order to limit the harm caused to the individual(s) affected, retain the integrity of your business and preserve the trust relationship with your clients/patients.

In a medical practice, given the sensitive nature of the data held by the business, it is imperative to create a data breach response plan so that steps can be taken quickly if a breach occurs or is suspected. As the Practice Manager, it is likely that you will work with the directors of the business on the particulars of the plan. It will then be your responsibility to make staff aware of where they can access a copy of the plan, who is responsible for implementing the plan, and the roles and responsibilities of each staff member.

How should we respond to data breaches?

The OAIC outlines four key steps for responding to a data breach once one has been identified:
  • Contain: Contain the breach to prevent any further loss or compromise of personal information
  • Assess: Gather the facts and evaluate the data breach and any immediate or ongoing risks. Where possible, take immediate remedial action
  • Notify: Notify affected individuals and, if required, the Commissioner. If the breach is eligible under the scheme, notifying the Commissioner is mandatory
  • Review: Review the incident/breach and consider what steps can be taken to prevent it from happening again in the future

As noted earlier, not all breaches are deemed eligible for official reporting under the scheme, but the OAIC is here to help.

The OAIC’s role in the scheme includes:
  • Receipt of notifications of eligible data breaches
  • Encouragement of compliance with the NDB scheme
  • Offering advice and guidance to regulated organisations; and
  • Providing information to the community about the NDB scheme

Further information and resources about the Notifiable Data Breach Scheme can be found on the OAIC website.

Practice Managers Australia is the ultimate resource for Practice Managers looking to advance their skills, providing relevant news, industry-related information and insights in the areas that matter to you. Get in touch with us today on 03 9946 7333 or info@practicemanagersaustralia.com.au.