Tag: Privacy Commissioner

1
Privacy Awareness Week (Health Information): Health sector and the notifiable data breach scheme – 12 months on
2
OAIC releases draft guide for conducting big data activities
3
Hold the phone…is “metadata” personal information? Who knows?

Privacy Awareness Week (Health Information): Health sector and the notifiable data breach scheme – 12 months on

By Cameron Abbott, Rob Pulham, Michelle Aggromito and Rebecca Gill

It’s been a little over a year since the notifiable data breach scheme was introduced in Australia. The Office of the Australian Information Commissioner (OAIC) issued its Notifiable Data Breaches Scheme 12-month Insights Report on 13 May 2019, detailing its insights to come out of the scheme’s operation over the past 12 months. As regular readers would no doubt be aware, the health sector was one of the top industry sectors to report breaches in the first 12 months of the scheme’s operation.

Here’s the health sector at a glance:

  • Of the 964 eligible data breaches notified to the OAIC from 1 April 2018 to 31 March 2019, health information breaches accounted for 249 notifications (just over a quarter of all notifications). This is consistent with international trends which often show the health sector as a leading reporter of data breaches.
  • Human error was the leading cause of data breaches in the health sector, accounting for 55% of the breaches. This figure was relatively higher when compared to the average rate of data breaches in other industries due to human error (35%).
  • Human error in the health industry typically involved sending personal information to the wrong recipients via email and other forms communication.

Of itself, these figures seem to paint a grim picture for the health sector, which is the leading reporter of data breaches in Australia. However, there may be a silver lining for health organisations. As the Report identifies, the statistics arguably reflect the health sector’s preparedness to report data breaches. This potentially suggests a greater maturity and understanding of their obligations than other sectors that deal with less sensitive data, and could well be influenced by the more regulated nature of the sector, as well as the fact that the sector routinely deals with sensitive health information which inherently carries higher risk of causing serious harm if misused.

For more insights into health information and the scheme, check out our blog posts “My Health Records – to opt-in, or to opt-out? That is the question” and “Mandatory data breach reporting in 60 seconds”, or feel free to contact us for any assistance or information.

OAIC releases draft guide for conducting big data activities

By Cameron Abbott and Simon Ly

Last week the OAIC released their consultation draft Guide to big data and the Australian Privacy Principles, with feedback on the Guide open until 26 July 2016.

The main purpose of the Guide is to facilitate big data activities while protecting personal information (being information or an opinion about an identified individual, or an individual who is reasonably identifiable). The Guide addresses issues such as notice and consent, retention minimisation and use limitation in regards to such data. Whilst not legally binding, the Guide will be referred to by the Privacy Commissioner in undertaking its functions under the Privacy Act.

One of the key aspects dealt with in the Guide is that entities should consider undertaking big data activities on an anonymised manner by de-identifying personal information. If so, this has the favourable outcome that such data will not be considered personal information so accordingly less onerous obligations apply under the Privacy Act to such data. Of course, if this is the case it also lessens the chance that personal information will be compromised should a data breach occur (speaking of which, we note OAIC’s April 2016 guide to deal with data breaches). However, in our experience most of our clients want to analyse and then drill down to take actions or campaigns in relation to a then identified group of customers.

The Guide also highlights how big data interacts with the APPs as well as discussing other related concepts, such as “privacy by design” frameworks. For more information, you can access the OAIC’s consultation draft Guide here.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.