Legal aspects of design Presented by Karen Keogh, Partner, HWL - - PowerPoint PPT Presentation



SLIDE 1

Legal aspects of design

Presented by Karen Keogh, Partner, HWL Ebsworth Lawyers Wednesday, 11 April 2018

SLIDE 2

Introduction

  • Privacy by Design
  • Security by Design
  • Risk Management by Design

SLIDE 3

Is it really an issue?

SLIDE 4

Privacy Law

  • The Privacy Act 1988 (Cth)

– Regulates how personal information is handled in Australia
– Applies to private businesses that:

  • have an annual turnover greater than $3,000,000, or
  • provide health services and hold health information, or
  • are a contracted service provider for a Commonwealth contract (whether or not a party to the contract).

  • Australian Privacy Principles

– Open and Transparent
– Anonymity / Pseudonymity
– Collection
– Unsolicited information
– Notification
– Use or Disclosure
– Direct Marketing
– Cross-Border disclosure
– Government identifiers
– Quality
– Security
– Access
– Correction

SLIDE 5

Privacy by Design

  • “Instead of having settings spread across nearly 20 different screens, they’re now accessible from a single place” (It’s Time to Make our Privacy Tools Easier to Find, 28.03.18)
  • The object of this principle is to ensure that APP entities manage personal information in an open and transparent way. (APP 1)

SLIDE 6

Privacy by Design

  • Foundational Principles

– Proactive
– Privacy as default
– Embed privacy into design
– Retain full functionality
– Ensure end-to-end security
– Maintain visibility and transparency
– Respect user privacy

SLIDE 7

Privacy by Design

  • Health Industry

– UK ICO reports health incidents ↑ 22%

  • Data posted or faxed to incorrect person
  • Data sent by email to incorrect recipient
  • Loss or theft of paperwork

  • Digital Health Industry

– Data breach notifications

  • 35 mandatory digital health notifications to OAIC 2016/17
  • Notifiable Data Breaches Scheme from 22 February 2018

SLIDE 8

Red Cross Data Breach (Donate Blood Website)

  • Red Cross failed to implement contractual requirements
  • Employee of contractor saved data to part of the web server which was publicly available
  • Information retained at backend where part of the web server is publicly accessible
  • OAIC was satisfied steps were taken to appropriately rectify the data breach
  • Red Cross retained effective ownership although it did not physically hold the personal information
  • A data breach is not necessarily a breach of APP 11. Here, it was

SLIDE 9

Privacy by Design

  • Data Analytics

– Valuable commodity

  • FB market cap fell $47 billion from 01/03 to 01/04

– De-identification

  • De-Identification Decision-Making Framework (OAIC / CSIRO Data61)

– Privacy Impact Assessment

  • OAIC Privacy Impact Assessment eLearning (www.oaic.gov.au/agencies-and-organisations/training-resources/)

SLIDE 10

Security by Design

  • “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.” (Robert Mueller, former Director, FBI)

SLIDE 11

Security by Design

Liability

To avoid:
(a) Statutory liability (Company/Personal)
(b) Regulatory liability
(c) Third party claims

must implement measures to protect personal data (both technical and organisational):

  • Data Breach Insurance
  • Training on potential security breaches
  • Response Plan
  • Ad blocking; Anti-virus software; Back up

SLIDE 12

Security by Design

Prudential Standard CPS 234

  • APRA regulated entities
  • Board ultimately responsible for information security
  • Must have:

– Information security policy framework
– Direction on the responsibilities of all parties
– Controls on information assets managed by related / third parties
– Evaluate design and operating effectiveness of related / third party
– Information security incident plan
– Notify APRA of an information security incident no later than 24 hours

SLIDE 13

Security by Design

Practical tips

  • Only retain data for as long as necessary (APP 11)

– Note: State-based health records legislation

  • Check third party contracts
  • Check own and third party cyber insurance

SLIDE 14

Risk Management by Design

National Digital Health Strategy

  • Strategic Priorities

– Better availability and access to prescriptions and medicines information
– A workforce confidently using digital health technologies to deliver health and care

  • Framework for Action

– Minimise medication errors (Providers)
– Amend regulatory framework (States)
– Participate in training & education (Providers)
– Support & evaluate, education & training (States)

SLIDE 15

Risk Management by Design

Lau Inquest

  • Issue

– Did the introduction of the TrakCare electronic medical record system to Macquarie University Hospital cause or contribute to the death?

  • Finding

– Whilst TrakCare did not cause … death, the initial prescription error was made easier due to a function of TrakCare of great utility – the ability to open and close different patient records from a single terminal. Prior to the introduction of electronic medical records, it was much more difficult to chart medication on the wrong patient file

SLIDE 16

Risk Management by Design

Lau Inquest

  • Yet…

– The main reason for the failure … the persistent failure to critical thinking by those involved in the care and treatment of …

  • Recommendations

– Working party to consider lessons learnt and to include IT representatives, anaesthetists, nursing staff, pharmacy, patient safety & quality manager

SLIDE 17

SLIDE 18

Team Contacts

Karen Keogh, Partner
P +61 2 9334 8884
E kkeogh@hwle.com.au

SLIDE 19

Adelaide | Brisbane | Canberra | Darwin | Hobart | Melbourne | Norwest | Perth | Sydney