Privacy and Information Sharing: Presentation to South Australian Network of Drug and Alcohol Services (PowerPoint presentation)



SLIDE 1

Privacy and Information Sharing

Presentation to South Australian Network of Drug and Alcohol Services
Stephanie Otorepec, A/g Director, Regulation & Strategy Branch, OAIC

SLIDE 2

The role of the OAIC

The Office of the Australian Information Commissioner is:

  • the regulator of the Privacy Act 1988, and
  • the independent regulator of the privacy aspects of the Healthcare Identifiers service and the My Health Record system

SLIDE 3

OAIC’s regulatory and enforcement powers

Regulatory powers

  • Conciliate or determine complaints (with compensation)
  • Receive / investigate data breaches
  • Conduct assessments of entities
  • Investigate on own initiative
  • Create enforceable codes
  • Require Privacy Impact Assessments

Enforcement powers

  • Accept an enforceable undertaking
  • Make a determination following a complaint or CII (Commissioner-initiated investigation)
  • Bring proceedings to enforce a determination
  • Apply to the court for an injunction
  • Apply to the court for a civil penalty

SLIDE 4

The Australian Privacy Principles

13 principles that outline how personal information should be collected, used, disclosed and secured

SLIDE 5

The Australian Privacy Principles (APPs)

13 APPs in total

  • Principles apply to Government agencies and private sector organisations (referred to as ‘APP entities’)
  • Structured to reflect the information life cycle — planning, collection, use and disclosure, quality and security, access and correction
  • OAIC’s APP guidelines
SLIDE 6

The Australian Privacy Principles (APPs)

  • APP 1 – privacy policies
  • APP 2 – anonymity
  • APP 3 – collection of information
  • APP 4 – dealing with information
  • APP 5 – notification
  • APP 6 – use or disclosure
  • APP 7 – direct marketing
  • APP 8 – cross-border disclosure
  • APP 9 – gov’t related identifiers
  • APP 10 – quality of information
  • APP 11 – security of information
  • APP 12 – access to information
  • APP 13 – correction of information

SLIDE 7

All healthcare organisations are required to comply with the Australian Privacy Principles due to the nature of the information they handle, which is categorised as ‘sensitive information’. Health information is any information about a person’s health or disability, and any other personal information collected while receiving a health service. Sensitive information is generally afforded a higher level of privacy protection under the APPs.

As healthcare providers, you will be subject to the Privacy Act.

SLIDE 8

Relevant APPs in the context of health

  • Collection (including consent) (APP 3)
  • Notification (APP 5)
  • Use and disclosure (APP 6)
  • Security obligations (including destruction) (APP 11)
  • Access and correction (APPs 12 and 13)
SLIDE 9

Consent to collect health/sensitive information

APP 3 – collection

  • Outlines when an APP entity can collect personal information – higher standards apply to the collection of sensitive information
  • 2 main elements to meet when collecting sensitive information:
    1. the information is reasonably necessary for, and directly related to, the entity’s functions, and
    2. the individual to whom the information relates must consent to the collection.

SLIDE 10

Consent to provide data to the PHN

The four key elements of consent are:

  • the individual is adequately informed before giving consent
  • the individual gives consent voluntarily
  • the consent is current and specific, and
  • the individual has the capacity to understand and communicate their consent.

! IMPORTANT that your client understands they're not under an obligation to provide information – consent must be freely given

SLIDE 11

When is consent voluntary?

Factors relevant to deciding whether consent is voluntary include:

  • the alternatives open to the individual, if they choose not to consent
  • the seriousness of any consequences if an individual refuses to consent
  • any adverse consequences for family members or associates of the individual if the individual refuses to consent.

SLIDE 12

Notification

APP 1 – privacy policies

  • states that organisations must have a clearly expressed and up-to-date privacy policy about the management of personal information

APP 5 – notification

  • requires APP entities to take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters

SLIDE 13

Matters that you must notify about under APP 5

The matters include:

  • the APP entity’s identity and contact details
  • the fact and circumstances of collection
  • whether the collection is required or authorised by law
  • the purposes of collection
  • the consequences if personal information is not collected
  • the entity’s usual disclosures of personal information of the kind collected by the entity
  • information about the entity’s APP Privacy Policy
  • whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

SLIDE 14

Use and disclosure of information collected – APP 6

Sensitive information can generally only be used for the same purpose it was collected for, unless the person consents or an exception applies. Information can only be used for a secondary purpose where it is directly related to the original purpose.

SLIDE 15

Keeping information secure, and destruction obligations

APP 11

  • APP 11 provides that an APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. APP 11 only applies to personal information that an APP entity holds. An entity holds personal information ‘if the entity has possession or control of a record that contains the personal information’.
  • There are also destruction obligations
SLIDE 16

Access for your clients

APP 12

  • APP 12 requires an APP entity that holds personal information about an individual to give the individual access to that information on request, allowing a client to check and validate any data held about them

SLIDE 17

Correction

APP 13

  • APP 13 requires an APP entity to take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading

SLIDE 18

What could happen if I breach the APPs?

  • Under the Privacy Act, it is considered an ‘interference with privacy’
  • OAIC’s complaint-handling abilities
SLIDE 19

The Notifiable Data Breaches scheme

SLIDE 20

The Notifiable Data Breaches scheme

  • Commenced 22 February 2018.
  • Visit www.oaic.gov.au/ndb for the OAIC’s guidance on the scheme’s requirements.
  • Part IIIC of the Privacy Act 1988 — the scheme applies to businesses and government agencies with personal information security obligations.
  • These entities must notify individuals affected by an ‘eligible data breach’, which is a breach that is likely to result in serious harm. The OAIC must also be notified.

SLIDE 21

Identifying an eligible data breach

An eligible data breach occurs when three criteria are met:

  1. There is a data breach – being unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that an entity holds
  2. This is likely to result in serious harm to one or more individuals, and
  3. The entity has not been able to prevent the likely risk of serious harm with remedial action.

SLIDE 22

What is the harm threshold?

  • ‘Serious harm’ can be psychological, emotional, physical, reputational, or other forms of harm
  • Understanding whether serious harm is likely or not requires an evaluation of the context of the data breach.

SLIDE 23

If you suspect a data breach which may meet the threshold of ‘likely to result in serious harm’, you must conduct an assessment

  • Generally, there is a maximum of 30 days to conduct this assessment. This begins from when you become aware of a potential breach.
  • It is not expected that every data breach will require an assessment that takes 30 days to complete before notification occurs. You must notify as soon as practicable when you believe an eligible data breach has occurred.
  • You can divide an assessment into three stages: (1) Initiate; (2) Investigate; (3) Evaluate.

SLIDE 24

Notifying affected individuals – choose what is appropriate and practicable

There are three options for notification:

  1. Notify everyone
  2. Notify only people who are at likely risk of serious harm.
  3. Publish your notification, and publicise it with the aim of bringing it to the attention of all individuals at likely risk of serious harm.

SLIDE 25

Notifying affected individuals

Your notification must include:

  • The identity and contact details of your agency/organisation
  • A description of the eligible data breach
  • The kind or kinds of information involved in the eligible data breach
  • What steps your agency/organisation recommends that individuals take in response to the eligible data breach.

SLIDE 26

Data breaches affecting multiple organisations

  • Where data is jointly held by two or more bodies, both are generally responsible for complying with the NDB scheme for that record.
  • Bodies should establish a clear procedure for complying with the scheme – e.g. enter into service agreements, or other contractual arrangements
  • This could also include communications plans, and who will be responsible for what (e.g. conducting audits, responsibility for containment, notification etc.)

SLIDE 27

Looking at an example

  • Australian Red Cross Blood Service
  • Serious data breach experienced in 2016
  • Key steps taken – immediate action taken to notify individuals and contain the breach
  • Moral of the story – outcomes can be positive if proactive action is taken

SLIDE 28

Data breach preparation and response

  • See the OAIC’s guide: Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988.
  • What goes in a data breach response plan?
    • Both security and privacy measures
    • Who’s responsible for what
    • Clear lines of accountability
SLIDE 29

Personal information vs de-identified information

SLIDE 30

What is personal information?

‘Personal information’ is defined as any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’:

  • whether the information or opinion is true or not, and
  • whether the information or opinion is recorded in a material form or not (s 6(1)).

(NOTE: Personal information is the broadest term under the Privacy Act, and includes health/sensitive information!)

SLIDE 31

When is information ‘de-identified’?

De-identified information is information that is no longer about an identified or reasonably identifiable person. In a nutshell: if there’s no reasonable chance that you could determine which person a piece of information is about, it is de-identified.

SLIDE 32

Why de-identify? De-identification as a privacy enhancing tool

When done well, it can:

  • allow you to do things you couldn’t otherwise do if prevented by the APPs (e.g. you collected information for one purpose, and want to use it for another, unrelated purpose)
  • help your entity meet obligations under the Privacy Act
  • build trust in your data governance practices
SLIDE 33

How is de-identification achieved?

De-identification involves two steps:

  1. Removal of identifiers
  2. The removal or alteration of other information that could potentially be used to re-identify an individual, and/or the use of controls and safeguards in the data access environment to prevent re-identification
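An added example, not from the presentation or the OAIC, of the two steps above applied to constructed client records in Python: step 1 drops the direct identifiers, step 2 coarsens the remaining fields that could be combined to re-identify someone and suppresses any combination shared by too few records. The field names, the 10-year age bands, the 2-digit postcode areas and the threshold k=2 are all assumptions.

```python
"""Two-step de-identification of constructed client records (sample data only)."""
from collections import Counter

# Constructed sample records; the people and field names are made up.
RECORDS = [
    {"name": "A. Example", "medicare_no": "0000000001", "dob": "1984-03-09",
     "postcode": "5000", "sex": "F", "service": "counselling"},
    {"name": "B. Example", "medicare_no": "0000000002", "dob": "1986-11-21",
     "postcode": "5006", "sex": "F", "service": "counselling"},
    {"name": "C. Example", "medicare_no": "0000000003", "dob": "1981-07-02",
     "postcode": "5007", "sex": "F", "service": "withdrawal"},
    {"name": "D. Example", "medicare_no": "0000000004", "dob": "1952-01-15",
     "postcode": "5290", "sex": "M", "service": "counselling"},
]
DIRECT_IDENTIFIERS = {"name", "medicare_no"}          # identify a person on their own
QUASI_IDENTIFIERS = ("age_band", "postcode_area", "sex")  # identify only in combination


def step1_remove_identifiers(rec):
    """Step 1: drop the fields that identify a person by themselves."""
    return {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}


def step2_generalise(rec, ref_year=2018):
    """Step 2a: alter the remaining re-identifying fields. An exact date of birth
    becomes a 10-year age band; a 4-digit postcode keeps only its first 2 digits."""
    age = ref_year - int(rec["dob"][:4])
    out = dict(rec)
    del out["dob"], out["postcode"]
    out["age_band"] = f"{age // 10 * 10}-{age // 10 * 10 + 9}"
    out["postcode_area"] = rec["postcode"][:2] + "xx"
    return out


def step2_suppress_rare(recs, k=2):
    """Step 2b: remove records whose quasi-identifier combination is shared by fewer
    than k records; a unique combination could still single one person out."""
    key = lambda r: tuple(r[q] for q in QUASI_IDENTIFIERS)
    counts = Counter(key(r) for r in recs)
    return [r for r in recs if counts[key(r)] >= k]


def deidentify(records, k=2):
    """Run both steps; the one record with a unique (age, area, sex) combination is dropped."""
    generalised = [step2_generalise(step1_remove_identifiers(r)) for r in records]
    return step2_suppress_rare(generalised, k)
```

With the sample data, the three 30-39 / 50xx / F records survive and the single 60-69 / 52xx / M record is suppressed, which shows why step 1 alone is not enough.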

SLIDE 34

OAIC resources on de-identification

  • The De-Identification Decision-Making Framework
  • De-Identification and the Privacy Act 1988
SLIDE 35

OAIC resources

  • Preparing for the NDB scheme – OAIC webinar
  • APP guidelines
  • FAQs for health service providers about the Privacy Act and other related legislation
  • My Health Record resources
SLIDE 36

Questions?

SLIDE 37

Contact us

  • enquiries@oaic.gov.au
  • 1300 363 992
  • www.oaic.gov.au
SLIDE 38

oaic.gov.au