APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!

Similar documents
A Homeopath Registered Homeopath

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

NDIS Quality and Safeguards Commission. Incident Management System Guidance

DATA PROTECTION POLICY THE HOLST GROUP

Data Breach Incident Management Policy

Government data matching and the Privacy Act 1988 (Cth)

ADMA Briefing Summary March

GMSS Information Governance & Cyber Security Incident Reporting Procedure. February 2017

Data Breach Notification: what EU law means for your information security strategy

Schedule Identity Services

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Submission to the International Integrated Reporting Council regarding the Consultation Draft of the International Integrated Reporting Framework

FIRESOFT CONSULTING Privacy Policy

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017

Information Governance Incident Reporting Policy

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

SYDNEY FESTIVAL PRIVACY POLICY

This Privacy Policy applies if you're a customer, employee or use any of our services, visit our website, , call or write to us.

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Privacy Impact Assessment

Motorola Mobility Binding Corporate Rules (BCRs)

Policy on Privacy and Management of Personal Information

UWC International Data Protection Policy

KIN GROUP PTY LTD PRIVACY POLICY

University of Wisconsin-Madison Policy and Procedure

TABLE OF CONTENTS. Page

INFORMATION SECURITY AND RISK POLICY

Policy & Procedure Privacy Policy

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

IDENTITY ASSURANCE PRINCIPLES

UWTSD Group Data Protection Policy

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

New Zealand Telecommunications Forum. Code for Vulnerable End Users of Telecommunication Services. ( Vulnerable End User Code )

Data Privacy Breach Policy and Procedure

General Data Protection Regulation (GDPR) The impact of doing business in Asia

PS Mailing Services Ltd Data Protection Policy May 2018

Digital Health Cyber Security Centre

NWQ Capital Management Pty Ltd. Privacy Policy. March 2017 v2

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

how to manage risks in those rare cases where existing mitigation mechanisms are insufficient or impractical.

Privacy & Information Security Protocol: Breach Notification & Mitigation

DATA BREACH POLICY [Enniskillen Presbyterian Church]

Privacy Policy First National Group of Independent Real Estate Agents Limited ACN

Privacy Breach Policy

Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016

Gatekeeper Public Key Infrastructure Framework. Information Security Registered Assessors Program Guide

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Terms & Conditions. Privacy, Health & Copyright Policy

Data Loss Assessment and Reporting Procedure

Data Breach Notification Policy

2.1 The type of personal information that auda collects about you depends on the type of dealings you have with us. For example, if you:

Information Security Policy

Security and Privacy Governance Program Guidelines

Information Bulletin

Made In Hackney Data Protection Policy Last Updated:

Stopsley Community Primary School. Data Breach Policy

Breach Notification Form

TIX Privacy Policy. 1. Scope of this Privacy Policy. 2. What personal information does TIX collect? Updated 7 September 2015

Schedule EHR Access Services

GDPR Compliance. Clauses

It s still very important that you take some steps to help keep up security when you re online:

Information Governance Incident Reporting Procedure

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Office Properties Income Trust Privacy Notice Last Updated: February 1, 2019

Islam21c.com Data Protection and Privacy Policy

General Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings:

Security and Privacy Breach Notification

Privacy Breach Response and Reporting

Adopter s Site Support Guide

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

SOUTHFIELD SCHOOL PROCEDURE FOR RECEIVING AND RESPONDING TO SUBJECT ACCESS REQUESTS

INVESTIGATION REPORT , , ,

Big data privacy in Australia

ISSUES FOR RESPONSIBLE USER-CENTRIC IDENTITY

Data Protection Policy

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

This policy should be read in conjunction with LEAP s Conflict of Interest Policy.

Xpress Super may collect and hold the following personal information about you: contact details including addresses and phone numbers;

Information Security Strategy

MODEL COMPLAINTS SYSTEM AND POLICY THE OMBUDSMAN'S GUIDE TO DEVELOPING A COMPLAINT HANDLING SYSTEM

LCU Privacy Breach Response Plan

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Summary Analysis: The Final HIPAA Security Rule

Data Protection Policy

Building a Privacy Management Program

Site Builder Privacy and Data Protection Policy

Data Leak Protection legal framework and managing the challenges of a security breach

The University of British Columbia Board of Governors

Information Security Incident Response and Reporting

FIRE REDUCTION STRATEGY. Fire & Emergency Services Authority GOVERNMENT OF SAMOA April 2017

FLIPOUT Privacy Charter. We will handle any information we collect about you in accordance with our privacy Policy

Habitat for Humanity Singapore Ltd

Comment on Exposure Draft, IFRS Practice Statement: Application of Materiality to Financial Statements

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania

Dated 3 rd of November 2017 MEMORANDUM OF UNDERSTANDING SIERRA LEONE NATIONAL ehealth COORDINATION HUB

Policy Objectives (the Association) Privacy Act APPs Policy Application ACTU The Police Association Website

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

Transcription:

enquiries@privacy.org.au http://www.privacy.org.au/ 28September2012 APFsubmission draftmandatorydatabreachnotification intheehealthrecordsystemguide. The Australian Privacy Foundation (APF) is the country's leading privacy advocacy organisation. I write as Chair of the Health Sub Committee of the APF. The APF is glad of this opportunity to influence the vital Mandatory data breach notification in the ehealth record system draft guide, September 2012. We are keen to support the development of a national ehealth data breach notification platform to support community trust in a secure and privacyenhancing Personally Controlled Electronic Health Record (PCEHR) system. The APF policy document Protections Against ehealth Data Breaches responds to stimulus questions asked in the Mandatory data breach notification in the ehealth record system consultation paper, 28 August 2009. 1 The APF document establishes the standard individuals expect the Australian government to implement and anything less is considered unacceptable. The document is appended to this submission and provides a response to stimulus questions about reporting and notification obligations as well as other key matters. FEEDBACK ABOUT OTHER MATTERS RESPONDING TO STIMULUS QUESTIONS. Notifiable data breaches As the APF policy document suggests, a notifiable data breach arises simply where any person in an organisation becomes aware that unauthorised collection, use or disclosure of health information has, or probably has, occurred. The APF opposes any definition of a notifiable breach that has a narrower scope than our policy statement.

Language and Format The language and format are not transparent and are confusing in places. The term ehealth record system is not applied consistently throughout the document. Does the expression ehealth record system refer to the PCEHR system or a providers own system? For instance, on pages 3 and 4, Data breaches that are out of scope, we are confused by what appears to be inconsistent application of the same term. On the one hand, the section refers to ehealth systems that are not connected to the national system in the first paragraph and example box. On the other hand, in the final paragraph the section refers to private healthcare provider ehealth systems, whether the system feeds into the national system or not. The APF requests clarification of the term ehealth record system in the draft guide. We also request clarification of whether private healthcare provider ehealth systems that feed into the national system are subject to mandatory data breach notification legislation and guidelines. The APF welcomes the outline of the Role of the System Operator (SO) section, on page 6, although this is not sufficiently detailed. For example, it requires the SO to notify affected individuals and the general public of breaches affecting a significant number of people. There is no definition or example provided of how many records may be breached before this is considered significant. Neither is there any explanation of the methods or mechanisms the SO should use to notify affected individuals and the general public of breaches. Moreover, the section refers to reporting these and other breaches to the Office of the Australian Information Commissioner (OAIC). However the ehealth record system OAIC Enforcement Guidelines consultation paper, August 2012, clearly states the OAIC may choose not to act on proven breaches and not to publish information about said breaches. These guidelines indicate the role of the SO in the draft under discussion is irrelevant to consumers concerns about rectifying breaches of records held in the PCEHR system. The APF asks for the terms significant and notify to be defined in practical terms. We also express concern the draft mandatory breach guide is not relevant to the real life concerns of patients affected by threats to the privacy and security of their health information. The When to report a notifiable data breach section, page 7, suggests entities are not required to notify the OAIC of data breaches immediately if this is not practicable or at the expense of initial efforts to constrain it. We question why notification and efforts to constrain data breach cannot occur simultaneously. Participating consumers will rely on the integrity of information stored on the PCEHR system for their healthcare outcomes. It is vital that any matter affecting an individual health record is immediately reported to the consumers concerned and to the SO so that action can be taken to ensure consumers do not suffer from adverse health errors as a consequence of such breaches, whether these are accidental or deliberate. 2-3 The APF is receiving a rapid increase in contact from chronically ill patients where an ehealth record, including some on the PCEHR system, is inaccurate due to poor security mechanisms. In real life, these patients have been lucid and able to negotiate the matter with clinicians convinced the e-record

is a more reliable source of information about medical procedures than the individual concerned. Less lucid patients may not be similarly fortunate, risking adverse error as a consequence The APF requests notifiable health breaches are immediately reported to affected consumers, the PCEHR system authorities and the OAIC to protect the health and wellbeing of individuals whose records may have been compromised. The section Responding to a notifiable data breach, pages 12 to 19, offers useful steps for providers to follow while reflecting on a data breach or when establishing an ehealth system in the first instance. However, these are not sufficiently robust to protect individuals from the results of system breach, neither are consumers seen as pivotal in this process. For example, providers are asked to assess whether steps may be taken to mitigate the harm a consumer may suffer as the result of a breach (p.12). The welfare of the consumer should be the key priority of this section and rather than seem an afterthought to controlling machine or operator error or misuse. Indeed the section is replete with references to suitable individuals, determining whether there is a need to assemble a team to investigate a breach or not, inform others and escalate matters internally as appropriate. The section asks providers to be careful not to destroy evidence that may help law enforcement agencies determine cause or take corrective action. How will providers be equipped to understand what is and is not evidence in this context? The section is vague, unhelpful and far too general. At no stage is the health and wellbeing of the affected individual or individuals given primacy here with the exception of Section, page 16, where the provider, not the SOS or the OAIC, is asked to make a determination of risk to affected individuals. How will the provider be trained to make these determinations? Moreover, Step 3 on page 17, states that only the SO can notify affected consumers about notifiable data breach. The OAIC role is not specified. This is terribly confusing and overly bureaucratic for both practitioners and consumers. Regardless of nomenclature, the draft breach guide indicates the PCEHR is not personally controlled but SO controlled. The APF wonders whether providers are able to notify consumers of breaches to the PCEHR systems that are not deemed notifiable under the draft guideline. The notification processes outlined in the draft are vague, empower neither consumer nor practitioner and are unnecessarily bureaucratic to the cost of patient health outcomes and empowering clinicians to maintain secure ehealth networks. The guide reads as if directed to administrative staff working for the Australian government and managing abstract issues rather than consumers and clinicians in real life. The APF maintains that the guidelines do not reflect the seriousness of data breach to consumer health and wellbeing. Neither do these provide adequate emphasis on the consumer s human right to access or know information about their own health record, an ostensible feature of the PCEHR system that now seems countered by the breach guidelines. 4 The draft guideline is abstract and emphasises administrative processes that disempower patients and clinicians alike. 4 The guide is not transparent or useful in relation to mandatory notification of breaches in the ehealth record system.

The mandatory breach guidelines must build defences against harm, including safety processes, system redundancies and training, to minimise unsafe use or the creation of unsafe settings. (2) The draft does not accomplish this aim. The APF believes that failure to rectify these matters will undermine community confidence in the utility of the PCEHR system, fostering project failure, as has already occurred with similar implementations in other countries. (3) Finally the Privacy Act and legislative amendments supporting the PCEHR system simply set a minimum reporting requirement for breaches. The APF requests that action is taken according to our policy document (appended) so that the Australian government does not replicate the errors made by other nations implementing similar projects (1,3). Our national policies and procedures must be set at a level that actually achieves the aims of protection of sensitive data and transparency in relation to breaches. In this context, the Mandatory data breach notification in the ehealth record system draft guide September 2012 sets the minimum far too low to be acceptable. Yours sincerely Dr.JuanitaFernando Chair,HealthSubCommittee AustralianPrivacyFoundation DrFernandoisinMedicine,Nursing&HealthSciences,MonashUniversity0399058537or0408131535 mailto:juanita.fernando@monash.edu DrFernando ssonisaprojectleaderwithaccenture,whichistheleadcontractoronthepcehrimplementation. DrFernandoisaformercouncilloroftheAustralasianCollegeofHealthInformatics. http://www.achi.org.au/ ContactDetailsfortheAPFanditsBoardMembersareat:http://www.privacy.org.au/About/Contacts.html REFERENCES 1. AustralianPrivacyFoundation(2009)eHealthcareDataBreachPolicyStatement,August28. http://www.privacy.org.au/papers/ehealth"databreach"090828.pdf 2. Coeira,E.Kidd,M.&Haikerwal,M.(2012)Acallfornationale"healthclinicalsafetygovernance.MJA196(7)#16 April2012 3. Moynihan,R.(2012)e"Healthrecords:beawareofassumedbenefit.MJA197(6)17September2012 4. Hilvert,J.(2012)Doctorscouldrejecte"healthrecords.Itnews.com,September202012. http://www.itnews.com.au/news/316321,doctors"could"reject"e"health"records.aspx

Australian Privacy Foundation Policy Position Protections Against ehealth Data Breaches 28 August 2009 http://www.privacy.org.au/papers/ehealth-databreach-090828.pdf Personal health data is by its nature highly sensitive, so unauthorised access and disclosure is of even greater concern than it is with other categories of data. Irrespective of what laws and norms might apply to data breaches generally, it is vital that clear and effective protections exist for personal health care data. The APF has accordingly adopted the following policy on the matter. A data breach occurs when personal health care data is exposed to an unauthorised person, and there is a reasonable likelihood of actual or perceived harm to an interest of the person to whom the data relates. 1. An organisation that handles personal health care data must: take such steps to prevent, detect and enable the investigation of data breaches as are commensurate with the circumstances conduct staff training with regard to security, privacy and e-health subject health care data systems to a programme of audits of security measures when health care data systems are in the process of being created, and when such systems are being materially changed, conduct a Privacy Impact Assessment (PIA), in order to ensure that appropriate data protections are designed into the systems, and to demonstrate publicly that this is the case 2. Where gounds exist for suspecting that a data breach may have occurred, the organisation responsible must: investigate if a data breach is found to have occurred, take the further steps detailed below document the outcomes publish information about the outcomes, at an appropriate level of detail 3. Where a data breach has occurred, the organisation responsible must: (e) promptly advise affected individuals (and/or their next of kin or carers) provide an explanation and apology to affected individuals where material harm has occurred, provide appropriate restitution publish an appropriate notice and explanation in a manner that facilitates discovery and access by people seeking the information advise the Office of the Federal Privacy Commissioner 4. Where a serious data breach has occurred, the Office of the Federal Privacy Commissioner must: review the outcomes of any investigation undertaken by the responsible organisation where any doubt exists about the quality, conduct its own independent investigation publish the results of the review and/or investigation add the details of the data breach to a publicly available register, including any decision made as the result of the investigation, in order to ensure that information is available to support informed public debate about protections for personal health care data 5. Where a data breach occurs that results in material harm, the affected individuals must have recourse to remedies, both under the Privacy Act and through a statutory cause of action

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback