As the Australian healthcare industry adapts to today’s technological advancements the risk of privacy breaches occurring has increased. We review key considerations for healthcare providers, including the potential impact of proposed legislation.


The figures are of significant interest:

  • The total average organisational cost of a data breach in Australia increased from A$2.8 million in 2014 to A$2.82 million in 2015, according to a 2015 study by IBM and the Ponemon Institute.
  • Data loss and downtime cost Australian organisations US$55 billion in 2014, compared to the average of US$34 billion across the Asia-Pacific and Japan region, in the same year, research by EMC Corporation found.
  • The same research found that 86% of organisations in Australia rank in the bottom two categories for data protection maturity.

In order to adequately meet this risk, healthcare providers must update their internal privacy policies and procedures.

Legal implications 

There is a right to privacy in respect of medical records and health information due to their sensitive nature. As such, a healthcare practitioner owes a duty of care to the patient. Other information held by a healthcare practitioner may also be classified as confidential and private, potentially giving rise to equitable remedies for breach of confidence. Elements a court is likely to consider are whether:

  • The information was of a confidential nature.
  • It was communicated or obtained in circumstances importing an obligation of confidence.
  • There was an unauthorised use of the information.

Many of our international counterparts are surprised by the lack of a legislatively enforced mandatory data breach notification system in Australia. Currently there is only a voluntary guide to handling data breaches, which is regulated by the Office of the Australian Information Commissioner (OAIC). However, it is important to note that in December 2015 an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the Bill) was released, inviting public comment. The Bill requires Government agencies and businesses subject to the Privacy Act to notify OAIC, and those affected, following a serious data breach. Should the Bill be passed, we predict that data breach figures will increase dramatically. 

It is also important to note that there are state, territory and Commonwealth legislative and administrative provisions that govern both public and private healthcare service providers in Australia. These legislative and administrative schemes outline how private information must be handled, used and managed. 

Policies and procedures 

Internal policies and procedures should address privacy breaches and include the following:

  • Policies on how private information should be stored, how employees should handle personal information and also how employees should securely de-identify and dispose of certain patient information.
  • Privacy policies on how healthcare providers manage patients’ personal information. These policies should be displayed both in hard and soft copy and a copy should be provided to all new patients on registration.
  • Continuing mandatory employee training procedures and guidelines, involving employee training in all computer systems used, as well as outlining all scenarios where patient information can be disclosed.
  • Encryption of emails and servers and mandatory spyware and malware programs on all work and personal computers and portable devices.

Responding to a privacy breach 

In compliance with the OAIC guidelines the following steps may need to be followed:

  • Contain the breach and conduct a preliminary assessment.
  • Evaluate the risks associated with the breach.
  • Notify the OAIC directly, disclosing the following:
    • A description of the breach.
    • The type of personal information involved.
    • What response the agency or organisation has made.
    • What assistance has been offered to affected individuals.
    • The name and contact details of the appropriate contact person.
    • Whether the breach has been notified to other external contacts.
  • Notify all affected individuals directly (by phone, letter, email or in person), as soon as reasonably possible, and disclose similar information as above, and, in addition, details of how to:
    • Contact the agency or organisation or industry complaint handling body.
    • Lodge a complaint with OAIC.
  • Implement measures to prevent future breaches from occurring.

State and territory legislative and administrative provisions, as well as professional and ethical codes of conduct, may also apply and should be considered by healthcare providers. 

Take-away points

  • Privacy issues present a very important consideration to the healthcare industry in Australia.
  • To prevent a breach of privacy, or detect it early, internal privacy policies and procedures should be implemented and followed.
  • If a breach does occur, consideration should be given to the OAIC’s guide to voluntary data breach notification.
  • Keep an eye on the passing of the Bill given its possible consequences.