The recent case brought before the Australian Privacy Commissioner (Commissioner) involving the Pound Road Medical Centre (PRMC) serves as a timely reminder of the importance of handling private information with diligence and security, both in its storage and in administering procedures for its appropriate disposal.
In this investigation, PRMC was held to be in breach of provisions of the then applicable National Privacy Principles (NPPs) in the way they approached the storage of medical records of approximately 960 patients.
This case was considered prior to the implementation of amendments to the Privacy Act 1988 (Cth) in March 2014, where amongst other changes, the NPPs were replaced by the new Australian Privacy Principles (APPs). The APPs have significantly expanded the compliance obligations including financial penalties of up to $340,000 for individuals, or up to $1.7 million for corporations per breach.
The Commissioner emphasised the need to ensure that sensitive documents are not vulnerable to inadvertent disclosure or placed in a position where their confidentiality is compromised. If the proposed data breach notification laws had been in operation, PRMC would likely have been required by law to notify all affected persons of the data breach.
In this Alert, Partner Hayden Delaney discusses the case and summarises outcomes from The Commissioner’s inquiry. HopgoodGanim also recognises the contribution of law clerk, Daniel O’Conner, to this alert.
The Commissioner’s inquiry
Since October 2012, PRMC had been storing medical records of patients in a garden shed located outside the main practice area of the centre. The shed also contained a range of other documents, including staff pay records, accounts to third parties, and ‘identifying particulars’ of patients (such as date of birth, marital status and address). Despite being secured by three padlocks, in November the following year the shed was broken into and the security of the records was put in jeopardy.
In July 2014, the Commissioner found PRMC to be in breach of NPP 4 (an old law now replaced by the stricter APPs). Under this principle, organisations that have access to personal or sensitive documents are required to take reasonable steps to keep the information secure from misuse, loss, unauthorised access or disclosure, and destroy or de-identify information that is no longer being used.
PRMC advised the Commissioner that they had recently begun moving from paper filing to an electronic document management system. Part of this process involved the systematic scanning and uploading of pre-existing physical documentation into the database and simultaneously dealing with the paperwork once this had been completed. They partly attributed this transition phase to the rationale behind why the records were stored in the external shed; they temporarily needed room to deal with the added clerical workload. PRMC also conveyed that they already had in place a review system, whereby every two years patient documentation would be re-assessed to ascertain if it still needed to be kept.
The Commissioner noted the importance of going beyond mere physical protections in ensuring the safety of patient files. To comply with what ‘reasonable steps’ would entail, the record-holder needs to produce evidence that it has additional procedural safeguards and regular auditing practices in place. Although PRMC had procedures in place, it was found they were not being adhered to strictly enough (the most recent audit was nearly three years old). Unsurprisingly, the Commissioner concluded that he could not conceive of any circumstance in which it would be considered reasonable to store medical information in a temporary structure such as a garden shed.
The Commissioner also indicated that the extent to which these additional steps should be taken needs to be considered in light of the sensitivity of the information and the likely impact in the event that the information was compromised. Under the Privacy Act 1988 (Cth), sensitive information (such as medical records) is afforded a higher level of protection than other information. Despite the fact that most of the records did not relate to current clients (in fact, nearly all the documents related to clients prior to 2004), the Commissioner emphasised that they still contained highly personal information, so the age of the data was not particularly important.
Ramifications of the PRMC investigation
The investigation fell at a time of significant change in the Australian privacy law landscape. Recently, in March 2014, a series of amendments were made to the Privacy Act 1988 (Cth), including the replacement of the NPPs with the new APPs.
These changes also brought with them renewed concerns over privacy and data security issues in Australia. The facts of the case are a striking example of the sometimes laissez-faire attitude to information privacy and data security. Such attitudes are out of step with modern society – organisations are entrusted with personal information. Organisations must take all reasonable steps to secure that information and to build a framework within their organisation and information systems that enables compliance. This is reflected in the compliance obligations in APPs 1.2 and 11.
Good governance requires a combination of:
- legal measures (policy, contract and compliance documentation and audits);
- technical measures (e.g. access controls, encryption and tokenisation); and
- cultural measures (training, awareness and accountability).
All of these aspects need to work together transparently – a silo-based approach will lead to gaps, oversights and failure.
Medical information is particularly sensitive because its disclosure may lead to humiliation, embarrassment, a loss of dignity, and in some circumstances, provides the basis for discrimination. Furthermore, when private information is leaked (whether intentional or not), there is very little that can be done to make the information private again – and it is this irreversible characteristic in the damage suffered that justifies the need for security measures to be extremely scrupulous.
The shift in precedent resulting from this investigation lies in expanding the scope of what ‘reasonable security steps’ entails when considering compliance with the Privacy Act. In this case the Commissioner was clear that PRMC had fallen well below what would be considered reasonable in the circumstances. It is not sufficient simply to ensure that information is stored in a ‘physically’ safe place. Additional security steps are required to fulfil the reasonable steps criteria, including:
- monitoring movement of paper files between locations;
- regularly reviewing files to ensure that any information which is no longer required is appropriately destroyed or de-identified (per requirements under the APPs);
- imposing physical control mechanisms, including limiting access to the storage location such as restricting the number of keys available; and
- making sure the storage location is secure and well guarded.
Different approaches are required for electronic records including access controls, encryption (and encryption key management), tokenisation and process controls.
What if the proposed ‘Data Breach Notification laws’ had been in place?
In March this year, the Privacy Amendment (Privacy Alerts) Bill 2014 (Cth) was introduced to Federal Parliament as an attempt to further amend the Privacy Act 1988 (Cth) to make it mandatory for organisations to notify the Commissioner and “significantly affected individuals” if a serious data breach occurs. For several reasons, the Bill lapsed and has since been placed on the backburner; however, indications are that it is more a question of ‘when’ rather than ‘if’ the Bill will be passed.
The amendments present another significant step forward in privacy laws. If these laws were in place at the time of the PRMC inquiry, the outcome for the offender could have been far more severe. Any ‘significantly affected persons’ who are deemed to have a ‘real risk of serious harm’ will need to be told of the breach. Depending on how these words are interpreted, this could include all 960 clients whose files were stored, and possibly even other third parties (such as consultants, financial institutions, government officials and staff) whose information was also amongst the documents. Based on the findings of the Commissioner, the ‘serious data breach’ trigger would clearly seem to apply to PRMC’s case.
The requirement to disclose the breach to this pool of ‘affected individuals’ presents a number of negative consequences for PRMC, including:
- the sheer size of the group poses significant time and cost issues, because compliance with the Bill would mean each and every one of them would need to be individually informed;
- needing to admit that the security measures of their business were not sufficient is embarrassing and causes a tarnishing of their business reputation;
- existing clients would begin to question the security of their own records stored at PRMC’s facilities, and feel less inclined to remain loyal to them as a medical service provider; and
- this security breach would consequently impact their ability to bring in new clients, who would now be aware of PRMC’s poor security history.
As such, the future introduction of these laws provides further incentive for businesses to ensure that their data protection infrastructure and procedures are watertight. We only need to imagine the damage that could be done to an organisation which is mandated by law to disclose such a data breach.
Data breach notification laws are already in force in other jurisdictions, most notably in California. When contrasted, these laws provide an interesting carve-out which is not present in the corresponding Australian Bill. Under California S.B. 1386, a data breach relating to information that was stored in an encrypted format is expressly exempted from the obligation to notify of the data breach.
California S.B. 1386 made practical sense and is an example of good law reform. It incentivised investment in IT security technology which was known and proven to be a very effective means of preventing data breaches. Encrypted data, when using an appropriate algorithm and controlling the encryption keys, is not personal information. It is not reasonably possible to ascertain a person’s identity from that data. It can therefore help avoid the compliance and legal risks associated with personal information.
The PRMC investigation reiterates the need for prudent attention to detail when it comes to handling personal information.
Complying with the laws governing this area is not difficult; most of the comments made by the Commissioner were a matter of common sense, not a technical argument about the way the provisions should be interpreted. Objectively, it makes sense that a ‘lock and forget’ approach to storing medical records is not sufficient to ensure that the confidentiality and integrity of the affected persons’ information is maintained. Judicious procedures and safeguards need to be evidenced on top of using a secure location, because the personal consequences of the information becoming publicly available are so far-reaching.
As a further complication, the proposed introduction of data breach notification laws raises more questions about the direction that privacy laws are heading in Australia. If they were applied in PRMC’s case, it would have meant far more severe implications for their organisation in terms of costs, reputation, existing client base and future marketability.