In our last blog post, we looked at what sensitive personal information is and how to appropriately manage this information to protect it from being disclosed to those who shouldn’t have access. But what should you do if the worst-case scenario occurs and you have a data breach and sensitive information is disclosed?
What is sensitive information?
To recap from last week, sensitive information includes information on a person’s health status, finances and investments, family, residential status, absences from their home and how vulnerable they are.
Sensitive information also includes an organisation’s ‘commercially’ sensitive records or documents relating to its business operations, information that could adversely affect the organisation’s reputation, and personal information held on employees.
Take any data breach or suspected data breach seriously.
It is important that you acknowledge the potential adverse impact of a data breach. While a breach can initially appear insignificant, closer investigation might reveal broader ramifications for an individual or the organisation.
You are a target for hackers!
Aged care organisations can be (and have been) targets of cyberattacks, or have experienced other unauthorised access to sensitive information they hold on clients or residents in their care. Accidental disclosure of sensitive information may also occur through human error or inappropriate sharing of information. Any sort of data breach can lead to additional expense, stress on staff, clients/residents and their families, and, if not handled correctly, damage to the reputation of the organisation.
What is a data breach or unauthorised disclosure of sensitive information?
A data breach can be accidental or deliberate, but both can be devastating to people impacted by the breach.
A deliberate data breach can occur when a hacker gains access to a computer system or platform and harvests the data or information to the detriment of the organisation, their clients or other stakeholders.
Holding an organisation to ransom after locking it out of essential databases is also a form of data breach, as staff often need to access essential information about a client on a day-to-day basis to provide care and support.
Loss of data relates to the accidental or inadvertent loss of sensitive information in circumstances where it is likely the information can be accessed by unauthorised individuals. Examples include:
- a support worker loses a run sheet containing the names, addresses and other personal information of clients
- resident files are left unlocked and accessible to a casual visitor or subcontractor who is found to have accessed these without authorisation or legitimate purpose
- a laptop computer containing client/resident information is stolen from a locked vehicle
Unauthorised disclosure occurs when sensitive information is intentionally or unintentionally made accessible or visible outside the organisation in a way that breaches the Privacy Act. Examples include:
- sensitive information relating to a client is accidentally sent to a different client
- a staff member circulates sensitive information relating to a resident (whether they are specifically named or not) on their social media platform
For the purposes of this post, we will consider two types of data breach: a general Data Breach and an Eligible Data Breach.
A general data breach happens when sensitive personal information or organisational information is accessed or disclosed without authorisation or is lost. This can be something that happens due to hackers accessing an online system, a visitor to a centre reading a document that contains private personal information not intended for them, or a staff member losing a run sheet with client names on it.
According to the Office of the Australian Information Commissioner, an eligible data breach occurs when:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds;
- the loss of information is likely to result in serious harm to one or more individuals; and
- the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.
So what should you do in the case of a data breach?
“If the Privacy Act 1988 covers your organisation or agency, you must notify affected individuals and us when a data breach involving personal information is likely to result in serious harm.” – Office of the Australian Information Commissioner (OAIC)
Your organisation should be committed to protecting personal privacy, recognising that clients/residents, staff and volunteers have a reasonable expectation that you will appropriately manage any personal information and take steps to protect this information.
Have a plan.
Not only should you have processes in place for protecting data, you also need a data breach response plan that aims to mitigate the negative impact any data breach has on those you care for. Having a plan already considered and in place means you and your team can act promptly and effectively, and not only minimise any adverse outcomes but also help build and retain the trust your clients and the community have in your organisation.
The Office of the Australian Information Commissioner (OAIC) has guidelines on how to develop your own Data Breach Response Plan.
Contain the breach.
Take steps to stop the loss of any further personal or company information. If you have discovered a breach or potential breach that is the result of poor password management, immediately change the passwords for the relevant programs and accounts, especially where the same or similar passwords have been used elsewhere.
If information has been accidentally distributed, aim to regain any documentation in a timely manner. Where information has been disclosed verbally, discuss the need to prevent the further spread of information with relevant persons where possible.
Assess the breach.
Once you have determined what information has been breached and how, you will need to evaluate the risks and impact of the breach on clients, the organisation or other stakeholders. Where you identify that the breach has the potential to harm an individual you will need to take steps to remediate this risk.
One way to address the risk is to be open and transparent about any data breach with the relevant client and/or their family. You should include the person in your response planning, which may need to be modified on a case-by-case basis. No one likes to be kept in the dark: if you keep the person and their family updated on your response to the breach and monitor for adverse outcomes, it will go a long way towards regaining the trust you may have lost through the breach.
Report to OAIC where required.
If a review of the data breach indicates that serious harm is likely, the organisation must complete a statement for the Commissioner and alert affected individuals, informing them of the contents of the statement.
Review the incident.
By reviewing the incident, how it occurred and the impact it had on clients and the organisation, you’ll be in a better position to identify actions that can prevent future breaches. Implementing policies and procedures, or updating existing ones, that protect information and outline how to respond appropriately in the event of a data breach is just one way to support better information management and protection.
Educate your staff.
Not only do your staff need to understand what sensitive information is and how to protect it, they also need to be aware of what to do should they inadvertently disclose sensitive information or become aware of a data breach in the workplace.
Frontline staff may be the first people to become aware of a data breach, so educate them on your data breach response plan and, where a breach is accidental, ensure staff understand that you have a ‘no-blame’ policy to help people openly disclose when an error has been made. The sooner you know about a breach, the faster you can develop an appropriate response and mitigate the risk.
It is beneficial to have a policy and procedures for managing a data breach in place. That way, everyone knows how to manage data protection correctly and can respond appropriately and promptly if they become aware of a breach. If you are seeking an up-to-date set of policies and procedures for aged and community care settings, including policies on both protecting sensitive information and responding to a data breach, then check out the Total Quality Package from CDCS.
The Total Quality Package not only includes an up-to-date full suite of policies and procedures that take the hassle out of compliance, it also offers a wide range of aged care resources for you and your team.
Click here to book a time to discuss your organisation’s needs or simply head on over to the Total Quality Package and get immediate access to these valuable resources and much more.