Privacy, information access and data security law.
In this digital age, data security and privacy are serious concerns for everyone, whether in business or not. Overlapping State and Federal legislation can create a myriad of responsibilities for the holders of personal information and restrict the way databases can be used. In addition, people in Queensland are given rights to access certain information held by a range of agencies, patients are given rights to access information held by healthcare providers and, at times, even rights to correct errors in their health records.
Navigating these rafts of legislation can be a proverbial minefield, yet the consequences of a failure to comply strictly can be devastating for a business. At Travis Schultz & Partners we can help to find a path through the maze: we provide advice, train business teams and assist in managing governance issues where privacy law and data security are concerned.
The Commonwealth Privacy Act now contains a Notifiable Data Breaches Scheme which is regulated by the Australian Information Commissioner. The scheme requires compulsory notification of an “eligible data breach” – where the breach is likely to result in serious harm to an individual to whom the information relates.
Not all data breaches are “eligible”. For example, a data breach that can be quickly remediated without any damage, or that is not likely to result in serious harm, does not have to be reported. If a breach is notifiable, notice must be given not only to the Office of the Australian Information Commissioner but also to any individuals who are affected.
Where personal information is compromised by a data breach, the breach is more likely to be notifiable where the compromised information concerns an individual’s health, their financial affairs or personal details that might be used for identity fraud, because the risk of serious harm is greater. Significant penalties apply to any business or organisation that fails to comply.
Health care professionals
Because of the sensitivity that applies to data and records held by healthcare professionals (including both medical practitioners and allied health care professionals), the obligations imposed by State and Federal legislation can be onerous.
Not only are healthcare professionals subject to the Australian Privacy Principles under the Privacy Act 1988 (Cth), but they can also be subject to the Information Privacy Act 2009 (Qld). The Information Privacy Act allows a patient to amend documents of Queensland Government agencies where they contain the patient’s personal information. Medical records held by private healthcare providers are accessible by patients under the Australian Privacy Principles: a person has a right to access personal information held by a private sector healthcare provider. That access may be refused only on a limited number of grounds, such as where giving access would pose a serious threat to the life, health or safety of an individual, would have an unreasonable impact on the privacy of other individuals, would be unlawful, or where there are other legal reasons why access should not be granted.