Hot Topic: Protection of People’s Private Information

Compliance
Written By Roland Naufal & Paula Spencer

3 minute read

With recent high profile data breaches and more changes to the Privacy Act in the pipeline, protecting privacy is indeed a hot topic for managers.

The development and review of privacy management systems is a priority governance and risk management issue. Aged Care Providers collect and store significant amounts of personal information and a lot of it’s shared with frontline staff. This makes the protection of people’s personal information an area of big risks for both clients and organisations.

And providers are struggling to get it right. The Office of the Australian Information Commission (OAIC) in its January to June 2023 report identified that the health services sector including aged care, had the highest number of privacy breaches reported. It is chilling to read the data and find only 51% were due to malicious or criminal attack compared to 70% for all sectors. A whopping 49% in health services were due to human error.  

Human error includes actions such as accidentally sending people the wrong email, sending a group email without hiding recipients address (who has not done that?) and losing paperwork.

That data is telling us our sector is quite likely to do the wrong thing, simply by mistake. And we know an apology doesn’t always solve the problem when it comes to a privacy breach.

Here’s a quick reminder of the breadth of peoples’ private information we need to protect. OAIC defines health information as information about a person’s health or disability. Some examples include:

  • Diagnosis

  • Information about received or planned health services

  • Case notes containing information relating to health, such as details of what was discussed at appointments, treatment plans etc

  • Specialist reports and test results

  • Prescriptions and other pharmaceutical purchases

The Code of Conduct for Aged Care already requires that providers and their staff act with respect for this information, taking into account people’s need for self-determination, decision-making control and privacy. And the Commonwealth Privacy Act requires that the people whose information is being collected:

  • Are informed of why their personal information is being collected, how it will be used and who it will be disclosed to.

  • Can remain anonymous or use a pseudonym in certain circumstances.

  • Can ask for access to their personal information.

  • Can ask for their personal information to be updated or corrected.

  • Can request that they do not get sent direct marketing.

  • Can make a complaint if they believe their personal information has been mishandled.

Recent changes to the Privacy Act have increased penalties and enforcement for data breaches when personal information is lost or is accessed by someone who is not supposed to see it. And as we already noted, one of the scariest things about data breaches in our sector is almost half of it is down to human error.

It is vital that providers upskill staff to understand what private information is and how to protect it. Staff need to be aware of just how easily mistakes can get made.

And the bar is getting higher, the Federal Government is currently developing changes to the Act to strengthen the protection of people’s personal information and the control they have of their own data. One of the proposed changes is to require companies to provide individuals with ‘reasonable assistance’ to understand and exercise their privacy rights. It is also proposed that the Act include the need for supported decision making in regard to capacity and consent. This will mean that, where required, people will have to be supported to understand their rights and what they are consenting to.

It is expected that the draft legislation will be finalised in 2024, with a transition period planned for compliance to be achieved.

Providers who have an effective privacy management system in place, which includes ways to ensure participants rights and wishes are sought, listened to, and respected, will likely be on the front foot. You’ve got to think that’s a better alternative to being in the media spotlight answering questions about your organisation’s privacy breach.

The OAIC have guidance to assist organisations to develop their privacy system and to assess its effectiveness. For further information go to www.oaic.gov.au/privacy.

We are busy trying to build an audience for these Essential Briefings, so if you found this article useful it would be fabulous if you share it with other people you think might like it too.

Featured
Roland Naufal & Paula Spencer

Roland Naufal

Roland has built (and at times threatened) his career by being outspoken about things that matter. He has over three decades of experience – from aged care CEO and Age Friendly Cities expert to the founder of DSC, Australia’s best known NDIS educators. This led him to ask the question: if radical honesty worked for Australia’s disability sector, then why not aged care, too? And here we are, folks.

Paula Spencer

Paula knows her way around a risk matrix. She’s an expert in writing policies, frameworks, procedures, and training material that’s tailored to the frontline and ticks all the right boxes. She eats compliance complexity for breakfast and brings it back simple so that we can digest it (bet you wondered where this bio was going).

Continue Reading

Roland Naufal & Paula Spencer
Previous

Reform Roadmap or Roadkill?
Next

Do in-home and community based aged care workers need to be vaccinated for COVID-19?