Privacy at first sight (Part 2) How do providers gain compliance?

Please join Mike Up with Michael Dalichau. A conversation with expert business leaders. Michael has a conversation with leaders via his podcast, providing another channel for connection during the complex changes facing the Australian Aged Care Industry. Michael believes the inner pull to change and the external need for change are linked.  Based on the data we analyse at Mirus Australia and meetings with business leaders, it’s our experience that many are feeling overwhelmed by the noise and current demands across the entire aged care system. Mike Up provides continued education and bite-sized information that is easy to digest and challenges people to keep asking questions, discover more and consider what needs to be changed.

Michael has a conversation with Alec Christie, Partner & Asia Pacific Digital Law Leader at EY

Thanks, Alec for joining us again.  So how do providers gain compliance?

“You start the steps to compliance by understanding where you are right now. There has to be a review, an audit and a check process. It can be done internally but, in my experience, an external and independent review works better. Ideally, the review will highlight the gaps, it should provide recommendations and help prioritise the recommendations by importance.

A review will help determine where to invest both your budget and your resources. Even for providers who may have had a successful privacy compliance review, we are still seeing in Australia the need for an overarching Privacy Risk Management Framework to be adopted by organisations. This ensures you have a data breach response plan and other key policies and ensures you start preparing for the future. So, when a new project starts you already have the framework in place under which to consider such, from a privacy point of view. Finally, in the sector, there has not been adequate attention on the role & responsibilities of a Privacy Officer. This may not be a full-time job, but the Privacy Officer can no longer be 10% of someone’s time. It is not just overseeing issues but also considering PIAs and working through privacy by design when a new project commences ensuring compliance. A dollar spent on privacy at the beginning of a project will save $10 if you have to retrofit your solution when the regulator comes knocking.”

Can you please provide more information about what exactly a PIA is?

“A privacy impact assessment or “PIA” is a tool used anytime you bring in a new system or a new business that is acquired or a new data processing agreement or with a new 3^rd party provider, to assess the impact of or identify the privacy risks before they arise. It’s to prevent a ‘gotcha moment’ six or twelve months down the track, embedding privacy (or privacy by design) from the start.”

Are outsourcing data functions legal?

“This is similar to the question: Should I put my money in a bank or is it safer in my desk drawer at home?!  If you conduct a PIA and consider the privacy implications then outsourcing may actually be (and often is) privacy enhancing. If your core business, for example, is not data analytics and you engage a service provider whose core expertise is this, you can almost guarantee an uplift from your current privacy position! Of course, you just can’t give your personal information to an outsource service provider and forget about it. As an organisation you still have parallel privacy obligations including ensuring the third party is privacy compliant.”

What are a couple of practical tips to protecting or sharing data you can give us?

“Generally speaking, aged care and health care are in the consent privacy regime that we mentioned earlier. It’s not simply notifying people it’s actually gaining their consent to collect and use their health information. So, the key tip is to get the process right in terms of delivering a privacy statement and obtaining consent, (i.e. for what you will be using this data for.) Obtain the consent once for as much as possible: as mentioned in (Part 1) where we talked about the ‘cannot’s’ and think about:

• What do you want to collect?
• Who do you want to disclose it to?
• What do you need to get consent for?

If your privacy statement covers all these and consent to it is obtained from the resident, the guardian, the trustee or the family, whichever for example is appropriate you will not only comply but avoid having to go back and seek consents every time you need to use or disclose the information or “Do it right, do it only once”!

How do you know if you need to report a breach?

“This is the number one issue across all industries, the ability to detect and assess data breaches. Briefly, eligible data breaches are those data breaches likely to cause any of the people involved serious harm. So anything that can cause significant hurt, embarrassment, financial cost, reputational issues is an eligible data breach. If it’s health-related, it’s pretty much an eligible data breach (i.e. will cause serious harm) unless you can remedy it quickly so no serious harm actually occurs.

For example, a bank may send the wrong statement to the wrong customer. The bank has a relationship with the customer so phones or emails and that customer (who received the wrong statement) confirms that they haven’t read it, copied it or used it and the bank receives confirmation from them that the statement has been destroyed. If the bank is satisfied that the problem is resolved and no serious harm has occurred, then this is no longer a notifiable data breach that needs to be notified.”

If it’s a notifiable data breach what are the consequences?

“Firstly, you have to notify all the affected individuals and the Privacy Commissioner. This step makes it very public or “front-page news” and will probably trigger an investigation by the Privacy Commissioner. I have clients in the past who have done a perfect mandatory notifiable data breach assessment and reporting procedures. However, when the Privacy Commissioner has investigated them, they have found other things! For example, they have found that they keep their records to long and are therefore in breach of the Privacy Act. This will mean damages, potential fines up to $2.1 million and embarrassment by appearing in the news and a public determination by the Commissioner.”

Thanks Alec, what should our podcasters takeaway?

“I hate to espouse more doom and gloom, especially with a Royal Commission in progress, but my prediction is the Royal Commission will address privacy and how the sector is (or is not) managing it.  But even if it doesn’t, the ‘tide has to rise’ and the whole sector has to improve privacy compliance as I don’ think there will be anywhere to hide after the Royal Commission.”

Thank you for joining us, Alec. Please join us for Privacy at First Sight (Part 1) What is Privacy? with Alec Christie.

Alec Christie is the Asia Pacific Digital Law Leader at EY, which includes data privacy, IP and IT and has been recognised as a “Leading Lawyer” in each of these areas since 1998. Alec has been awarded by Best Lawyers Australia as one of Australia’s best (i) Outsourcing lawyers and (ii) Data Privacy & Security lawyers. He has also been recognised as Who’s Who Legal as one of Australia’s best Information Technology lawyers, specifically known for privacy. Alec has particular expertise in providing Digital Law solutions in the financial services, health/life sciences, online media and entertainment sectors and Government across the Asia Pacific region. If you’d like us to talk about a specific topic with an expert business leader, please request a podcast here!