This blog is totally independent, unpaid and has only three major objectives.
The first is to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide.
The second is to provide commentary on e-Health in Australia and to foster improvement where I can.
The third is to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.
Sunday, February 12, 2017
This Has Some Real Implications For All Those Handling Patient Data. The Game Has Changed!
Under the bill, if an organisation subject to Privacy Act obligations suffers an “eligible data breach”, it is obliged to notify both the Australian Information Commissioner and individuals whose data was affected by the breach.
Organisations subject to Privacy Act obligations include most Australian government agencies, businesses with an annual turnover in excess of $3 million, as well as a number of smaller organisations, such as those handling sensitive health data.
An eligible data breach is “unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity” where “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates”.
A 2008 Australian Law Reform Commission review of Australia’s privacy laws recommended the introduction of a mandatory breach notification scheme. An attempt in 2014 to introduce a breach notification system through a private member's bill failed despite bipartisan support.
Technology industry groups have welcomed the passing of long-awaited mandatory data breach notification laws through the House of Representatives, but fears remain in business circles about unintended consequences.
The bill passed through the lower house with bipartisan support on Tuesday, having been on the government's agenda since early 2015, meaning organisations will have to reveal if their systems are compromised by cyber attack or technical failings.
President of tech industry peak body The Australian Computer Society Anthony Wong said the bill was a "critical step forward in the elevation of data protection and cyber security issues" at the enterprise level.
Eligible breaches are those in which there is unauthorised access, disclosure or loss of personal information held by an entity and that access, disclosure or loss is likely to result in "serious harm to any of the individuals to whom the information relates".
"As we transition to a digital economy, now more than ever the focus must be on ensuring Australia captures the opportunities of the information age, while protecting the rights of the individual," Mr Wong said.
"In an era of big data, the protection and privacy of personal information must be a primary consideration in the planning and construction of large scale ICT systems, not an afterthought."
Mr Wong said the laws would give individuals that share their information with businesses and government greater confidence, and would raise awareness of the threats of lax security.
The Australian Signals Directorate (ASD) has developed eight cyber security steps that business, enterprise and government should take to help protect themselves against cyber attacks.
This is up from its previous four — application whitelisting, patching applications, patching operating system vulnerabilities, and restricting administrative privileges — and has been called the “essential eight”. As yet these have not been included in the protective security policy framework (PSPF) mandate and will be available on the ASD website shortly.
It says that while the essential four will prevent 85% of cyber attacks and have been mandatory for all Australian Government use since 2013, the extra precautions are a result of developments since then.
ASD says these are the essential eight, but there are many more steps that could be taken. A range of publications is available on its website.