Australia Data Privacy Landscape Resources for Healthcare
RECOMMENDED CHANGES THAT HAVE BEEN AGREED ‘IN PRINCIPLE’ (and therefore are still being considered)
- The Right to be Forgotten, and other individual rights for Australians, including requesting an explanation of what has been done with their personal healthcare information and from where it was sourced; objecting to information handling practices; erasure of personal information.
- A ‘fair and reasonable’ test for data collection.
- Healthcare organisations may need to state maximum or minimum data retention periods.
- The OAIC may require notification of data breaches within 72 hours.
KEY AGREED TO CHANGES
- Clarification of definitions including ‘de-identification’ and ‘disclosure’.
- Alignment with GDPR on using the terms ‘controllers’ and ‘processors’ of personal data.
- Removal of the 1988 Privacy Act’s SMB exemption, but only if they are utilising biometric information or trading personal data.
- Healthcare organisations must take ‘reasonable’ steps to protect personal data, with the OAIC due to provide further guidance.
- Streamlining of data breach reporting processes.
Four Data Privacy Implementation Considerations in 2024
01
DATA PRIVACY IS A HEALTHCARE ORGANISATION’S RESPONSIBILITY
The protection of patient data held by your healthcare institution is now considered 100% your responsibility. This means data privacy should be seen as an executive priority, and many of the Data Privacy Review’s ‘agreed in principle’ recommendations are worth adopting now.
04
PROACTIVE DATA MANAGEMENT DRIVES VALUE
Data shouldn’t be seen as a burden, but as a key asset for a healthcare institution. Protecting patient data, especially as it flows between data processors for research, analytic usage, and training scenarios, should be a given, so that healthcare providers can focus on leveraging this data to achieve a competitive edge and create better patient outcomes.
The Cost of a Healthcare Data Breach
What Does This Mean for Your Healthcare Organisation?
Responsibility for privacy is shifting from the patient, and healthcare service providers will be expected to comply. We recommend healthcare leaders bear in mind three golden rules, which will help future proof their institutions from upcoming changes:
- Healthcare providers need to show regulators, patients and other stakeholders that they are taking serious steps to protect sensitive patient health information (PHI), both through privacy principles, processes and cyber maturity.
- Healthcare organisations will be expected to explain how and why they collect the data they store, who has access, what it is used for, and if it can be deleted if requested. This means, at the very least, having a complete picture of data files and repositories.
- Healthcare leaders and organisations are being held to task by the government, via fines stipulated in the Privacy Act, while regulators like ASIC have already started making examples of institutions that are not up to scratch.
By 2024, modern privacy regulation will blanket the majority of consumer data, but less than 10% of organizations will have successfully weaponized privacy as a competitive advantage.