Sunday, February 12, 2017

This Has Some Real Implications For All Those Handling Patient Data. The Game Has Changed!

This appeared late last week.

Data breach notification bill receives bipartisan backing

Legislation for mandatory data breach notification scheme passed by lower house
07 February, 2017 13:29
Australia is a step closer to having a mandatory data breach notification regime, after a bill to create such a scheme today received bipartisan support in the House of Representatives.
The government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 in October. The bill has yet to be introduced in the Senate.
Under the bill, if an organisation subject to Privacy Act obligations suffers an “eligible data breach”, it is obliged to notify both the Australian Information Commissioner and individuals whose data was affected by the breach.
Organisations subject to Privacy Act obligations include most Australian government agencies, businesses with an annual turnover in excess of $3 million, as well as a number of smaller organisations, such as those handling sensitive health data.
An eligible data breach is “unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity” where “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates”.
A 2008 Australian Law Reform Commission review of Australia’s privacy laws recommended the introduction of a mandatory breach notification scheme. An attempt in 2014 to introduce a breach notification system through a private member's bill failed despite bipartisan support.
More here:
Even since this first article things have moved on:
Updated Feb 8 2017 at 3:27 PM

Mandatory data breach notification laws pass lower house

Mandatory data breach notification legislation is a step closer to being enacted after passing the lower house.
Technology industry groups have welcomed the passing of long-awaited mandatory data breach notification laws through the House of Representatives, but fears remain in business circles about unintended consequences.
The bill passed through the lower house with bipartisan support on Tuesday, having been on the government's agenda since early 2015, meaning organisations will have to reveal if their systems are compromised by cyber attack or technical failings. 
President of tech industry peak body The Australian Computer Society Anthony Wong said the bill was a "critical step forward in the elevation of data protection and cyber security issues" at the enterprise level.
Eligible breaches are those in which there is unauthorised access, disclosure or loss of personal information held by an entity and that access, disclosure or loss is likely to result in "serious harm to any of the individuals to whom the information relates".
"As we transition to a digital economy, now more than ever the focus must be on ensuring Australia captures the opportunities of the information age, while protecting the rights of the individual," Mr Wong said.
"In an era of big data, the protection and privacy of personal information must be a primary consideration in the planning and construction of large scale ICT systems, not an afterthought."
Mr Wong said the laws would give individuals that share their information with businesses and government greater confidence, and would raise awareness of the threats of lax security.
More here:
Given the level of support it can be assumed the Bill will become law; what will then matter is how the regulations are drafted to define the terms used in the law.
Given the sensitivity of health information we can be sure the regulations (and penalties) are likely to be firm to say the least.
All clinicians and support staff need to be alerted and trained in what will become new risks and obligations.
For electronic data this might be a good place to start!

ASD says eight cyber security steps are better

06 February 2017
Written by Ray Shaw
The Australian Signals Directorate (ASD) has developed eight cyber security steps that business, enterprise and government should take to help protect themselves against cyber attacks.
This is up from its previous four — application whitelisting, patching applications, patching operating system vulnerabilities, and restricting administrative privileges — and has been called the “essential eight”. As yet these have not been included in the protective security policy framework (PSPF) mandate and will be available on the ASD website shortly.
It says that while the essential four will prevent 85% of cyber attacks and have been mandatory for all Australian Government use since 2013, the extra precautions are a result of developments since then.
ASD says these are the essential eight and there are many more steps that could be taken. A range of publications are available on its website.
Lots more useful advice here:
David.
