Businesses that hold confidential and private client or patient information are obliged to properly secure that information at all times, but you would be surprised to know the “creative storage solutions” some businesses come up with, writes privacy lawyer MATTHEW WICKS.
One medical centre discovered the legal consequences of failing to meet these obligations when its records were found to have been stored in a garden shed, a fact that was anonymously reported to authorities.
The investigation by the Australian Privacy Commissioner into this case serves as a timely reminder to ensure your business's handling of personal information is done in a responsible and considered manner, and in compliance with the amended Privacy Act 1988 (Cth).
Following the discovery of confidential patient files in a locked garden shed, the Pound Road Medical Centre (PRMC) was found to have breached the Act by failing to take reasonable steps to ensure the security of personal information it held, and also failing to destroy or permanently de-identify the information.
PRMC moved its operations to new premises in April 2011, and in doing so, left certain boxes of paper files behind at its old site. The boxes were subsequently moved to a garden shed at the back of the old site, so that the premises could be renovated and prepared for sale. In November 2013, the shed was broken into and the medical records were compromised.
The Australian Privacy Principles (APPs) require that businesses take reasonable steps to protect information “from misuse, interference and loss; and from unauthorised access, modification or disclosure.” In this instance, the Commissioner found that PRMC had not taken reasonable steps to protect its patients’ information.
In particular, the Commissioner stated that he “did not consider there to be any circumstances in which it would be reasonable to store health records, or any sensitive information, in a temporary structure such as a garden shed. …PRMC’s failure to take reasonable security steps was also exacerbated by the fact that it did not identify or deal with health records stored at the site for a period of more than two years following its relocation.”
Ensuring Security of Information
While physical security is a vital part of ensuring personal information is not inappropriately accessed, organisations also need to consider what other steps might be reasonable to keep information secure, such as:
- Monitoring the movement of physical files, particularly during an office relocation or merger;
- Regularly reviewing the content of files, to ensure that any information no longer required can be securely disposed of or de-identified;
- Implementing physical access controls;
- Regularly and diligently monitoring and guarding the location in which information is stored; and
- Ensuring electronic files are encrypted and appropriate encryption key management processes are in place.
In his comments following the PRMC investigation, the Commissioner observed that an organisation’s response to a breach of privacy, and attempts to mitigate damage, are relevant when considering what, if any, penalties the Commissioner might impose.
Responsive actions your organisation could take in the event of a breach include:
- Developing a data breach response plan;
- Conducting thorough training with all employees to ensure they understand the obligations of both the organisation and them personally under the Act;
- Implementing a system to ensure physical information is reviewed annually and any old or obsolete information is de-identified or securely destroyed, as appropriate.