We live in science-fictional times. You probably carry around a powerful computer that checks in with a range of multinational corporations a few times every minute, reports your location, stores your photos, records your footsteps, maybe even logs the fluctuations in your heartbeat.
Not for any sinister purpose of course. In fact you probably gave permission for your mobile phone to do all of these things. You zipped past the terms and conditions without reading them and tapped ‘ok’. But it’s important to remember that when you tapped ‘ok’ you were okaying a flow of information. You were giving the thumbs up to a relationship.
It’s a bit like when a patient enrols with a PHO (Primary Health Organisation) or signs up to a general practice. As a practitioner you’re not going to ask for permission every time you collect or disclose the information you need to provide care to that patient; they’ve entered a clinical relationship and they trust you’re going to handle that information properly.
A good relationship requires trust. And if or when that trust gets breached, for instance by information being released when it shouldn’t have been, agencies need to know what they’re going to do and act quickly.
When a breach happens, whether by sending a spreadsheet to a stranger or leaving a laptop on a park bench, there’s an inevitable temptation to hunker down and pretend nothing happened. That’s not the best thing to do. And in the future, as the law changes to require compulsory notification of privacy breaches that seriously affect people, it also won’t be the legal thing to do.
Agencies both large and small need to plan for compulsory breach reporting. It’s a change we strongly support. It’s not about increasing compliance costs, and it’s not about drowning people in information. It’s about acknowledging that health agencies expect people to trust them with their information, and that there should be a corresponding expectation of openness going the other way.
One common dilemma for organisations such as DHBs (District Health Boards), PHOs and GPs is who to tell when it comes to notifying a privacy breach. Do you call the Privacy Commissioner every time a letter gets left on the photocopier overnight? Conversely, where genuinely sensitive information is lost or disclosed accidentally, do you need to tell every single person who might be affected, just in case? And do you need to tell people about a breach where the news of it might cause more distress than the breach itself?
We wrote some guidelines for voluntary disclosure of privacy breaches a few years back that try to answer these questions. They’re pretty simple, and pretty sensible: stop the leak and work out what happened, evaluate the risks, decide who you need to tell, and stop it happening again. When you’re deciding who to tell, first ask yourself whether notification will help the affected people avoid harm.
We’ve had a number of agencies coming to us to let us know about breaches over the last few years. Based on this experience we think our guidance sets out a simple and effective process that will stay just as relevant as the law changes to require notification of serious privacy breaches.
For example, we had a visit from the CEO and senior staff of a DHB. They’d noticed, during a random audit of access logs, that a senior nurse was doing a lot of browsing of records for patients who weren’t under her care. They investigated further, and talked to the nurse, and as a result of those discussions they extended their audit back a number of years. The DHB discovered that the nurse had been doing extensive browsing of the medical records of her friends, family, VIPs and other staff members.
The DHB told us they had dismissed her from her position, in accordance with their serious misconduct policy. They decided to tell all of the staff who were affected, and the close family members whose records had been viewed multiple times. They assessed what information belonging to the VIPs and the nurse’s friends had been viewed, and made a judgment call in each case about whether telling those people directly would be the best thing to do.
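The audit that caught the nurse above comes down to one question asked of every record view: did this user have a treatment relationship with this patient on that day? The script below is an added illustration of that check, not code from this post or from any DHB. The log line format, the care-team table and the patient tags (staff, family, VIP) are all constructed assumptions; a real system would pull them from the clinical system’s audit log and roster. It also handles the edge case the post implies: a view after a care episode has ended is still flagged, and widening the `since` date is how an initial spot check becomes the multi-year audit the DHB ran.

```python
"""Flag EHR record views by staff with no treatment relationship to the patient.

Added illustration; not code from the post or from any DHB. The log format,
the care-team table and the patient tags are all constructed assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: audit log lines in an assumed "date key=value ..." format.
SAMPLE_LOG = """\
2019-03-04 user=n17 patient=P100 action=view
2019-03-04 user=n17 patient=P200 action=view
2019-03-05 user=n17 patient=P200 action=view
2019-03-06 user=n17 patient=P300 action=view
2019-03-06 user=n42 patient=P100 action=view
2017-11-02 user=n17 patient=P400 action=view
2017-11-03 user=n17 patient=P400 action=view
2017-11-09 user=n17 patient=P400 action=view
"""

# Constructed: treatment episodes as (user, patient, first day, last day).
CARE_TEAM = [
    ("n17", "P100", date(2019, 3, 1), date(2019, 3, 10)),
    ("n42", "P100", date(2019, 3, 1), date(2019, 3, 10)),
    ("n17", "P400", date(2017, 11, 1), date(2017, 11, 2)),  # episode ended 2 Nov
]

# Constructed: who each patient is to the organisation, used at triage time.
PATIENT_TAGS = {"P200": "staff", "P300": "vip", "P400": "family"}


def parse_line(line):
    """Turn one log line into (date, user, patient, action)."""
    stamp, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return date.fromisoformat(stamp), kv["user"], kv["patient"], kv["action"]


def has_care_relationship(user, patient, when, care_team=CARE_TEAM):
    """True only if the user was on the patient's care team on that day.

    A view the day after an episode closes therefore counts as unrelated.
    """
    return any(u == user and p == patient and start <= when <= end
               for u, p, start, end in care_team)


def flag_unrelated_access(log_text, since, care_team=CARE_TEAM):
    """Return (date, user, patient, action) for every view on or after
    `since` (ISO date string) that had no care relationship behind it."""
    cutoff = date.fromisoformat(since)
    flagged = []
    for line in log_text.splitlines():
        when, user, patient, action = parse_line(line)
        if when < cutoff:
            continue
        if not has_care_relationship(user, patient, when, care_team):
            flagged.append((when, user, patient, action))
    return flagged


def summarise_by_user(flagged, tags=PATIENT_TAGS):
    """Per user: number of unrelated views, views per patient, and which
    categories of people (staff, family, vip, other) were looked at."""
    acc = defaultdict(lambda: {"views": 0, "patients": defaultdict(int), "tags": set()})
    for _, user, patient, _ in flagged:
        acc[user]["views"] += 1
        acc[user]["patients"][patient] += 1
        acc[user]["tags"].add(tags.get(patient, "other"))
    return {u: {"views": s["views"],
                "patients": dict(s["patients"]),
                "tags": sorted(s["tags"])}
            for u, s in acc.items()}


if __name__ == "__main__":
    # A spot check of the current month shows n17 viewing a colleague and a VIP...
    print("recent:", summarise_by_user(flag_unrelated_access(SAMPLE_LOG, "2019-03-01")))
    # ...so widen the window by years, as the DHB did, and the family views appear too.
    print("since 2016:", summarise_by_user(flag_unrelated_access(SAMPLE_LOG, "2016-01-01")))
```

The per-user summary is what the breach-notification decision in the post needs: not just a count of views, but which patients and which kinds of people (staff, close family, VIPs) were looked at and how often, so each group can be handled on its own merits.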
Another visit was from a health research agency who laid out an unfortunate story where the chief researcher handed over a body of identified research data to his junior without having first gone through the expected, and legally required, ethical approvals. The information was stored on a laptop, unencrypted and unsecured and was subsequently stolen out of the junior’s car.
So the chief researcher put another copy of the entire dataset, which covered many thousands of people, onto a USB memory stick and gave it to the researcher with an exhortation to be more careful. Then when that memory stick got lost in turn, there was a very awkward discussion at the agency, following which we got a call and a visit from their Chief Executive.
Our advice, which the agency followed, was first to triage the information that had been lost, and then to make a careful decision about who needed to be told about the accidental disclosure and what the agency was going to do about it. So they looked over the kinds of information that had been accidentally released and divided it into risk categories, based both on what might go wrong if the affected people weren’t told and on what might go wrong if they were.
Health information is nearly always provided in the context of a relationship, and good relationships require trust. Any agency with sensitive information runs a risk of it being lost, stolen or mishandled, and while you can do everything you can to prevent it, mistakes will still happen. Act quickly to deal with mistakes and you will safeguard the trust of your patients and your peers.