With the Australian Privacy Principles coming into force on 13 March, optometrists should ensure their electronic patient record storage practices are compliant.
The principles, or APP, apply to any Australian businesses that have a turnover of more than $3 million a year. As optometrists have a responsibility to safeguard sensitive patient information, the APP apply to all optometrists regardless of turnover.
Fines are calculated in penalty units and will often reach over $1 million for businesses while individuals can be fined hundreds of thousands of dollars.
If an overseas entity breaches the APP, the Australia-based partner will be liable for the acts and any omissions of the overseas entity.
Australian businesses have been strongly encouraged to re-examine any contracts they have with data suppliers and ensure an overseas entity has agreed to comply with the Privacy Act 1988 and the APP.
As well as agreeing to comply, the overseas supplier must have strong measures in place to retain security of private records. It is the business owner’s responsibility to show due diligence when choosing a data storage provider.
The Australian Computing Society has created a cloud computing special interest group to track the legislative changes.
It has requested that the government embark on an extensive education and awareness campaign on the changes in cloud storage law and regulation.
The society has urged all cloud computing providers to follow the international standard for security management: ISO 27002.
Allen Haroutonian is the business developer of cloud provider OrionVM, the New South Wales convenor of the Australian Computing Group and the AusCloud Forum.
‘A lot of lawyers in Australia are scaremongering, saying you need to pay us $100,000 to do a risk assessment and privacy audit for you,’ he said.
Mr Haroutonian said the safest option for optometrists was to select an Australian-owned and operated cloud storage provider that was familiar with Australian law.
‘There is a huge influx of data centres being brought online in Australia. There’s quite a few that have been around for a while, but there has been a sudden increase of providers starting new centres.
‘Rather than us going offshore to get a good deal, we are getting them popping up everywhere. This is a good thing as latency is an issue. Cables to Asia and America do tend to get congested,’ he said.
‘For every legitimate Australian cloud provider out there that is enterprise grade with a high level of governance and control, there are five small-fries who think just because they can buy some second-hand servers and install those in their garage, they can open a cloud hosting service,’ Mr Haroutonian said. ‘All clouds are not created equal.’
Mr Haroutonian said that the international standard could be very expensive for a cloud storage provider to obtain. He said that after certifying, many providers had decided to adopt the ISO protocol but without the expensive recertification and employee costs.
Compliance tips to help you
Paul Tsaousidis of Avant Mutual Group Limited offers helpful hints to reduce risk in your business.
Be familiar with the new Australian Privacy Principles (APP) generally as they deal with the life cycle of personal information, from its collection, use, disclosure and security, through to its access and correction.
In particular, be familiar with APP 1, which positively requires practices to take reasonable steps to implement procedures and systems that will enable a practice to comply with APP, and to deal with enquiries or complaints about the practice’s compliance with APP.
In relation to data security, APP 11 requires that practices must take reasonable steps to protect personal information that they hold from misuse, loss, unauthorised access and disclosure. There is a new requirement that practices also protect personal information from interference.
For electronic records, regularly back up your data off site. If this is being managed for you by an IT service provider, make sure they regularly report that data has been backed up successfully.
Staff should be required to use passwords to access the practice’s computer-based medical records system, and those passwords should be changed on a regular basis. Computer screens should not be positioned so that a patient’s personal information can be viewed by third parties.
Hard copy records, whether awaiting the attendance of a practitioner or in storage, must not be in view of third parties; at all other times they must be securely stored and inaccessible to non-authorised persons.
If patient information is to be stored in a cloud-based system located overseas, APP 8 requires practices to take reasonable steps to ensure that the overseas recipient does not breach APP.
There are exceptions to this, including where the overseas recipient is subject to a similar law or binding scheme with protections substantially similar to APP, and there is a mechanism for an individual to enforce the protections provided by that law or scheme; or the individual consents after being expressly informed that information will be sent overseas.
Consider the integrity of the cloud-based system to protect patient data from unauthorised access. Review your contract with an overseas cloud service provider. Consider having a contract with the overseas cloud service provider that requires them to comply with APP. Also consider requiring a written commitment from the cloud service provider that your data is kept on servers in data centres in Australia, as this will avoid the privacy complexities involved with storing data overseas.