Legal aspects of design
Presented by Karen Keogh, Partner, HWL Ebsworth Lawyers
Wednesday, 11 April 2018

Introduction
– Privacy by Design
– Security by Design
– Risk Management by Design

Is it really an issue?
Privacy Law

The Privacy Act 1988 (Cth)
– Regulates how personal information is handled in Australia
– Applies to private businesses:
  • with a greater annual turnover than $3,000,000, or
  • provide health services and hold health information, or
  • are contracted service provider for a Commonwealth contract (whether or not a party to the contract).

Australian Privacy Principles
– Open and Transparent
– Anonymity / Pseudonymity
– Collection
– Unsolicited information
– Notification
– Use or Disclosure
– Direct Marketing
– Cross-Border disclosure
– Government identifiers
– Quality
– Security
– Access
– Correction
Privacy by Design

“Instead of having settings spread across nearly 20 different screens, they’re now accessible from a single place” (It’s Time to Make our Privacy Tools Easier to Find, 28.03.18)

The object of this principle is to ensure that APP entities manage personal information in an open and transparent way. (APP 1)

Privacy by Design
Foundational Principles
– Proactive
– Privacy as default
– Embed privacy to design
– Retain full functionality
– Ensure end to end security
– Maintain visibility and transparency
– Respect user privacy
Privacy by Design
Health Industry
– UK ICO reports health incidents ↑ 22%
  • Data posted or faxed to incorrect person
  • Data sent by email to incorrect recipient
  • Loss or theft of paperwork
Digital Health Industry
– Data breach notifications: 35 mandatory digital health notifications to OAIC 2016/17
– Notifiable Data Breaches Scheme from 22 February 2018
Red Cross Data Breach

Donate Blood Website
– Information retained at backend where part of the web server is publicly accessible
– Employee of contractor saved data to part of the web server which was publicly available
– Red Cross failed to implement contractual requirements

A data breach is not necessarily a breach of APP 11. Here, it was.
– Red Cross retained effective ownership although it did not physically hold the personal information
– OAIC was satisfied steps were taken to appropriately rectify the data breach
Privacy by Design
Data Analytics
– Valuable commodity: FB market cap fell $47 billion from 01/03 to 01/04
– De-identification: De-Identification Decision-Making Framework (OAIC / CSIRO Data 61)
– Privacy Impact Assessment: OAIC Privacy Impact Assessment eLearning (www.oaic.gov.au/agencies-and-organisations/training-resources/)

Security by Design
There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again. (Robert Mueller, former Director, FBI)
Security by Design

Liability
To avoid:
(a) Statutory liability (Company/Personal)
(b) Regulatory liability
(c) Third party claims
must implement measures to protect personal data (both technical and organisational)

Data Breach Training on potential security breaches
Insurance
Ad blocking; Anti-virus software; Back up
Response Plan
Security by Design
Prudential Standard CPS 234
APRA regulated entities
Board ultimately responsible for information security
Must have:
– Information security policy framework
– Direction on the responsibilities of all parties
– Controls on information assets managed by related / third parties
– Evaluate design and operating effectiveness of related / third party
– Information security incident plan
Notify APRA of an information security incident no later than 24 hours

Security by Design
Practical tips
– Only retain data for as long as necessary (APP 11)
  • Note: State based health records legislation
– Check third party contracts
– Check own and third party cyber insurance
Risk Management by Design
National Digital Health Strategy Framework for Action

Strategic Priorities
– Minimise medication errors
– Better availability and access to prescriptions and medicines information
– A workforce confidently using digital health technologies to deliver health and care

(Providers)
– Amend regulatory framework (States)
– Participate in training & education (Providers)
– Support & evaluate, education & training (States)
Risk Management by Design
Lau Inquest
Issue
– Did the introduction of the TrakCare electronic medical record system to Macquarie University Hospital cause or contribute to the death
Finding
– Whilst TrakCare did not cause … death, the initial prescription error was made easier due to a function of TrakCare of great utility – the ability to open and close different patient records from a single terminal. Prior to the introduction of electronic medical records, it was much more difficult to chart medication on the wrong patient file

Risk Management by Design
Lau Inquest
Yet…
– The main reason for the failure … the persistent failure to critical thinking by those involved in the care and treatment of …
Recommendations
– Working party to consider lessons learnt and to include IT representatives, anaesthetists, nursing staff, pharmacy, patient safety & quality manager
Team Contacts
Karen Keogh, Partner
P +61 2 9334 8884
E kkeogh@hwle.com.au
Adelaide | Brisbane | Canberra | Darwin | Hobart | Melbourne | Norwest | Perth | Sydney