Holdsworth House Dental Practice is committed to protecting the privacy of patient information and to handling your personal information in a responsible manner in accordance with the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the Australian Privacy Principles and relevant State and Territory privacy legislation. A data breach occurs when personal information that Holdsworth House Dental Practice holds is subject to unauthorised access or disclosure, or is lost. A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems. Holdsworth House Dental Practice is committed to the Australian Privacy Principles, and our ongoing efforts to ensure these are complied with minimise the likelihood of a data breach. The Notifiable Data Breaches (‘NDB’) Scheme that is outlined in the Privacy Act requires Holdsworth House Dental Practice to notify affected individuals and the Privacy Commissioner of ‘eligible data breaches’, which occur when certain criteria have been met. In instances when it is not clear if a suspected data breach meets the specified criteria, Holdsworth House Dental Practice will conduct a thorough assessment and respond appropriately.

Data Breach Response

Effective data breach response is about reducing or removing harm to affected individuals and protecting the interests of Holdsworth House Dental Practice. Eligible data breaches are dealt with on a case-by-case basis; however, they typically follow a four-step process:

1. Contain: If Holdsworth House Dental Practice confirms that a data breach has occurred, we will take immediate action to limit the data breach to prevent any further compromise of personal information.
2. Assess: Holdsworth House Dental Practice will gather and evaluate as much information about the data breach as possible, as this will enable us to understand the risk of harm to individuals and help Holdsworth House Dental Practice to determine the steps to limit the impact of a data breach.
3. Notify: If Holdsworth House Dental Practice believes that the breach fits the definition of a notifiable data breach, a statement will be prepared for the Privacy Commissioner and the affected individuals will be notified.
4. Review: Senior Management will undertake a comprehensive review of the incident and take the relevant actions to prevent future breaches.

Assessing a suspected data breach

If Holdsworth House Dental Practice suspects it has experienced an eligible data breach, it will act quickly to determine if one has occurred. Assessments are typically completed using the following three-stage process:

1. Initiate: Holdsworth House Dental Practice will decide whether an assessment is necessary and identify which person or group is responsible for completing it. This is typically Senior Management and the IT Project Co-ordinator.
2. Investigate: Holdsworth House Dental Practice will expeditiously gather relevant information about the suspected breach to determine both whether the breach occurred and whether it would result in serious harm to an individual.
3. Evaluate: Holdsworth House Dental Practice will make a decision about whether the identified breach is an eligible data breach and notify individuals and the Privacy Commissioner as required.

Holdsworth House Dental Practice will take all reasonable steps to complete the assessment quickly, up to a maximum of 30 calendar days.

Notifying individuals about an eligible data breach

If Holdsworth House Dental Practice experiences an eligible data breach, its first priority is to contain the breach and take remedial action. If serious harm cannot be mitigated by remedial action, Holdsworth House Dental Practice will notify the affected individuals at risk of serious harm and provide a statement to the Privacy Commissioner. If an eligible data breach has been confirmed, Holdsworth House Dental Practice will notify individuals affected as soon as practicable after completing the official statement prepared for notifying the Privacy Commissioner.

Notification has the practical benefit of providing individuals with the opportunity to take steps to protect their personal information following a data breach, such as by changing account passwords or being alert to possible scams resulting from the breach. It is important that staff are capable of engaging with individuals who have been affected by a data breach with sensitivity and compassion, in order not to exacerbate or cause further harm.

Notification of an eligible data breach must include:

- The identity and contact details of the practice
- A description of the data breach
- The kind of information involved in the data breach
- Recommendations about the steps that individuals should take in response to the data breach

For a copy of our full data breach policy, please contact email@example.com. Please also direct any queries, complaints, or requests for access to medical records to firstname.lastname@example.org.