Home/Manage a Privacy Breach
Manage a Privacy Breach2023-06-13T10:54:45+10:00

How to: Manage a Privacy Breach

If you become aware of a privacy breach in your area, these are the steps you should take to manage the breach.

Contents

    Who do I inform of the breach?

    If you become aware of a breach, you must immediately notify your line manager. The breach may need to be reported to your local senior manager.

    Metro North Health must be also be officially notified of the breach. You can do this by contacting any of the following people:

    • Metro North Director of Health Information Policy Access and Coordination
    • Privacy Confidentiality Contact Officer (PCCO)
    • Health Information Services Director

    Retrieve the information and contain the breach

    Try to contain the breach and retrieve the information if possible. You can do this by confirming with the recipient that:

    1. they understand the information was confidential, and
    2. not for further dissemination and
    3. offering to send them a reply-paid envelope to return it at no cost to them. If the information is electronic then you should confirm that they have deleted the information, not only from their inbox but also from their deleted items.

    Seek advice

    You should seek advice from your relevant privacy contacts and assess why the breach occurred. For example, was it a deliberate or malicious act, or was it just an honest mistake or accident?

    The breach must be referred to the Metro North Ethical Standards Unit if:

    • involved staff accessing a computer system that they shouldn’t have; or
    • if the breach occurred due to deliberate, intentional, or malicious action

    Preventing a breach in future

    You should consider how to prevent a repeat occurrence in the future. For example, you may need to change an administrative process so that it is less likely that correspondence will go in the wrong envelope. Do team members need more training? Staff may need clarification on correct processes if the breach was an honest mistake or accident.

    Do you need to notify the individual breached?

    You should also assess with the help of your privacy contact whether the individual whose information was breached, should be notified. Notification should occur where there is likely harm to the individual and they can take steps to protect themselves. For example, if a credit card number was compromised, the individual should be notified so that they can cancel their card and get a new number issued by their bank. However, where the breach is well contained (e.g. only one person has seen the information and they understand that it was confidential and have not disseminated it) and there is no obvious benefit in providing the notification, then it may be unhelpful to notify the individual as it may worry them unnecessarily in circumstances where any risk of harm to them is minimal.

    In some circumstances it won’t be possible to contain the breach or to know who exactly has been affected by the breach (e.g. patient files falling off the back of a truck onto a road). It may be necessary to publicly disclose this information to try and minimise any harm to affected individuals. This option will be considered in consultation with relevant privacy contacts and senior management.

    Essential Contacts

    MNHHS: Director, Health Information Policy Access and Coordination

    Ph:                   (07) 3647 9753

    Email:             privacymetronorth@health.qld.gov.au

    RBWH: Manager, Information Access Unit

    Ph:                   (07) 3646 7423

    Email:               IAU-RBWH@health.qld.gov.au

    TPCH: Director, Health Information Services

    Ph:                   (07) 3139 4288

    Email:               IAU-TPCH@health.qld.gov.au

    Caboolture-Kilcoy: Director, Health Information Services

    Ph:                   (07) 5316 3943

    Email:               Cab-HIS-IAU@health.qld.gov.au

    Redcliffe: Director, Health Information Services

    Ph:                   (07) 3883 7029

    Email:               CIA-Redcliffe@health.qld.gov.au

    STARS: Director Health Information Services

    Ph:                   (07) 3647 6009

    Email:               Megan.Wallace@health.qld.gov.au

    Metro North Ethical Standards Unit

    Phone:                (07) 3646 1566

    Email:               mn-esu@health.qld.gov.au

     

    Values in Action

    Updated: June 2023

    Back to top