How to: Manage a Privacy Breach
If you become aware of a privacy breach in your area, these are the steps you should take to manage the breach.
Who do I inform of the breach?
If you become aware of a breach, you must immediately notify your line manager. The breach may also need to be reported to your local senior manager.
Metro North Health must also be officially notified of the breach. You can do this by contacting any of the following people:
- Metro North Director of Health Information Policy Access and Coordination
- Privacy Confidentiality Contact Officer (PCCO)
- Health Information Services Director
Retrieve the information and contain the breach
Try to contain the breach and retrieve the information if possible. You can do this by:
- confirming with the recipient that they understand the information is confidential and is not to be disseminated further, and
- offering to send them a reply-paid envelope so they can return the information at no cost to them.
If the information is electronic, confirm that the recipient has deleted it, not only from their inbox but also from their deleted items folder.
Seek advice
You should seek advice from your relevant privacy contacts and assess why the breach occurred. For example, was it a deliberate or malicious act, or was it just an honest mistake or accident?
The breach must be referred to the Metro North Ethical Standards Unit if:
- it involved staff accessing a computer system they should not have accessed; or
- it occurred due to deliberate, intentional or malicious action.
Preventing a breach in future
You should consider how to prevent a repeat occurrence in the future. For example, you may need to change an administrative process so that correspondence is less likely to go in the wrong envelope. Do team members need more training? If the breach was an honest mistake or accident, staff may need clarification on the correct processes.
Do you need to notify the affected individual?
You should also assess, with the help of your privacy contact, whether the individual whose information was breached should be notified. Notification should occur where there is likely harm to the individual and they can take steps to protect themselves. For example, if a credit card number was compromised, the individual should be notified so that they can cancel their card and have their bank issue a new number. However, where the breach is well contained (e.g. only one person has seen the information, they understand that it was confidential and they have not disseminated it) and there is no obvious benefit in notifying, it may be unhelpful to notify the individual, as it may worry them unnecessarily in circumstances where the risk of harm to them is minimal.
In some circumstances it will not be possible to contain the breach or to know exactly who has been affected by it (e.g. patient files falling off the back of a truck onto a road). It may then be necessary to publicly disclose the breach to try to minimise any harm to affected individuals. This option will be considered in consultation with relevant privacy contacts and senior management.
Essential Contacts
MNHHS: Director, Health Information Policy Access and Coordination
Ph: (07) 3647 9753
Email: privacymetronorth@health.qld.gov.au
RBWH: Manager, Information Access Unit
Ph: (07) 3646 7423
Email: IAU-RBWH@health.qld.gov.au
TPCH: Director, Health Information Services
Ph: (07) 3139 4288
Email: IAU-TPCH@health.qld.gov.au
Caboolture-Kilcoy: Director, Health Information Services
Ph: (07) 5316 3943
Email: Cab-HIS-IAU@health.qld.gov.au
Redcliffe: Director, Health Information Services
Ph: (07) 3883 7029
Email: CIA-Redcliffe@health.qld.gov.au
STARS: Director Health Information Services
Ph: (07) 3647 6009
Email: Megan.Wallace@health.qld.gov.au
Metro North Ethical Standards Unit
Phone: (07) 3646 1566
Email: mn-esu@health.qld.gov.au
Updated: June 2023