Make privacy a priority
Privacy Awareness Week (PAW) 2021 – 3-9 May 2021
Jane Larkan, Health Information Manager, Mount Hospital (WA) and Meleah Herbert, A/Director Health Information Management, Royal Brisbane and Women’s Hospital (Qld)
OAIC Privacy Awareness Week (PAW) is the time for us all to reflect on and assess how important it is for us to make privacy a priority within our workplaces, whether in the traditional office setting or our work-from-home environment.
Our healthcare system has embedded many protocols to ensure we maintain privacy on a daily basis. The protocols are only as good as the compliance levels, and in the busy hospital setting, both public and private, it is easy for the focus on privacy to be overlooked amongst the many competing priorities, including the current COVID situation.
For Health Information Managers (HIMs) the focus cannot fade and it is our role, irrespective of whether or not we are the designated privacy officer, to continuously work on promoting, maintaining, educating and monitoring privacy performance.
HIMs should be the champions for privacy, protecting both patients and staff.
In the current healthcare environment we are all rapidly being forced to become more reliant on information technology. Previous methods of sending health information are slowly becoming redundant. There are fewer fax machines and the postal service is struggling to keep up with demand. More communications are reliant on emails and file transfer software to exchange information and operate more efficiently. It is imperative that HIMs are able to proactively assess and advise their organisations so that staff are given the right tools, including secure systems, to provide an excellent service whilst maintaining privacy standards and mitigating the risks of data breaches.
In the COVID environment we have all been challenged to work effectively from home. While we like to think of our homes as a safe space, most do not typically have the physical security infrastructure of our offices: dedicated work areas, restricted access, cabled network and access controls with logs, CCTV and so on. It is important we remain vigilant and take note of some privacy guidelines for working from home, which will also help in protecting your own data from potential threats when working at home or browsing online.
One of the most important lines of defence is to create secure, strong passphrases as these may be the best barrier to prevent the loss of personal information during a malicious or criminal attack. A few words with a combination of upper and lower cases, numbers and special characters are harder for machines to crack. This should extend to using different passphrases for each application or website; using one common passphrase is not advised.
Check and see if your organisation has or can establish a secure VPN to enable you to work in a secure network environment and not simply over the public network.
Ensure you have reliable security software installed and make certain you have automatic updates turned on. Check before sharing any personal information; you should be comfortable with how, where and why the information is going to be used.
Adjust your browser’s privacy settings to prevent access to your browsing habits and activities.
Always properly destroy any personal information prior to discarding. This includes safely deleting data from devices such as memory sticks or external hard drives.
For more information about making privacy a priority at home, OAIC has provided ten simple and effective tips, which are available online.
HIMs need to step up activity in support of the upcoming OAIC PAW. Our role is to make sure that all stakeholders in our organisations are exposed to privacy education, understand the need for privacy and know what to do if they identify an issue. Every single person has a role to play, from clinician to cleaner. Without awareness through education and promotion, each person has the potential to be a privacy breach or present the opportunity to prevent a privacy breach.
OAIC PAW is an opportunity for HIMs to lift awareness and create focus towards continuous improvement, embedding behaviours within their organisation focused on privacy when dealing with any personal information. All Australian Government agencies and businesses covered by the Privacy Act 1988 have a responsibility to protect all personal information they collect.
Meeting legal obligations and the public’s expectations around privacy will assist with building healthcare consumers’ confidence and trust.
We should be working on programmes and initiatives to:
- Establish a robust governance framework through policies, procedures and review processes
- Create privacy awareness throughout the hospital for all staff so that everyone appreciates that, like safety, privacy is everyone’s responsibility
- Train and educate to ensure staff have the skills and competencies required to protect privacy. Staff need to understand how personal information should be handled from collection, use and disclosure through to security and deletion/destruction
- Reduce the risk of data breaches caused by human error. A common example of human error is emailing (or bcc’ing) personal information to the wrong recipient. Staff need to be educated about these risks and controls need to be put in place
- Have strong processes and secure systems in place to protect personal information from misuse, unauthorised access or disclosure
- Physically secure personal information, especially for staff working from home. Computer screens should be angled so that they cannot be viewed by anyone else, devices should be locked when not in use and hard copies with personal information should also be securely stored and out of sight from unauthorised view
- Ensure a response plan and processes are in place to deal with any data breaches.
No system, reliant on human performance, is perfect. When a failure occurs and there is a data breach the individual and the organisation are exposed to penalties. This is a useful point to make when motivating for changes and investment to improve privacy protection. However, mismanagement of a breach can be substantially more detrimental than the initial breach itself.
The response plan should include the following steps:
Staff must be in a position where they understand their roles and actions expected when responding to a data breach. Educating them is a leadership opportunity for HIMs.
OAIC PAW is an opportunity to raise awareness of the importance of privacy. Reinvigorate the messaging by leveraging IT to send broadcast emails on the use of screensavers and passwords. Move the awareness posters around and schedule education and awareness sessions for inductions and refreshers for existing staff.
Share this article – IT IS NOT PRIVATE!
Office of the Australian Information Commissioner. 2021
Office of the Australian Information Commissioner. Part 2: Preparing a data breach response plan. 2019
Office of the Australian Information Commissioner. Part 3: Responding to data breaches – four key steps. 2019