Privacy Act changes present another significant hurdle for aged care
Last updated on 3 September 2024
While the aged care sector has its focus firmly on the introduction of the Aged Care Act to Parliament, another important piece of legislation is coming that will have a major impact on providers: updates to the Privacy Act.
Among the most important expected changes are new rules around data retention periods, the removal of the small business exemption and increased financial penalties for those who do not comply.
“It’s important aged care organisations are prepared as best they can be. Records are usually the area of lax in many organisations, not just aged care,” Anne Cornish, CEO of the Records and Information Management Practitioners Alliance (RIMPA), told hello leaders.
“Providers need to be ready for this new Privacy Act and the penalties that are going to be in place, which we’re being warned are going to be horrific. I believe Australia’s going to become one of the most regulated and penalised countries in the world in the way of privacy and sensitive information.”
While the exact outcome of Australia’s strengthened privacy laws is still unknown, we do know that it’s based on the Privacy Act Review Report. A total of 116 proposals were made in the Report and the Government agreed to 38, agreed in principle to an additional 68 and noted ten other proposals.
Overall, the changes bring Australia’s Privacy Act in line with global benchmarks, an important step forward. Ms Cornish said it had to happen, and now the onus is on businesses to play their part.
“Organisations are only going to have 12 months to get themselves organised and that’s not a long time if you want to do this properly. Get the tools, understand your retention policies and get rid of inactive records as soon as you can because you’re just putting yourself at risk,” she said.
“Besides all the cyber attacks and legislation, it’s your reputation at stake which is important. If aged care is renowned for being hacked and private information is at risk, people will become very cautious. Rumours and gossip about a particular sector can be quite destructive.”
One of the most important changes coming for providers is a new data retention policy. Organisations will have to establish minimum and maximum retention periods, specify those periods in their privacy policies and review them accordingly.
This of course follows on from the serious cyber attacks that saw Optus and Medibank customer data leaked, including data of former customers. Ms Cornish said that the less data you keep, the less risk there is when a cyber attack takes place.
“Don’t keep private information if you don’t need it. Organisations should have a program in place to allow that to happen. It’s about the processes, the methodology, the rigour and the overall governance of your records and your information to ensure that you minimise that risk,” she said.
“The data minimisation aspect is important because digital storage is cheap, so people think they might as well keep everything. That’s proven to be everybody’s demise, including Medibank and Optus.”
The nature of private information stored by aged care providers is another reason to assess what you do and do not need to collect or keep. Although certain information is required to be collected and stored for regulatory purposes, Ms Cornish warned that it becomes risky when residents or clients pass away and their data is unnecessarily retained.
Worse, it could be the private information of a family member, including their contact details, date of birth or bank account details used for payments.
“There are various maximum and minimum retention periods you can put in place. The minimum retention period is what we care about. You want to get rid of data after the minimum unless there’s a valid business reason to keep it. For example, if my father were to pass away and there was an issue or investigation into his passing you may need to keep my records and his records longer than first anticipated,” Ms Cornish added.
Stepping up with clear processes
Ms Cornish believes that it’s ‘when’, not ‘if’, a cyber attack will occur. With a recent history of significant data breaches, data security processes must be clearly outlined in policies.
If a data breach does occur, showing that all reasonable steps were taken to protect the data can help you avoid a potential penalty of up to $50 million.
“No one’s ever going to get it 100% right but when I’ve been involved in investigations with royal commissions on this, in records management, as long as you can see that the organisation has attempted to and has the governance in place the organisation won’t become entirely liable. They’ve done the right thing,” Ms Cornish said.
Meanwhile, the Government will also remove the small business exemption that allowed businesses with an annual turnover of $3 million or less to operate outside of the Privacy Act. Health service organisations have never been eligible for this exemption due to the data they collect.
However, the removal of the exemption is still a notable warning for smaller businesses that might not have taken their data privacy seriously. One example used by Ms Cornish is a home care provider: paperwork could be left in a car during the day while a staff member visits another client, but what happens if the car is stolen?
“It’s not just about digital hacking,” she warned.
Ms Cornish said it’s essential that all staff are educated in data management policies and processes so they understand what role they play. She also urged organisations to update their privacy policies as soon as possible and to adopt software that can safely manage and destroy data.