A review by the Australian Information Commissioner found that:
- Only 20% of Clinics documented how they collected and stored patient information.
These gaps, amongst others, potentially leave GPs exposed if there is ever a breach of patient confidentiality. Protecting personal and corporate data is now an absolute must for all General Practice Clinics.
During its drafting and implementation, you should consider:
- current and future employers/employees; and
- your present and future patients.
Here are our top tips:
- Think about your Practice and make sure the Policy reflects your specific operations.
- Consult and discuss its content and delivery (and how employees and patients will access it).
- Make sure it is readable and understood by using simple language and an easy-to-read font (try to avoid legal jargon and terms).
- Focus on the essentials.
TIP: So people aren’t put off by the length of the document, consider initially providing a summary version of your Policy which highlights the key points, with a link to the full Policy.
2. Provide employees with adequate Training
Allocating one key person to be accountable for the Policy’s implementation and adherence will create less confusion, especially when questions and issues arise. Depending on the size of your Practice, this may be a dedicated role or part of an existing employee’s overall job responsibilities.
It’s important to ensure that everyone in your Practice knows who is responsible for privacy, including the role they themselves play.
3. Consider Special Circumstances that may arise
- Such as when new responsibilities are taken on;
- New information is captured and stored; or
- Handling practices differ from the usual.
An example would be working with an overseas partner; in this case, don’t forget to also ensure that the overseas recipient will comply with the Australian Privacy Principles.
4. Prepare for any potential Data Breaches
Finally, when you implement your Policy, do so together with a Data Breach Response Plan. A new Notifiable Data Breaches scheme comes into effect on 22 February 2018. It will apply to any organisation that must comply with the current Privacy Principles.
A ‘Notifiable Data Breach’ is a breach that is ‘likely to result in serious harm’ to the person to whom the data relates. If an organisation believes that there has been a data breach (of any size), it must, in the first instance, undertake and complete an assessment within 30 days of identifying the (possible) breach.
To get started, please complete our online questionnaire.