• If you keep information on a phone, laptop, tablet or iPad, be careful about taking it out of the clinic. People regularly leave these devices behind on trains, in cafés and in taxis. Know where your device is at all times, and always keep a backup of your files elsewhere. Make sure your files are password-protected, so that if you lose the device they are stored on, no one else can access them. A password only protects the files if the device or the files themselves are also encrypted, so turn on the device’s built-in encryption where it is available.
• Move inactive files into secure storage. This way you can comply with legal record-keeping requirements without cluttering up your current files. Store them somewhere safe and dry, not at the back of a damp garage. You may need to review them later, so look after them.
• Regularly review your files and destroy old ones. Do not keep anything that should have been destroyed.
The same rules apply generally to your employment, tax, superannuation and company records. While they may not be as sensitive as your client files, they do contain very important information such as tax file numbers, ABNs, dates of birth, bank details and forms of ID. Records need only be kept for 5 years for taxation purposes. Again, regularly review and destroy old records. You don’t need to keep the tax file number of someone who worked for you 10 years ago.
So, what happens if you think your data has been breached?
Since 23 February 2018, the Notifiable Data Breaches scheme has required notification of ‘eligible data breaches’. A data breach can take any of three forms:
• unauthorised access, such as by an employee of the business who shouldn’t be accessing the files, or by a hacker;
• unauthorised disclosure, such as accidentally publishing the names of clients on a website; or
• loss, such as leaving your iPhone containing client files in a café.
An eligible data breach is one where a ‘reasonable person would conclude that [the breach] would be likely to result in serious harm to any of the [affected individuals]’. ‘Serious harm’ could include physical, psychological, emotional, economic, financial and reputational harm. An affected individual is someone who has been identified or can reasonably be identified.
At this stage you must decide whether an eligible data breach has occurred, that is, whether it is one you need to report. Would a reasonable person conclude that the breach is likely to result in serious harm to the identified person? In assessing the harm, an organisation needs to consider the nature and sensitivity of the personal information, whether the information is protected by security measures (e.g., encryption), who has obtained or
JATMS | Summer 2022 | 219