Source: Office of the Privacy Commissioner
Privacy Commissioner Michael Webster says it’s always better to notify his office about a privacy breach than to ignore it.
His message comes as he names Ultimate Care Group Limited as consistently ignoring their notification requirements, after it was found that they’d lost part of a patient’s medical records.
Mr Webster said, “My recommendation is for agencies to notify us and do it early, even if they’re not 100 percent sure a privacy breach has occurred, or don’t yet have all the details.
“It’s always better to talk to us than ignore the problem.”
The decision to name Ultimate Care Group was made so they could become an example for others.
Ultimate Care had several instances where they should have made an earlier notification. They were also advised by the Capital and Coast District Health Board to report a privacy breach, but in the end, it took two years for them to formally notify OPC.
“It is disappointing they did not identify the breach to be notifiable as required under the Privacy Act.
“Ultimate Care is a large provider serving a vulnerable group in our population and holds a significant volume of sensitive information about the individuals in its care. A key element of providing care to these individuals is looking after their personal information, and health information in particular,” said Mr Webster.
Mr Webster says that, following engagement with OPC, Ultimate Care has taken actions to strengthen privacy policies, increase privacy awareness, and improve document management practices.
“While these changes are good and have resulted in an improvement in privacy capability in Ultimate Care, I consider the impact of the loss of the clinical file on the resident and the wider systemic issues of poor information management practices at Ultimate Care at that time to be significant,” said Mr Webster.