Source: New Zealand Privacy Commissioner – Blog
Identifying, reporting, and reviewing privacy breaches, and acting when individual or systemic issues are identified, is vital to ensuring that a strong privacy culture exists.
Breaches are not just external
A common misconception is that a privacy breach only occurs when personal information is inadvertently shared to, or inappropriately accessed by, someone external to the agency. That’s not the case.
- Accidently sending personal information to the wrong clinician or sending someone’s pay slip to a fellow staff member is a privacy breach.
- Browsing patient records or looking up the records for friends or family members is a privacy breach.
- Health records that are lost or accidently destroyed are also privacy breaches.
Access to personal information should be restricted to only those need to see the information. This protects the person whose information you hold in trust, your staff, and your organisation. Trust is hard won and easily lost.
Not just sensitive information
Another common misconception is that it’s only ‘sensitive’ information that matters. That’s not the case. All personal information, whether it’s of a sensitive nature or not, requires legal protection. For example, it is a privacy breach regardless of whether test results sent to the wrong address are a simple and unremarkable blood count or whether they disclose the existence of an STI or underlying medical condition.
Not just ‘notifiable’
While the above examples may not all be at the level where they need to be reported to the Office of the Privacy Commissioner, they do all need to be reported to your privacy officer and recorded and reviewed as a privacy breach.
Just like ‘near misses’ in the Health and Safety at Work regime, they all tell you something about your privacy systems, and the changes needed to ensure the information you are entrusted with is appropriately protected.
Email hygiene
Poor email hygiene is a common cause of privacy breaches.
One example involved an email containing detailed health information about a group of patients, which was intended to be sent internally to the staff of a medical provider. A typing error in the ‘TO’ field resulted in a member of the public receiving these patients’ medical records. Having their sensitive personal information exposed in this way caused considerable emotional harm to a number of these patients.
Respect the people whose information you’re sending by double-checking who you’re sending it to. Go a step further and use a delayed send option on your email to avoid any hasty mistakes. Always use the BCC field when emailing groups of recipients. If you’re emailing sensitive material, encrypt the material. If you do this, the password (phrase or code) should be sent by some method other than email so that the wrong person doesn’t receive both.
Confirm contact details
Ensure you confirm patient contact details before sending out their personal information. Check that the address or email is still current. If you’re enrolling a new patient or emailing a patient for the first time, send out an email just to confirm the correct address.
Explaining your processes to your patients is good practice and demonstrates that you’re trustworthy. It helps ensure information is accurate and reduces the risk of a data breach.
One case notified to our Office was about a patient who told their GP about being abused in the past. The GP referred the patient to counselling to help work through the issues stemming from that abuse.
The GP’s office followed up this referral by sending a letter to the patient’s house. Due to error in the office’s internal processes the envelope containing the letter did not have the patient’s name on it, or a return address. It also had the incorrect street number, meaning that it was sent to a neighbour’s house instead of the patient’s house.
Not knowing who the letter was addressed to or who it was from, the neighbour opened the letter, inadvertently finding out about the patient’s abuse history.
Inadvertent disclosures
Our Office receives numerous notifications of healthcare staff either accidentally dropping patient documents or leaving the information in public view. Being busy caring for patients isn’t an excuse and making changes to your systems and practices now can make a big difference.
- Where is patient information recorded or displayed in your organisation? Think whiteboards, run sheets, patient lists, computer screens, medical records. Can these be seen or accessed by others? If you have paper run sheets, are these collected and destroyed at the end of the shift?
- Do you use portable storage devices such as USBs? Should you? If you do, are they encrypted?
- If you are transporting paper records, how do you make sure they are secure? Can they be seen in transit?
Reviewed May 2025
