Privacy Policy & Collection Notice
Table of Contents - Privacy Policy, Collection Notice and Appendix I
Privacy Policy
1. Scope of MindSkiller® Privacy Policy
2. When you can interact anonymously or use a pseudonym
3. The types of personal information collected
4. How We use personal information
5. Consent to collect and use personal information
6. Consent for direct marketing
7. How We obtain your consent for direct marketing
8. Collection and use of your personal information
9. Disclosure
10. Quality of personal information
11. Storage and security of information
12. Access
13. Complaints
Collection Notice
1. Who is collecting your personal information?
2. How your personal information is collected
3. Purposes for which your personal information is collected
4. What might happen if We don’t collect your personal information
5. Collection of personal information from third parties
6. Disclosing your personal information
7. Disclosing Overseas
8. How do We protect your information
9. Access to and correction of your personal information
10. Privacy complaints
Appendix I - MindSkiller® Notifiable Data Breach (NDB) Scheme Policy
1. Glossary
2. Guidance for completing the MindSkiller® Suspected Eligible Data Breach Assessment Form - Manager
3. Circumstances where Dr Egg may need to assume control of the processes of Containment, Immediate Remedial Action, Assessment and Notification
6. Prelude to Notification - Containment, Immediate Remedial Action and Assessment
7. Notification Requirements for an Eligible Data Breach
10. Ongoing Preventative Measures
Privacy Policy
1. Scope of MindSkiller® Privacy Policy
The Privacy Act 1988 (Cth) (Privacy Act) which includes the privacy rules in the Australian Privacy Principles (APPs) applies to Dr Egg Pty Ltd ACN 616 322 288 trading as MindSkiller® (We, Our, Us, Dr Egg).
The MindSkiller® online platform provides access to educational services in relation to mental health literacy, and other goods and services that relate to mental health and mental wellbeing (Platform) including (but not limited to):
- A video-conferencing feature that enables brief support for users of educational services
- A registry of digital and in-person mental health services that matches user preference
- Online therapeutic interventions for specific diagnoses, such as an online cognitive behaviour therapy 'exposure therapy’ module for users with obsessive compulsive disorder, which also enables users to utilise a co-designed virtual reality ‘exposure therapy’ intervention
- A person-centred shared care utility with tailored interactive forms to streamline clinical collaboration, such as forms that contain clinical care pathways for services, interventions and diagnoses, management plans, safety plans and outcome measures
- A risk management WH&S service to assist Australian organisations address workplace psychosocial hazards
- A Notifiable Data Breach Scheme care pathway service.
This Privacy Policy outlines how We use, share, protect and store personal information that We collect.
This Privacy Policy applies to Our handling of personal information* which is broadly defined in and has the same meaning as defined under section 6 of the Privacy Act.
*"Personal information" means "information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not".
This Privacy Policy also refers to sensitive information**, which is a form of personal information.
**"Sensitive information" includes information or an opinion about racial or ethnic origin, political opinions, philosophical or religious beliefs and affiliations, sexual orientation, health or genetic information, and criminal record.
2. When you can interact anonymously or use a pseudonym
We acknowledge Australian Privacy Principle 2 (APP 2), which provides individuals with the option of not identifying themselves, or of using a pseudonym.
Accordingly, We will allow you to interact anonymously or use a pseudonym, unless We are required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or if it is impracticable*** for Us to deal with individuals who have not identified themselves or who have used a pseudonym.
***"Impracticable" means "not practicable; that cannot be put into practice with the available means."
We acknowledge National Safety and Quality Digital Mental Health Standard section 1.26 (to minimise the risk of abuse and exploitation of users) and section 1.27 (to minimise the risk to young people).
Accordingly, We:
- Conduct identity and credentialing checks of help providers who wish to be listed on any of Our online educational support registries. Help providers who have been successfully verified will be identified as such including the date of verification within their listing on the online educational support registries. Those help providers who are yet to be verified or are in the process of being verified by Us will display an unverified status against their names
- Apply a ‘fair and reasonableness test’ with a view to protections for minors and individuals experiencing such vulnerabilities that have been identified.
Examples of situations where it is impracticable for Us to deal with individuals who do not wish to identify themselves (i.e. situations where you may not use a pseudonym), include but are not limited to:
- Help providers who have been subject to Our verification or credentialing processes, have subsequently been approved for verification by Us and consent to be listed on one of Our online educational support registries as a verified help-provider.
- Help providers who have consented to be listed on one of Our online educational support registries but are yet to be verified by Us and are licensed persons that are required to identify themselves in accordance with the rules of their professional regulatory obligations (e.g. medical practitioners and licensed teachers) to any persons with whom they are engaging in a professional interaction.
Examples of situations where you may need to identify yourself include but are not limited to:
- Help seekers who are lawfully using a pseudonym and subsequently wish to utilise a healthcare identifier (e.g. a Medicare number or a private health insurance policy number) in relation to a consultation with a medical practitioner or other help provider.
Examples of situations where anonymity and pseudonymity pursuant to APP 2 are permitted include but are not limited to:
- Help seekers who wish to utilise eLEARNING modules solely and exclusively for educational purposes
- Help providers who wish to utilise eLEARNING modules solely and exclusively for educational purposes
- Help providers who have NOT consented to be listed on one of Our online educational support registries
- Help providers who do not require Us to provide any confirmation of their progress (and therefore their true identity) to a continuing professional development provider for CPD purposes.
Under the Terms of Use, you agree to engage in communications with either verified help providers or help providers designated as unverified with whom you already have an existing professional or personal relationship.
3. The types of personal information collected
We collect personal information that is:
- Reasonably necessary for, or directly related to, activities undertaken on the Platform, when you provide it directly, both when you register and when you subsequently interact with the Platform.
Health information (sensitive information) may also be collected about you. The choice of how much information you provide is yours and depends on the purpose(s) for which you interact with the Platform.
Any information that you share will be protected in accordance with the Privacy Act 1988 (Cth) and the Health Records and Information Privacy Act 2002 (NSW).
4. How We use personal information
Use for a primary purpose and certain secondary purposes
We must only use your personal information:
- For the primary purpose for which it was collected, or
- For a secondary purpose to which you have consented, or
- For a purpose related to (or, in the case of sensitive information, directly related to) the primary purpose of collection, where you would reasonably expect the personal information to be used for that purpose.
5. Consent to collect and use personal information
When you register on the Platform, you consent to providing Us with personal information. We may also collect sensitive information including health information about you, such as your medical history.
Our Collection Notice can be found appended to this Privacy Policy.
6. Consent for direct marketing
We may use some personal information for direct marketing purposes, but only where the direct marketing communication:
- Is directly related to the primary purpose for which the information was collected, or
- Is for a secondary purpose to which the individual has consented, or
- Is for a purpose related to (or, in the case of sensitive information, directly related to) the primary purpose of collection, where you would reasonably expect the personal information to be used for that purpose, and
- Contains a statement that the individual may opt out of receiving that type of communication, and the relevant individual has not made such a request.
7. How We obtain your consent for direct marketing
When personal information is collected in accordance with the Collection Notice that forms part of this Privacy Policy, you are taken to have consented to the use of your personal information for direct marketing purposes unless you have specifically opted out.
Opting out of direct marketing
Email based direct marketing communications contain an ‘unsubscribe’ link that provides individuals with the opportunity to opt out of direct marketing communications. You may also email Us directly at support@mindskiller.com if you do not wish to receive direct marketing communications.
Individuals who have opted out of direct marketing may still receive administrative emails or phone calls related to the primary purpose as per Australian Privacy Principle 6 in the Privacy Act.
Removal of opt-outs
If you subsequently provide personal information for marketing-related purposes, having previously opted out of direct marketing communications, you have ‘opted in’ once again and may receive direct marketing communications.
8. Collection and use of your personal information
When is information collected
Information may be collected when you contact or interact with the Platform including but not limited to when you:
- Register an account
- Utilise eLEARNING modules
- Utilise any other software on the Platform
- Utilise the CONNECT and PLUS services
- Engage Us on the telephone or by text message
- Engage Us in person or in writing by post
- Engage Us on social media platforms including Twitter, Instagram or Facebook. Note that social media platforms handle your personal information for their own purposes; you can access their privacy policies on their websites.
We may also collect personal information:
- From a third party such as a medical practitioner, but only if you have consented to such collection or it would reasonably be expected for Us to collect your personal information in this way under the Australian Privacy Principles
- By means of artificial intelligence (AI) technologies and/or applications being utilised by the Platform.
The information collected includes:
- Personal contact information such as name, address, telephone, email address and IP address
- Educational subject matter that is of interest to you including educational modules you have clicked on and/or viewed, and notes and other information that you have saved while on the Platform
- When you purchase goods and services from the MindSkiller® shop, We collect information on what you purchased including credit card details
- When you donate, We collect your contact information, bank details including credit card information if applicable and the amount you donated
- When you apply to volunteer We collect personal information necessary to enable the assessment of your application with a view to being verified and identified. Depending on the role this may include your employment or volunteering history, education, criminal history and/or a Working with Children Check. Volunteers for positions on the Board that regulates and oversees Dr Egg’s By-Laws may also have to declare such relevant information to assess any potential, actual or perceived conflict of interest
- When you apply for a job with Dr Egg, personal information collected is necessary to enable an assessment of your application for employment including but not limited to: curriculum vitae, representations that address the selection criteria including written tasks undertaken by you during the selection process, information provided by referees, information provided by you with a view to managing potential, actual or perceived conflicts of interest, proof of Australian citizenship or residency, copies of academic qualifications
- We collect personal information necessary to manage employees and contractors in the normal course of business including tax file numbers, employment contracts, proof of citizenship or residency, records relating to an employee's salary, superannuation contributions, other benefits and leave, health related information supplied by employees and contractors or their medical practitioners, information relating to an employee’s or contractor’s training, and information relevant to managing potential, actual or perceived conflicts of interest.
Individuals aged under eighteen (18) years
We may collect information on individuals aged under eighteen (18) that use the Platform.
We are cognisant of National Safety and Quality Digital Mental Health Standard, section 1.27 (to minimise the risk to young people).
We will not profile children, engage in automated decision-making concerning children, or otherwise use their personal data, for advertising/marketing purposes, unless We can clearly demonstrate how and why it is in the best interests of children to do so.
Individuals experiencing identifiable vulnerabilities
We may collect information on individuals that use the Platform whereby those individuals are experiencing such vulnerabilities that can be identified.
We are cognisant of National Safety and Quality Digital Mental Health Standard, section 1.26 (to minimise the risk of abuse and exploitation of Our users).
We will not profile individuals that are experiencing identifiable vulnerabilities, engage in automated decision-making concerning such individuals, or otherwise use their personal data, for advertising/marketing purposes, unless We can clearly demonstrate how and why it is in their best interests to do so.
Analytics
We may use Google Analytics or other tools developed internally to collect data about your interaction with the website. The purposes of collecting your data in this way include improving your experience when using the website and analysing public and consumer interest in goods, services and related subject matter.
Cookies
Most browsers allow you to choose whether to accept cookies or not. If you do not wish to have cookies placed on your computer, please set your browser preferences to reject all cookies before accessing the Platform.
9. Disclosure
General Disclosure Practices
We do not disclose personal information to another person or organisation unless at least one of the following applies:
- You have consented (whether expressed or implied) to the disclosure of your personal information
- You would reasonably expect that the information is of a kind that is usually or reasonably passed to those persons, bodies or agencies, or the disclosure:
  - In the case of sensitive information, directly relates to the primary purpose for which it was collected
  - Is a Permitted General Situation pursuant to section 16A of the Privacy Act
  - Is a Permitted Health Situation pursuant to section 16B of the Privacy Act.
We use contracted service providers such as information technology based service providers that have access to personal information. The service providers are required to only use or disclose information for the purposes of their contract.
Disclosure of personal information overseas
Our Platform is hosted on secure servers in Australia.
We will take reasonable precautions to not disclose your personal information to an overseas entity without your consent.
When information is collected by means of artificial intelligence (AI) technologies and/or applications being utilised by the Platform, the AI technology and/or application may be based outside Australia.
We take all reasonable precautions to ensure that:
- Third parties outside Australia do not breach the APPs
- A zero data retention policy is applied unless the AI technology and/or application is triggered by specific key words or phrases indicating potential unlawful activity, self-harm or the harming of others. In such circumstances relevant data may be retained for 30 days.
Web traffic information may be disclosed to Google Analytics when you visit Our websites. Google may store this information across multiple countries.
When you communicate through a social network service such as Facebook, Instagram or Twitter, the social network provider and its partners may collect and hold your personal information overseas.
10. Quality of personal information
We endeavour to ensure that the personal information We collect is accurate and up to date by:
- Recording information in a consistent format
- Updating personal information in a timely manner
- Reviewing the accuracy of information collected from a third party.
11. Storage and security of information
We protect personal information against unauthorised access, modification and/or disclosure and loss by:
- Restricting access to IT systems and records, including recordings and transcripts
- Utilising password protection for accessing electronic IT systems
- Undertaking background checks on personnel who require access to IT systems and records.
When no longer required, personal information is destroyed or deleted in a secure manner.
12. Access
Pursuant to Australian Privacy Principles 12 and 13, you have the right to ask for and receive access to personal information held about you and to ask for corrections to that personal information.
We will endeavour to respond within 30 days if you ask for access or correction of your personal information.
The person seeking access must be:
- The person to whom the information relates, or
- A person whose access is otherwise supported by Australian law.
In some cases, additional proof of identity information may be required.
If an access request relates to an individual who is deceased, the personal information will be released to the requester, in accordance with the Privacy Act, unless the information contains the personal information or sensitive information, including health information, of another living person who is reasonably identifiable from the information available.
If access to, or correction of, your personal information is denied, you will be notified in writing setting out the reasons.
13. Complaints
In some cases, additional proof of identity information may be required.
You can lodge a written request or complaint with the Privacy Officer at the following addresses:
MindSkiller Support
32 Adelaide Street
Woollahra NSW 2025
support@mindskiller.com
We welcome the opportunity to attempt to resolve any legitimate concerns with Us, but you are entitled to lodge a complaint to the Office of the Australian Information Commissioner at www.oaic.gov.au/privacy/privacy-complaints/
Collection Notice
1. Who is collecting your personal information?
Dr Egg Pty Ltd (ACN 616 322 288) trading as MindSkiller® (We, Our, Us, Dr Egg) complies with all relevant Australian privacy legislation including the Privacy Act 1988 (Cth) and the Health Records and Information Privacy Act 2002 (NSW).
We protect the privacy of the personal information, including sensitive information, which We collect and hold.
2. How your personal information is collected
Information may be collected when you contact or interact with Us including but not limited to when you:
- Register an account
- Utilise eLEARNING modules
- Utilise any other software on the Platform
- Utilise the CONNECT and PLUS services
- Engage Us on the telephone or by text message
- Engage Us in person or in writing by post
- Engage Us on social media platforms including Twitter, Instagram or Facebook. Note that social media platforms handle your personal information for their own purposes; you can access their privacy policies on their websites.
We may also collect personal information:
- From a third party such as a medical practitioner, but only if you have consented to such collection or it would reasonably be expected for Us to collect your personal information in this way under the Australian Privacy Principles
- By means of artificial intelligence (AI) technologies and/or applications being utilised by the Platform.
3. Purposes for which your personal information is collected
We may collect your personal information for any of the following purposes, including to:
- Contact you
- Provide you with educational and mental health literacy services
- Provide you with any other related goods and services, including those offered by Our strategic partners and related bodies
- Advise your help providers about your progress through MindSkiller® educational modules and supporting services
- If you are a help provider, conduct verification and credentialing checks about you, including but not limited to your professional and academic qualifications, background checks and insurance requirements
- Manage and administer Our commercial relationship with you
- Provide you with administrative information and/or marketing materials
- Assess, analyse, research and improve Our services including those offered by Our strategic partners and related bodies, and including goods and services provided through Our Platform
- Bill you and carry out general administration
- Implement security measures
- Comply with any relevant laws
- Communicate with third parties such as Medicare Australia, other government bodies and private health insurers.
Please note that social media platforms collect your personal information for their own purposes, in accordance with their terms of use and privacy policies, which can be found on their websites.
4. What might happen if We don’t collect your personal information
If We don’t collect your personal information, We may not be able to permit you to register or subscribe.
5. Collection of personal information from third parties
We may collect your personal information from the following third parties:
- Government entities
- Health insurance providers
- An individual or entity who may be providing services to you as Our client or contractor or a third party otherwise assisting Us in supplying you with goods or services
- A third party to assist Us in locating or communicating with you.
6. Disclosing your personal information
General Disclosure Practices
We do not disclose personal information to another person or organisation unless at least one of the following applies:
- You have consented (whether expressed or implied) to the disclosure of your personal information
- You would reasonably expect that the information is of a kind that is usually or reasonably passed to those persons, bodies or agencies, and the disclosure:
  - In the case of personal information (which is not sensitive information), relates to the primary purpose for which it was collected
  - In the case of sensitive information, directly relates to the primary purpose for which it was collected
  - Is a Permitted General Situation pursuant to section 16A of the Privacy Act
  - Is a Permitted Health Situation pursuant to section 16B of the Privacy Act.
Personal Information
If you are a Help Seeker, We may provide your personal information to:
- Third parties involved in your medical care, such as clinicians
- Third parties who perform services on Our behalf, including software development and information technology service providers
- Any of the related bodies and other entities on the Platform.
If you are a Help Provider, We may provide your personal information to:
- Any of the related bodies and other entities included in the Platform.
7. Disclosing Overseas
Our Platform is hosted on secure servers in Australia.
We will take reasonable precautions to not disclose your personal information to an overseas entity without your consent.
When information is collected by means of artificial intelligence (AI) technologies and/or applications being utilised by the Platform, the AI technology and/or application may be based outside Australia.
We take all reasonable precautions to ensure that:
- Third parties outside Australia do not breach the APPs
- A zero data retention policy is applied unless the AI technology and/or application is triggered by specific key words or phrases indicating potential unlawful activity, self-harm or the harming of others. In such circumstances relevant data may be retained for 30 days.
Web traffic information may be disclosed to Google Analytics when you visit Our websites. Google stores this information across multiple countries.
When you communicate through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.
8. How do We protect your information
We utilise both cybersecurity and physical security measures to ensure that your data is stored and managed appropriately.
9. Access to and correction of your personal information
You have the right to ask for and receive access to personal information held about you and to ask for corrections to that personal information.
We will endeavour to respond within 30 days if you ask for access or correction of your personal information pursuant to the Privacy Act.
10. Privacy complaints
You can lodge a written request or complaint with the Privacy Officer at the following addresses:
MindSkiller® Support
32 Adelaide Street
Woollahra NSW 2025
support@mindskiller.com
We encourage you to attempt to resolve your concerns with Us first, however you can also lodge a complaint to the Office of the Australian Information Commissioner at http://www.oaic.gov.au/privacy/privacy-complaints/
Appendix I - MindSkiller® Notifiable Data Breach (NDB) Scheme Policy
Table of Contents
1. Glossary
2. Guidance for completing the MindSkiller® Suspected Eligible Data Breach Assessment Form - Manager
3. Circumstances where Dr Egg may need to assume control of the processes of Containment, Immediate Remedial Action, Assessment and Notification
6. Prelude to Notification - Containment, Immediate Remedial Action and Assessment
7. Notification Requirements for an Eligible Data Breach
10. Ongoing Preventative Measures
1 Glossary
Assessment
A process to determine whether a Data Breach is an Eligible Data Breach.
See:
3.1 Containment, Immediate Remedial Action and Assessment
3.2 Eligible Data Breach - The Reasonable Person Test
3.3 Suspicion vs Belief
3.4 Assessment
3.5 Containment and Immediate Remedial Action
5 Serious Harm
Care Pathway
Care Pathways are interactive forms that are designed to personalise an Individual Nominated User’s journey. There are three distinct functionally based categories: Service, Diagnostic and Interventional Care Pathways.
See:
Appendix II MindSkiller® Virtual Marketplace
Data Breach
Eligible Data Breach
Suspected Eligible Data Breach
See:
4 What is a Data Breach?
Entity/Entities
APP (Australian Privacy Principle) Entities that provide a health service or otherwise hold health information, including MindSkiller®, MindSkiller® Virtual Marketplace, Retailers on the MindSkiller® Virtual Marketplace, and Help Providers on the MindSkiller® Platform.
Holding/Held/Holds
See:
4.4 Holding Personal Information
8.1 When is Information Jointly Held?
Likely/Likelihood
Means more probable than not, rather than merely possible.
See:
5.4 Likelihood of Serious Harm - Probable vs Possible
Most Direct Relationship
See:
5.6.2 Entity with the Most Direct Relationship
5.6.3 Sufficiently Proximate vs Most Direct Relationship
5.6.4 Shared Responsibilities - The Need to Collaborate
NDB Scheme
Notifiable Data Breach Scheme
Notification/Notify
See:
7 Notification Requirements for an Eligible Data Breach
OAIC
Office of the Australian Information Commissioner
Privacy Act
Privacy Act 1988 (Cth), which includes the Australian Privacy Principles (APPs)
Reasonable Grounds
See:
5.3 Likelihood of Serious Harm - The Reasonable Person Test
6.2 Eligible Data Breach - The Reasonable Person Test
Serious Harm
Serious Harm to an individual may include significant physical, psychological, emotional, financial or reputational harm.
See:
5 Serious Harm
Sufficiently Proximate
See:
5.6.1 Sufficiently Proximate - Knows or Ought to Know
5.6.3 Sufficiently Proximate vs Most Direct Relationship
5.6.4 Shared Responsibilities - The Need to Collaborate
2 Guidance for completing the MindSkiller® Suspected Eligible Data Breach Assessment Form - Manager
In the event of a Data Breach an Entity must:
- Take all reasonable steps to contain the breach
- Take immediate remedial action
- Concurrently carry out an Assessment process to determine whether that Data Breach is an Eligible Data Breach and therefore subject to Notification requirements.
The Assessment:
- Must commence immediately after the person responsible for your compliance, or someone else with appropriate seniority, becomes aware that a suspected Eligible Data Breach has occurred
- Requires a person or group of people to manage the process.
The person or Entity undertaking the Assessment must:
- Have the Most Direct Relationship with the affected individuals
- Adequately investigate the incident by gathering as much relevant information as possible about the suspected Eligible Data Breach
- Take all reasonable steps to ensure that the Assessment is expeditious and completed within 30 days, and document any reasons for a delay.
Suspicion vs Belief
Where there are Reasonable Grounds to suspect, but insufficient grounds to form a belief that there may have been an Eligible Data Breach (and therefore subject to Notification requirements), the Entity must act quickly to resolve that suspicion by carrying out an Assessment of whether Reasonable Grounds exist to form a belief that the relevant circumstances amount to an Eligible Data Breach.
The Assessment has two fundamental tests characterised by:
- A Seriousness Threshold: whether a Reasonable Person would conclude that there is a Likely risk of Serious Harm to any affected individual as a result of the unauthorised access, unauthorised disclosure or loss
- A Mitigation Threshold: whether containment and remediation has prevented the Likelihood of Serious Harm occurring for all individuals whose personal information is involved in the Data Breach.
A Data Breach is an Eligible Data Breach if:
- During the process of containment and remedial action there are Reasonable Grounds to believe that the Likely risk of Serious Harm cannot be mitigated through containment or remedial action, or
- During the process of Assessment there are Reasonable Grounds to believe that there is a Likely risk of Serious Harm to any affected individuals.
This applies even if you are not aware of any actual Serious Harm, and includes circumstances where Serious Harm does not ultimately eventuate.
Higher Standard for what may constitute the Likelihood of Serious Harm for individuals with vulnerabilities
Although the OAIC advises that the Assessment of whether a data breach is Likely to result in Serious Harm “is determined from the viewpoint of a Reasonable Person in the Entity’s position”, an Entity in the MindSkiller® Virtual Marketplace providing mental healthcare or supporting the provision of mental healthcare may be Sufficiently Proximate to affected individuals where it knows or ought to know that such individuals may be more vulnerable to either the knowledge or the consequences of a data breach. In such cases the Likelihood of Serious Harm is therefore probable rather than simply possible.
In such circumstances, and in the event the affected information is Jointly Held, an Entity that is Sufficiently Proximate to vulnerable individuals:
- Needs to collaborate with the Entity that is undertaking the Assessment
- May need to engage with the affected individual(s) with a view to providing support.
Vulnerable individuals also include people with physical injuries and those under 18 years of age.
When information is Jointly Held
When a Data Breach involves personal information Jointly Held by more than one Entity, only one of those Entities needs to undertake the Assessment and proceed with the Notification requirements in the event of an Eligible Data Breach.
The Entity with the Most Direct Relationship with an individual is the closest and best informed and therefore must undertake the Assessment, as it is best placed to help affected individuals understand the Notification and how an Eligible Data Breach might affect them.
However, it is still the responsibility of each Entity to ensure that they can demonstrate that they are meeting their obligations under the Privacy Act. One way to achieve this is to collaborate with the other Entities to:
- Establish who has the Most Direct Relationship with affected individuals
- Share information relevant to the Assessment.
3 Circumstances where Dr Egg may need to assume control of the processes of Containment, Immediate Remedial Action, Assessment and Notification
In the interests of expeditiousness and depending on the circumstances of the data breach, Dr Egg reserves the right, without prior notice, to exercise its own judgement and take the lead role in undertaking containment, immediate remedial action, Assessment and Notification on a network-wide level where there are large numbers of:
- Entities jointly Holding compromised information
- Individuals at risk of Serious Harm.
Entities are responsible for their own compliance with the Privacy Act
Notwithstanding MindSkiller® exercising that right, Entities jointly Holding compromised information are still responsible for and need to be able to demonstrate their own compliance with the Privacy Act.
Therefore, these Entities need to collaborate with each other and with MindSkiller® as per the guidance provided by MindSkiller Notifiable Data Breach Scheme Policy (See: 5.6 Obligation to respond to the risk of Serious Harm - including circumstances where affected information is Jointly Held by Entities of the MindSkiller® Virtual Marketplace., 5.6.4 Shared Responsibilities - The Need to Collaborate).
4 What is Data Breach?
4.1 Data Breach
A Data Breach occurs when personal information Held by an Entity is subject to:
- unauthorised access
- unauthorised disclosure
- loss.
4.2 Eligible Data Breach
A Data Breach is an Eligible Data Breach when:
- There is unauthorised access to, unauthorised disclosure of, or loss of personal information Held by an Entity
- A Reasonable Person would conclude that the unauthorised access, unauthorised disclosure or loss would be Likely to result in Serious Harm to any of the individuals to whom the information relates
- The Entity has not been able to prevent the Likely risk of Serious Harm with remedial action.
4.3 Suspected Eligible Data Breach
Not every unauthorised access, disclosure or loss of personal information will constitute an Eligible Data Breach and be subject to Notification requirements.
There is a seriousness threshold, specifically, the Likelihood of Serious Harm to any of the affected individuals. The ability of the Entity to mitigate that Serious Harm is also a consideration (See: 6 Prelude to Notification - Containment, Immediate Remedial Action and Assessment).
Consequently, when an Entity suspects that there may have been an Eligible Data Breach, it needs to move quickly to resolve that suspicion (See: 6.3 Suspicion vs Belief).
4.4 Holding Personal Information
An Entity ‘Holds’ personal information when:
- It physically possesses a record containing the personal information and can access that information, whether physically or by using an electronic device
- It has the right or power to deal with the personal information, even if it does not physically possess or own the medium on which the personal information is stored.
Therefore ‘Holding’ extends beyond mere physical possession to include the ability to view or read personal information (See: 8.1 When is information Jointly Held?).
4.5 Unauthorised Access
Unauthorised access of personal information occurs when personal information that an Entity Holds is accessed by someone who is not permitted to have access.
Examples of unauthorised access include:
- An employee of an Entity accessing sensitive customer records of an acquaintance without any legitimate purpose
- A computer network being compromised by an external attacker resulting in personal information being accessed without authority
- An unrelated party accesses the device of a Help Provider and sights personal information of a Help Seeker.
4.5.1 Unauthorised Access - Protection of login details
Entities have an obligation under the Privacy Act, MindSkiller® Terms of Use and MindSkiller® Notifiable Data Breach Scheme Policy to protect their login details against unauthorised access (See: Terms of Use 11, Appendix III - Retailers Agreement).
Examples of unauthorised access to login details include but are not limited to:
- Any individual or organisation accessing login details that protect personal and/or sensitive information whose handling is subject to consent, where that individual or organisation has not expressly received that consent
- Any individual or organisation accessing login details where that individual or organisation does not have actual authority, legal authority, lawful authority or power of attorney to do so.
4.6 Unauthorised Disclosure
Unauthorised disclosure occurs when an Entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside that Entity and releases that information from its effective control in a way that is not permitted by the Privacy Act.
Examples of unauthorised disclosure include:
- Personal information mistakenly given or emailed to the wrong person
- An employee of an Entity accidentally publishes a confidential data file containing the personal information of one or more individuals on the internet
- A Help Provider allows an unrelated party to sight personal information of a Help Seeker on their device.
4.7 Loss
Loss refers to the accidental or inadvertent loss of personal information Held by an Entity, in circumstances where it is Likely to result in unauthorised access or unauthorised disclosure.
Examples of loss include:
- An employee of an Entity accidentally leaves personal information (including hard copy documents, unsecured computer equipment or portable storage devices containing personal information) on public transport or in a cafe
- Theft of devices such as laptops or mobile phones that contain personal information.
4.7.1 Loss when Unauthorised Access or Unauthorised Disclosure is not Likely
If personal information is lost in circumstances where any subsequent unauthorised access to or unauthorised disclosure of the information is not Likely, there is no Eligible Data Breach.
Examples of loss that would not be an Eligible Data Breach include:
- When the personal information is remotely deleted before an unauthorised person could access the information
- When the information is encrypted to a sufficiently high standard making unauthorised access or unauthorised disclosure unlikely
- Where it can be conclusively determined that a lost device had not been accessed.
5 Serious Harm
5.1 Specific types of Serious Harm
Serious Harm to an individual may include significant physical, psychological, emotional, financial or reputational harm.
5.2 Consequences that result in Serious Harm
Following a data breach, Entities should anticipate a broad range of potential consequences that may result in Serious Harm for individuals. Examples include:
- Identity theft
- Significant financial loss by the individual
- Threats to an individual’s physical safety
- Loss of business or employment opportunities
- Humiliation
- Damage to reputation and/or relationships
- Workplace or social bullying
- Marginalisation.
5.3 Likelihood of Serious Harm - The Reasonable Person Test
Whether a Data Breach is Likely to result in Serious Harm is determined objectively, from the viewpoint of a Reasonable Person in the Entity’s position rather than the position of an individual whose personal information was part of the Data Breach or any other person.
A Reasonable Person:
- Is properly informed
- Utilises information immediately available or following reasonable inquiries
- Undertakes an Assessment of the Data Breach.
What is reasonable can be influenced by relevant standards and practices.
5.4 Likelihood of Serious Harm - Probable vs Possible
“Likely" means the risk of Serious Harm to any individual is more probable than not (rather than just simply possible).
5.5 Factors to consider when assessing the Likelihood of Serious Harm
When assessing the Likelihood of Serious Harm, section 26WG of the Privacy Act requires consideration of:
- The kind of information in question
- The sensitivity of the information
- Whether the information is protected by one or more security measures (and the Likelihood that any of those security measures could be overcome)
- The persons or kind of persons who have obtained or who could obtain the information
- Whether a security measure was used to make the information unintelligible or meaningless to those who are not authorised to obtain the information (and whether that technology can be circumvented)
- The nature of the harm
- Any other relevant matters.
Given that some of the matters referred to above involve overlapping considerations, the OAIC recommends that when deciding whether or not there is a Likelihood of Serious Harm, an Entity should prioritise three primary matters:
- The type(s) of personal information involved in the Data Breach
- The circumstances of the Data Breach
- Nature of the Serious Harm
5.5.1 The type(s) of personal information involved in the Data Breach
Some kinds of personal information are more likely to cause an individual Serious Harm if compromised, whereas fairly innocuous information, such as someone’s name alone or an email address out of context, may involve less risk.
Examples of the kinds of information that may increase the risk of Serious Harm if there is a Data Breach include:
- Sensitive information, such as information about an individual’s health
- Documents commonly used for identity fraud (including Medicare card, driver’s licence, and passport details)
- Financial information
- A combination of personal information (rather than a single piece of personal information).
5.5.2 The circumstances of the Data Breach
5.5.2.1 Whose personal information was involved in the Data Breach?
Certain categories of people may be at a greater risk of Serious Harm. A Data Breach involving the names and addresses of a group of individuals might not, in certain circumstances, be Likely to result in Serious Harm to a specific individual from that group if that information is already publicly available.
However, it would be regarded as a “relevant matter” pursuant to section 26WG of the Privacy Act if the compromised personal information relates to a group of individuals from a vulnerable segment of the community who are at greater risk of Serious Harm.
Examples of such vulnerable segments of the community include but are not limited to:
- Children under the age of 18 years
- Groups known to have physical and/or psychiatric disabilities.
5.5.2.2 Do the circumstances of the Data Breach affect the sensitivity of the personal information?
A Data Breach that publicly associates any individual’s personal information with a sensitive product or service could increase the Likelihood of Serious Harm.
Examples of such sensitive products or services include but are not limited to the names of, or representations implying:
- Mental health services
- Disability support services
- Discreet dating services
- Rehabilitation services
- Providers of pharmaceutical products.
5.5.2.3 How many individuals were involved?
If the Data Breach involves the personal information of a large number of individuals, the scale of the Data Breach may affect an Entity’s Assessment of Likely risks. Even if an Entity considers that each individual will only have a small chance of suffering Serious Harm, if the personal information of enough people is involved in the Data Breach, it becomes more Likely that some of those individuals will experience Serious Harm.
5.5.2.4 Is the personal information sufficiently encrypted, anonymised, de-identified or otherwise rendered inaccessible?
An Entity should assess whether the information has been rendered unreadable through the use of security measures designed to protect that stored information, so that in the event of a Data Breach it cannot be accessed or used. When assessing whether the security measures (e.g. encryption) that have been applied are adequate, the Entity should consider whether the methodology is an industry-recognised secure standard at the time of the Assessment, and have regard to whether the unauthorised recipients of the personal information would have the capability to circumvent any safeguards. An Entity should not assume data is secure simply because it is encrypted if the attacker possesses both the data and the key to decrypt that data, for example where the key is stored on the same lost device as the encrypted record.
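The following Python script is an added illustration of the key-custody point above; it is example code written for this page, not code from the MindSkiller® policy or Platform. It models two lost-device scenarios: one where the key file sits beside the encrypted record on the device (the finder has everything, so encryption changes nothing in the section 26WG Assessment), and one where only a salt is on the device and the key is derived from a passphrase the user holds, where recoverability turns on whether the finder can guess the passphrase. The cipher is a stand-in built from HMAC-SHA256 (counter-mode keystream plus encrypt-then-MAC) so the script runs with the standard library alone; a production system would use an AEAD such as AES-GCM. The record contents, passphrases and the finder's guess list are constructed sample data.

```python
"""Added example for 5.5.2.4 / 4.7.1: whether 'encrypted' data on a lost
device is still accessible depends on who holds the key, not on the word
'encrypted'. Standard library only; the record, passphrases and guess list
below are constructed sample data (assumptions, not MindSkiller data)."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256. Stand-in for a real AEAD
    # (use AES-GCM or ChaCha20-Poly1305 in production); the lesson here
    # is key custody, not the cipher.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Memory-hard KDF so each wrong guess costs the finder real work.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=KEY_LEN)


def lost_device_key_on_device(record: bytes) -> bool:
    """Scenario A: the key file sits next to the encrypted record on the
    lost device. Whoever has the device has both, so the encryption does
    not reduce the Likelihood of Serious Harm. Returns True if the finder
    recovers the record."""
    key = secrets.token_bytes(KEY_LEN)
    device = {"record.enc": encrypt(key, record), "key.bin": key}
    return decrypt(device["key.bin"], device["record.enc"]) == record


def lost_device_key_off_device(record: bytes, passphrase: str, guesses: list[str]) -> bool:
    """Scenario B: only a salt is stored on the device; the key is derived
    from a passphrase the user holds. Returns True if a finder with the
    constructed guess list recovers the record, i.e. the safeguard can be
    circumvented (a weak passphrase) and the loss still needs Assessment."""
    salt = secrets.token_bytes(NONCE_LEN)
    device = {"record.enc": encrypt(derive_key(passphrase, salt), record), "salt": salt}
    for guess in guesses:
        try:
            return decrypt(derive_key(guess, device["salt"]), device["record.enc"]) == record
        except ValueError:
            continue  # wrong key: the MAC check fails, try the next guess
    return False


FINDER_GUESSES = ["password", "123456", "letmein"]  # constructed dictionary

if __name__ == "__main__":
    note = b"Help Seeker: exposure module, session 3 notes"  # constructed record
    print("key on device, recoverable:", lost_device_key_on_device(note))
    print("weak passphrase, recoverable:", lost_device_key_off_device(note, "password", FINDER_GUESSES))
    print("strong passphrase, recoverable:", lost_device_key_off_device(note, "orbit-velvet-hazard-41", FINDER_GUESSES))
```

In the Assessment, scenario A is a loss where unauthorised access is Likely regardless of the encryption; scenario B is only "sufficiently encrypted" in the sense of 4.7.1 if the key cannot be obtained or guessed by the unauthorised recipient, which is why both the KDF strength and the passphrase quality belong in the record of the Assessment.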
5.5.2.5 What parties have gained or may gain unauthorised access to the personal information?
Examples of such situations include but are not limited to an:
- Unauthorised access by an attacker(s) targeting a particular individual or group of individuals for malicious purposes
- Unauthorised disclosure of an individual’s medical condition to an employer where that condition does not otherwise affect that individual's ability to perform their duties
- Unauthorised disclosure of an individual’s criminal record that may significantly increase the risk of Serious reputational Harm.
5.5.3 Nature of the Serious Harm
In assessing the risk of Serious Harm to any individual, Entities should consider:
- A broad range of potential kinds of harms
- Various scenarios of those harms
- The Likelihood of those different scenarios.
5.6 Obligation to respond to the risk of Serious Harm - including circumstances where affected information is Jointly Held by Entities of the MindSkiller® Virtual Marketplace
5.6.1 Sufficiently Proximate - Knows or Ought to Know
An Entity is Sufficiently Proximate to an affected individual if it knows or ought to know of a scenario where that individual is vulnerable and therefore at increased risk of Serious Harm. In particular, an Entity is Sufficiently Proximate to an affected individual if it knows that:
- The affected individual has a psychiatric condition that may be exacerbated by knowledge of the Data Breach
- The affected individual is vulnerable pursuant to one or more of the relevant factors outlined in section 26WG of the Privacy Act (See: 5.5 Factors to consider when assessing the Likelihood of Serious Harm).
An Entity that is Sufficiently Proximate to that affected individual has an obligation to:
- Conclude that there is a Likelihood of Serious Harm pursuant to section 26WG of the Privacy Act (Relevant Matters)
- Commence Notification requirements
- In circumstances where the affected information is Jointly Held by multiple Entities of the MindSkiller® Virtual Marketplace, advise the Entity with the Most Direct Relationship with the affected individual (and therefore responsible for the Assessment and Notification) of the risk of Serious Harm (See: 5.6.2 Entity with the Most Direct Relationship and 7 Notification Requirements - Eligible Data Breach).
Examples of relationships that are Sufficiently Proximate include but are not limited to:
- Clinician-patient relationships
- Help Provider-Help Seeker relationships.
5.6.2 Entity with the Most Direct Relationship
The Entity with the Most Direct Relationship with an individual is the closest and/or best informed. It must:
- Undertake the Assessment (see Section 6.4 Assessment) and if necessary, proceed with Notification requirements (see Section 7.2 Notification - Preparation of a Statement) as such an approach is best placed to allow affected individuals to better understand the Notification and how an Eligible Data Breach might affect them
- Advise those Entities of the MindSkiller® Virtual Marketplace that are jointly holding the same record and the MindSkiller® Virtual Marketplace that there has been a Data Breach
- In the event of an Eligible Data Breach, include those Entities jointly holding the same record and the MindSkiller® Virtual Marketplace in the Notification Statement.
Examples of an Entity with the Most Direct Relationship include but are not limited to a:
- Retailer with a patient-clinician relationship
- Help Provider with a peer support relationship with a Help Seeker.
Where an Entity has the Most Direct Relationship with some but not all individuals at risk of Serious Harm, that Entity has a responsibility to meet its legislative obligations under the Privacy Act to make contact and collaborate with the other Entities of the MindSkiller® Virtual Marketplace that are jointly Holding the same record with a view to establishing which Entities have the Most Direct Relationships with the remaining affected individuals (See: 5.6.4 Shared Responsibilities - The Need to Collaborate).
5.6.3 Sufficiently Proximate vs Most Direct Relationship
Being Sufficiently Proximate is independent of whether an Entity has the Most Direct Relationship with an affected individual. For example, where personal information is jointly held by multiple Entities of the MindSkiller® Virtual Marketplace, several of those Entities may be Sufficiently Proximate to a vulnerable individual but only one of those Entities will also have the Most Direct Relationship.
Regardless of whether an Entity with the Most Direct Relationship is cognisant of the risk of Serious Harm to an affected individual, Entities that jointly Hold the same record have a shared responsibility to collaborate with each other to:
- Demonstrate that they are meeting their own legislative obligations under the Privacy Act
- Establish who has the Most Direct Relationship with the affected individual(s) with a view to conducting an Assessment of the Data Breach (See: 6.5.1 Containment and Immediate Remedial Action where affected information is Jointly Held by Entities of the MindSkiller® Virtual Marketplace)
- Contribute additional, relevant information to improve the Assessment process (See: 5.6.1 Sufficiently Proximate - Knows or Ought to Know).
The Entity with the Most Direct Relationship also needs to collaborate with Dr Egg to establish and/or confirm the identities of other Entities jointly holding the affected information with a view to:
- Collaborate with those Entities for the purposes of the Assessment
- Subsequently identifying them in the Notification Statement (See: 7.2.2 Notification - Statement must identify and include Entities of the MindSkiller® Virtual Marketplace that are Jointly Holding information).
6 Prelude to Notification - Containment, Immediate Remedial Action and Assessment
6.1 Containment, Immediate Remedial Action and Assessment
In the event of a Data Breach an Entity must:
- Contain the breach where possible
- Take immediate remedial action if possible and concurrently
- Commence an Assessment process to determine whether that Data Breach is Likely to be an Eligible Data Breach.
6.2 Eligible Data Breach - The Reasonable Person Test
The test of whether a Data Breach is an Eligible Data Breach is if a Reasonable Person would conclude that there is a Likely risk of Serious Harm to any of the affected individuals as result of the unauthorised access, unauthorised disclosure or loss.
Such a conclusion is reached when a Reasonable Person believes, not merely suspects, that Reasonable Grounds exist to support the Likelihood of Serious Harm (See: 6.3 Suspicion vs Belief).
If a Reasonable Person would not conclude that there is a Likely risk of Serious Harm, then Notification would not be required, as it is not an Eligible Data Breach. Only Eligible Data Breaches are Notified, that is when the risk of Serious Harm cannot be mitigated through containment and/or remedial action.
However, if a Reasonable Person would conclude that there is a Likely risk of Serious Harm, an Entity needs to immediately Notify, even if they are not aware of any actual Serious Harm or even in circumstances where Serious Harm does not eventuate.
6.3 Suspicion vs Belief
Where there are Reasonable Grounds to suspect, but insufficient grounds to form a belief that there may have been an Eligible Data Breach, the Entity must act quickly to resolve that suspicion by carrying out an Assessment to determine whether there are Reasonable Grounds to believe that the circumstances amount to an Eligible Data Breach.
6.4 Assessment to determine whether there are Reasonable Grounds to believe that the circumstances amount to an Eligible Data Breach
The Assessment must:
- Be reasonable and expeditious.
- Commence immediately after the person responsible for an Entity’s compliance, or someone else with appropriate seniority, becomes aware that a suspected Eligible Data Breach may have occurred. Entities should have systems in place to address their information security obligations under Australian Privacy Principle 11 so as to enable such situations to be promptly identified and reported.
- Take all reasonable steps to ensure that it is completed within 30 days from the date the Entity became aware of the Data Breach. If the Entity cannot reasonably complete an Assessment within 30 days, it should document the reasons for the delay.
An Assessment should involve a three stage process:
- Initiate: upon suspicion of an Eligible Data Breach, an Entity needs to initiate an Assessment. Specifically, identifying which person or group of people will do the Assessment and what will be involved.
- Investigate: quickly gather as much relevant information as possible about the suspected Eligible Data Breach including what personal information is affected, who may have had access to the information, the Likely impacts and any other relevant matters.
- Evaluate: make a decision based on the gathered evidence to establish whether there are Reasonable Grounds to form the belief that there is a Likelihood of Serious Harm and therefore an Eligible Data Breach.
6.5 Containment and Immediate Remedial Action
At any time, including during an Assessment, an Entity can and should take all reasonable steps to reduce the Likelihood of Serious Harm to affected individuals caused by a suspected Eligible Data Breach.
An Entity’s immediate priority is to contain the Data Breach where possible. This means taking immediate remedial action to limit any further access or distribution of the relevant personal information.
If containment and remediation prevents the Likelihood of Serious Harm occurring for all individuals whose personal information is involved in the Data Breach, then the Data Breach will not be an Eligible Data Breach and Notification will not be required.
If containment and remediation prevents the Likelihood of Serious Harm to some individuals within a larger group whose information was compromised in a Data Breach, Notification to those individuals for whom Serious Harm has been prevented is not required. However, the other individuals for whom the Likelihood of Serious Harm was not prevented will require Notification.
For Data Breaches where information is lost, containment and remediation is adequate if it prevents all unauthorised access and/or all unauthorised disclosure of personal information.
If at any time during the course of an Assessment, it becomes clear that there are Reasonable Grounds to believe that there is a Likely risk of Serious Harm which cannot be mitigated through containment and/or remediation, the Entity needs to promptly comply with the Notification requirements.
Examples of containment and immediate remedial action may include:
- Recovering documents or recalling emails sent in error
- Contacting recipients of information sent in error and requesting that they do not open the offending email but instead delete it
- Requesting or recommending that an Entity remove or amend certain computer access privileges.
6.5.1 Containment and Immediate Remedial Action where affected information is Jointly Held by Entities of the MindSkiller® Virtual Marketplace.
Examples of containment and immediate remedial action include:
- Where an Entity has consent from an affected individual to share information with other Entities in that individual’s Care Pathway, it should contact the affected individual to recommend that the affected individual temporarily suspend that consent until such time that the Assessment of the Data Breach is completed.
- Sourcing additional information that may need to be actioned, for example whether the affected individual has:
  MindSkiller® Platform), where the affected information or record has been disclosed or shared thus making it “jointly” Held.
  - Activated any new consents that may possibly post-date the Data Breach incident.
  - Healthcare goods and services.
7 Notification Requirements for an Eligible Data Breach
7.1 Notification - When an Entity must Notify
An Entity must Notify when:
- They have Reasonable Grounds to believe that an Eligible Data Breach has occurred (See: 6.3: Suspicion vs Belief).
- They are directed to do so by the OAIC.
7.2 Notification - Preparation of a Statement
The Entity must prepare a statement about the Eligible Data Breach and give a copy to the OAIC as soon as practicable. The statement must:
- Set out the Entity’s identity and contact details
- Include a description of the Eligible Data Breach
- Detail the kind(s) of information concerned
- Set out recommendations about the steps that affected individuals should take in response to the Eligible Data Breach.
The Entity must take reasonable steps to:
- Provide that statement to each of the affected individuals to whom the relevant information relates
- Provide the statement to each of the individuals who is at risk as a result of the Eligible Data Breach (if practicable)
- Publish a copy of the statement on its website and take reasonable steps to publicise it.
7.2.1 Notification - Statement must identify and include other parties
Where an Eligible Data Breach affects other parties, including individuals, organisations or other digital platforms, the Statement should identify those other parties and include their contact details.
This situation could potentially arise in circumstances of outsourcing agreements, I.T. vendor agreements, joint ventures, supply chain arrangements, entanglements with government or shared services arrangements where information is jointly Held (See: 8.1 When is information Jointly Held?).
Entities may also need to consider whether other authorities should be contacted to provide specific actions and protections in addition to Notifying affected individuals and the OAIC. For example, where health information that has been compromised is Jointly Held by the My Health Record system, it may be appropriate to seek guidance from the Australian Digital Health Agency.
7.2.2 Notification - Statement must identify and include Entities of the MindSkiller® Virtual Marketplace that are Jointly Holding information
Entities that are Jointly Holding information include:
- Retailers who have received consent from affected Individual Nominated User(s) in common to share clinical information
- Retailers and other Entities on the MindSkiller® Virtual Marketplace and/or the MindSkiller® Platform who may not have consent to share clinical information but may still be jointly Holding information.
See: Section 5.6.4 Shared Responsibilities - The Need to Collaborate
8 Entities of the MindSkiller® Virtual Marketplace and MindSkiller® Platform that are Jointly Holding information - Other NDB Scheme considerations
8.1 When is Information Jointly Held?
An Entity is deemed to be Holding personal information if it has the right or power to deal with that personal information, even if it does not physically possess or own the medium on which the personal information is stored (See: 4.4 Holding Personal Information).
Therefore, on the MindSkiller® platform:
- All Entities that can view the personal information of an individual user in common are Jointly Holding the same record
- An Eligible Data Breach of one Entity may also be an Eligible Data Breach of each of the other Entities where that record is Jointly Held.
It should be noted that shared, real time clinical information on a Care Pathway is only one example of personal information that is Jointly Held.
Information can still be Jointly Held between Entities on the MindSkiller® Platform where one or more of those Entities do not have consent to share real time clinical information on a Care Pathway, but still hold personal information and records.
In such an instance, both Entities have obligations under the Privacy Act and the MindSkiller® NDB Scheme (See: 6.5.1 Containment and Immediate Remedial Action where affected information is Jointly Held by Entities of the MindSkiller® Virtual Marketplace).
8.2 Which Entity undertakes the Assessment and Notification?
When a Data Breach involves personal information Jointly Held by more than one Entity, only one of those Entities needs to undertake the Assessment and proceed with the Notification requirements in the event of an Eligible Data Breach (see Section 5.6.2 Entity with the Most Direct Relationship).
Notwithstanding that only one Entity is obliged to undertake the Assessment and proceed with the Notification requirements, it is still the responsibility of each Entity to ensure that they can demonstrate that they are meeting their obligations under the Privacy Act (see Section 5.6.4 Shared Responsibilities - The Need to Collaborate, Section 5.6.1 Sufficiently Proximate - Knows or Ought to Know and Section 5.6.3 Sufficiently Proximate vs Most Direct Relationship).
9 Reviewing the Incident
Entities should learn from Data Breach incidents once the containment and remediation, Assessment and Notification steps have been completed.
9.1 Lessons Learned - Retailer Perspective
An Eligible Data Breach incident is an opportunity to:
- Utilise lessons learned to strengthen the Retailer’s own personal information security and handling practices
- Prevent or reduce the potential for a similar breach occurring in the future.
Measures may include:
- A security review and understanding the root cause of the Data Breach
- Education and training
- Implementing a prevention plan to prevent a recurrence
- A review of policies and procedures.
9.2 Lessons Learned - MindSkiller® Virtual Marketplace Perspective
An Eligible Data Breach incident is also an opportunity to improve the experience of engaging the MindSkiller® Virtual Marketplace. For example:
- Did the MindSkiller® Policy (NDB Scheme) and accompanying forms provide adequate guidance?
- Were the Retailer’s managers appropriately supported?
- Have there been any suggestions to improve the experience?
10 Ongoing Prevention Measures
10.1 Periodic System Testing
Entities should consider undertaking periodic system testing (as appropriate for that Entity) with a view to maintaining functionality, quality assurance and integrity. For example:
- Security testing, such as penetration testing (the process of identifying security weaknesses and vulnerabilities in a system by attempting to exploit them, which is one form of security testing rather than a synonym for it), may be advisable in some situations
- Exercising the reporting systems that address an Entity’s information security obligations under Australian Privacy Principle 11, so as to enable Data Breaches to be promptly identified and reported.
10.2 Australian Signals Directorate - Cyber Security Guidelines
The Australian Cyber Security Centre sits within Australian Signals Directorate and is the Australian Government’s technical authority on cyber security. Cyber Security Guidelines are provided at https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines
10.3 Positive Risk Culture
Entities should consider utilising education and training to promote a positive risk culture where staff at every level appropriately manage the risks associated with Data Breaches as an intrinsic part of their day-to-day work. Such a culture supports an open discussion about uncertainties and opportunities, encourages staff to express concerns, and maintains processes to elevate concerns to appropriate levels.