Important Changes:
Australia’s New Notifiable Data Breaches Scheme

Since 22nd February 2018, many businesses that operate in Australia (including CareMonkey) are subject to Australia’s new notifiable data breaches scheme.

At CareMonkey, privacy and security are our top priority. CareMonkey has a Data Security Compliance Program to ensure we operate in accordance with relevant laws and regulations in Australia, United Kingdom and United States. This article relates to breach notification according to Australian laws. For USA and UK we follow the laws as per HIPAA and GDPR.

As part of our security program, we have many internal policies and procedures including Data Classification, Sensitive Data Handling, Breach Notification and Incident Management. We have updated our policies to include the recent introduction of the Notifiable Data Breaches Scheme.

How is CareMonkey actively safeguarding user data?

CareMonkey is committed to protecting the privacy, security and integrity of our customer’s data. We implement a broad range of physical, technological and procedural safeguards to ensure the highest levels of data security. For Australian customers and users, all CareMonkey data is stored in Australia and is subject to Australian laws. For more detailed information on CareMonkey’s security safeguards, please visit our CareMonkey Security page.

What constitutes a notifiable data breach?

According to the Office of the Australian Information Commissioner (OAIC), an eligible data breach occurs when three criteria are met:

  1. There is unauthorised access to, or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds,
  2. This is likely to result in serious harm to one or more individuals, and
  3. The entity has not been able to prevent the likely risk of serious harm with remedial action.

What will we do in the event of a data breach?

CareMonkey has a Critical Incident Response Team (which includes our Data Protection Officer, Developers, and Senior Management), and a Breach Response Plan that is reviewed annually.

Below is a high level summary of the steps CareMonkey will take in the event of a suspected data breach.

Step 1 – Incident detection and preliminary assessment

  • CareMonkey users, employees and contractors can report suspected operational and security breaches to CareMonkey Support via live chat, email or phone.
  • CareMonkey will take immediate steps to conduct a preliminary investigation, where we will identify and classify the suspected breach.

Step 2 – Contain breach

If the preliminary investigation confirms a suspected breach, we will take immediate steps to:

  • Contain the breach.
  • Limit distribution of the affected personal information.
  • Limit possible compromise of other information.

Step 3 – Evaluate risks associated with the breach

The next step is to undertake a reasonable and expeditious assessment to:

  • Gather all relevant information on the breach.
  • Make a decision, based on the investigation, about whether the breach is an eligible data breach.
  • Determine who needs to be made aware of the breach.
  • Document everything at each step.

Step 4 – Notification

As per the Notifiable Data Breach Scheme, CareMonkey will notify affected organisations and users as soon as possible once the facts are known, if:

  • There is a chance of serious harm, or if a notification would give the users or customer organisation the ability to avoid serious harm.
  • An incident is likely to cause humiliation or embarrassment for the individual.
  • Their medical data was lost or stolen or viewed by the wrong people.

If the user affected is a member of a group such as a school, CareMonkey will work with the organisation to decide on who communicates to the user (e.g. the parent).

CareMonkey will inform the OAIC, including the Australian Privacy Commissioner, of any eligible data breaches, providing ongoing updates on key developments.

Step 5 – Review to prevent future breaches

In the event of a breach, CareMonkey will:

  • Fully investigate the cause of the breach.
  • Record an Incident Report.
  • Report to the OAIC Executives on outcomes and recommendations in the event of a notifiable breach.
  • Implement recommendations from the investigation to prevent future breaches.