Privacy in the wake of the Facebook scandal

May 14, 2018 Jennifer Dann

Should practice managers and owners rethink how they protect patient privacy?

A customer database is a key asset of any business. Yet small business owners are often too busy to give much thought to how they collect, store and use this vital information.

The recent international Facebook security breach, in which millions of users’ personal details were shared without their knowledge, has been a massive wake-up call to any business storing personal data.

Customers are now much more conscious of their privacy rights and will walk away if that can’t be assured.
The Marketing Association of New Zealand’s privacy consultant Keith Norris says retailers need to show customers they take privacy seriously. “A good way to do that is to have a privacy policy somewhere on your website where customers can easily find it,” he says.

Any small to medium business (SME) with a customer database is already affected by New Zealand's Privacy Act in exactly the same way as a large corporation or government department.

Norris says all businesses, no matter how small, should have a designated Privacy Officer who is responsible for caring for customers’ data. That person should be familiar with the Privacy Act.

“As soon as you collect someone’s personal information - and that can be as little as their name and address - you have to tell them that you’re collecting it. You also have to tell them what you’re going to use it for and where it’s going to be stored. They must be able to access their personal information and update it at any time,” he says.
“If you haven’t got time to read all 12 principles of the Privacy Act, just read Principle 3 which tells retailers exactly what they have to do in collecting, managing and storing information.”

https://www.privacy.org.nz/the-privacy-act-and-codes/privacy-principles/collection-of-information-from-subject-principle-three/

Norris says changes to the Privacy Act currently being put in a bill before Parliament will have almost no effect on small businesses. “The changes are mainly to give the Privacy Commissioner more teeth to enforce the law. I don’t think any SMEs need be concerned. The only change that affects them is that they must report any privacy breach to the Privacy Commissioner,” he says. That means any unauthorised access to, or disclosure of, personal information that could pose a risk of harm to your patients.

Optometrists, along with dentists, pharmacists and other health professionals, are also subject to the Health Information Privacy Code, which states that patients’ information must not be disclosed except in specific circumstances. Norris says the most sensitive area would be any other information about a patient’s health, aside from their eyesight, kept on file which could be used in some way maliciously by others.

https://www.privacy.org.nz/the-privacy-act-and-codes/codes-of-practice/health-information-privacy-code-1994/

The use of Facebook data by Cambridge Analytica has shown that even large organisations with supposedly high security are vulnerable. So does this mean small to medium businesses have to invest in bigger and better IT systems or enlist the services of an independent data specialist? Norris says that’s unnecessary for SMEs. “You can still run your business on a laptop. As long as your system is password protected and those passwords are kept secure then you’ve done all you can,” he says.

“Email is where most of us are vulnerable to cyber attack. A clever hacker can get into our email accounts by hacking our service provider,” he says. Business owners should never send out a mass email to everyone on their database without first hiring someone to encrypt the message to protect its contents from being read by others. “Pay an expert to do it. There are plenty of one-man IT contractors who will look after small businesses,” he says.

Emails and text messages also come under the anti-spam law, or Unsolicited Electronic Messages Act 2007, which all businesses should be well familiar with by now. The law states that you can’t send a commercial email or text to customers without first gaining their consent. The best time to ask for that is when patients first enrol with your practice. Make sure your enrolment form has a box they can tick if they’d like to receive further information and updates about your business. You also need to provide a clear and easy way for people to unsubscribe or stop receiving them.

https://www.dia.govt.nz/Spam---Commercial-electronic-messaging-in-New-Zealand#FactSheet

Norris points out that being privacy conscious doesn’t mean less marketing – it just means more transparent marketing. Business owners should be making the most of their customer database.

“Selling to existing clients is five times more effective than selling to a new client. Keep people in touch with your business, new ideas, products and services. Let them feel part of your business. That’s how businesses grow.”
A common way for small businesses to find new customers is to go to a list broker for a list of potential customers who can be contacted with promotional material by addressed mail or phone.
Norris says it’s important to have a written contract with the list broker which clearly states that the people on the list consented to receiving marketing information. “Unwanted contact will mean any goodwill you might’ve had with that potential customer is entirely lost,” he says.

About the author:

Jennifer Dann is a freelance writer for the NZ Herald and various publications. She has 20 years’ experience as an award-winning journalist for the likes of Radio New Zealand and the Sunday Star Times.