Data segregation in the acquisition of medical practices – Data Protection



Data segregation

Key takeaways

  • If you’re thinking about selling or buying a medical
    practice, identify as early as you can what data needs to be
    segregated and transferred as part of the transaction

  • Know your privacy obligations and what these mean in the
    context of the sale or purchase

  • Ensure that you have processes in place to get the segregated
    data safely and securely transferred

Given the recent increased levels of activity we have observed
in the buying/selling of medical practices and the current
intensive spotlight of privacy regulation (including in the health
industry), the process of proper data segregation is an important
one.

What is data segregation?

Data segregation is a process that ensures that only data which
is relevant to the acquisition of a target business is managed,
segregated and transferred to the acquiring entity.

Consideration of data segregation in any acquisition activities
is vital, particularly in circumstances where the data which is
held may be commingled with other, non-related data (which may not
need to be transferred to the acquiring entity).

Why is data segregation important?

The successful segregation of data is particularly important for
medical practices, as the personal information which is collected
in the rendering of health services (including an individual’s
name, date of birth, and address) is considered to be sensitive
information for the purposes of compliance under the Privacy Act
1988 (Cth) (Privacy Act).

This information is consequently subject to a higher level of
compliance, and the scope of its collection, use, management and
disclosure is more constrained than it may otherwise be in other
contexts.

Medical practices that are conducting mergers and acquisitions
(M&A) transactions in buying or selling their
practices must therefore take the utmost level of care in ensuring
they have appropriate data segregation safeguards in place, to not
only ensure they comply with data protection laws, but also to
preserve the quality and value of their collected data. It should
be noted that amendments in the recently passed Privacy Legislation
Amendment (Enforcement and Other Measures) Bill 2022 (which is
currently awaiting royal assent) will increase the repercussions
organisations in breach of privacy laws may face.

Under this bill, a contravention of the Privacy Act may result
in a penalty of up to $50 million. The penalty will be calculated,
if possible, to be worth three times the benefit the offending
entity obtained from the breach, or otherwise to be 30% of the
adjusted turnover the entity earned, during the breach period.

What does this mean for me?

While data segregation is often an ‘afterthought’ in
M&A transactions, data segregation should be considered as soon
as a medical practice begins contemplating the undertaking of
M&A activities, to ensure information is sufficiently protected
and that you have complied with your obligations under the Privacy
Act. The early consideration of data segregation is vital to ensure
you have appropriately managed any risks arising from the
obligations set out under the Privacy Act.

Practically, we suggest that in acquiring a medical practice,
buyers should consider:

  • identifying what data is necessary and required to be
    transferred as part of the acquisition, and what data can be left
    with the target entity;

  • taking steps to ensure the data which is to be acquired can be
    segregated from the data which is not required as early as possible
    (including any steps which may be required to ensure that data
    which is not intended to be acquired has not been inappropriately
    transferred);

  • implementing processes to ensure that any acquired data is
    appropriately managed and securely stored (including processes to
    address any inadvertently obtained data as part of the acquisition
    process); and

  • taking steps to ensure that the collection, use and disclosure
    of any data which may be acquired follows the requirements set out
    in the Privacy Act.

We can help you

If you have questions, or would like more information about how
we can assist you and your business, please call 1800 867 113, or
click here to organise a confidential discussion at a time that suits you.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
