- Preventing data breaches
- What to do in the event of a breach
- How to notify
- What happens next?
- My Health Record data breaches
All private health providers are obligated to notify the Privacy Commissioner when an eligible data breach is identified.
A data breach that is eligible meets these criteria:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information.
- this is likely to result in serious harm to one or more individuals.
- remedial action has not been able to prevent the likely risk of serious harm.
Examples of eligible data breaches include:
- A device containing customers’ personal information is lost or stolen.
- A database containing personal information is hacked.
- Personal information is mistakenly provided to the wrong person.
When identified, a data breach needs to be contained (e.g. alerting those affected and contacting the police if necessary) and evaluated for how it occurred and whether remedial steps can be taken to prevent the likelihood of serious harm.
If risk of serious harm to individuals cannot be prevented you must contact and notify them and the commissioner as soon as possible. This is a requirement of the Notifiable Data Breaches scheme.
Note: the reporting requirements for My Health Record data breaches are a bit different, and are explained below.
- RACGP resources:
- Webcast Recording: Preparing for the Notifiable Data Breaches scheme (21/11/2017) - a webinar explaining what needs to be done to prepare for the change.
- Office of the Australian Information Commissioner's guide to managing data breaches.
If you have a data breach, follow the OAIC's Data Breach Action Plan.
The notification must set out:
- The identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned and;
- recommendations about the steps individuals should take in response to the data breach.
For the specifications of the notification, see the How to notify section of the OAIC web resource.
Submit a notification to:
- Telephone: 1300 363 992
- Facsimile: 02 9284 9666
- Post: GPO Box 5218, Sydney, NSW 2001
- Email: email@example.com
The Commissioner will acknowledge all notifications. They may also follow up with questions or advice, depending on the nature of the breach. Their priority is to provide guidance to the notifier and help individuals at risk of serious harm.
For more information see the Commissioner’s role in the NDB scheme.
So that trust is not lost, carefully communicate to those affected during and after the breach. Be open, transparent, and reassure that you have taken the steps to avoid a future breach.
The My Health Records Act 2012 was changed to incorporate notifications of data breaches involving the My Health Record system.
A My Health Record system data breach may include:
- The unauthorised collection, use or disclosure of health information in a My Health Record in a way that has broken the rules of the My Health Records Act.
- Any event that compromises (may compromise, has compromised or may have compromised) the security or integrity of the My Health Record system.
- Any circumstances that compromise (may compromise, have compromised or may have compromised) the security or integrity of the My Health Record system.
If a data breach involving the My Health Record system occurs, you must notify the Office of the OAIC and the Australian Digital Health Agency (ADHA). The ADHA will notify the individuals likely at risk on behalf of the organisation, but must be told to do so.
Details of what to include in your My Health Record data breach notification to the OAIC where applicable
- a description of the data breach outlining the confirmed or potential unauthorised collection, use or disclosure or threat to the security or integrity of the My Health Record system
- the type of personal information involved
- how many healthcare recipients were or may have been affected
- when the data breach occurred, or may have occurred
- what caused, or may have caused, the data breach
- whether the breach was inadvertent or intentional
- when and how you became aware of the breach
- whether the data breach has been contained
- what action has been taken or is being taken to mitigate the effect of the data breach and/or prevent further breaches
- whether the data breach appears to stem from a systemic issue or an isolated trigger
- any other entities involved
- whether your organisation has experienced a similar breach in the past
- any measures that were already in place to prevent the breach
- whether a data breach response plan was in place, and if it has been activated
- the name and contact details of an appropriate person within your organisation
- any other relevant factors.
Do not include any information about the identities of the affected people to the OAIC. This should be given to the ADHA separately.