Case study one

Our office was notified by Ahpra about an eligible data breach. Ahpra explained the following:

  • An Ahpra staff member had mistakenly sent the name of a notifier to the health practitioner who was the subject of the notification. The notifier had said that they did not wish for their name to be disclosed to the practitioner.
  • Numerous attempts were made by Ahpra to contact the practitioner by email and phone to request that they delete the email, but a response was not received from the practitioner.
  • The notifier contacted Ahpra to express concern that the practitioner had sought to contact them, and they felt that the disclosure of their identity to the practitioner posed a threat to their wellbeing.
  • The Ahpra staff member immediately notified the police and the police detailed how the matter would be managed.

We sought more information from Ahpra about whether the practitioner had responded and about Ahpra’s review of the circumstances that led to the incident. We also requested clarification about how Ahpra had contacted the notifier, and whether the appropriate information had been provided. In response, Ahpra advised that:

  • the practitioner had not responded to or engaged with Ahpra in relation to the data breach
  • the notifier had provided information about police action in relation to the matter
  • Ahpra had completed and documented its review of the matter as a Serious Incident
  • the staff member’s error appeared to be due to misreading information
  • the staff member had apologised to the notifier formally and advised that they had the right to make a complaint to our office, and provided details about how to contact us
  • the staff member’s future release of personal information would be supervised and guided
  • the staff member’s team had been made aware of the incident to remind them to be mindful of the issue.

We considered the information provided and decided that Ahpra had taken appropriate action to respond to the eligible data breach. We were satisfied that:

  • Ahpra had appropriately notified affected individuals as required
  • Ahpra undertook a review of the circumstances that gave rise to the inadvertent release of information
  • Ahpra had taken reasonable steps to mitigate the impact of the breach on the individuals at risk of serious harm and to minimise the likelihood of a similar breach occurring again.
