Notifiable data breaches

Notifiable Data Breaches Scheme

Under the Notifiable Data Breaches Scheme, the Australian Health Practitioner Regulation Agency (Ahpra), the National Boards, accreditation authorities and specialist medical colleges, must notify our office about any data breach involving personal information that is likely to result in serious harm. This is called an ‘eligible data breach.’

The Notifiable Data Breaches Scheme’s main purpose is to ‘ensure individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm’. Essentially, by informing individuals about a data breach, they can act to reduce any potential problems or harms from the breach.

At the system level, the scheme also helps to keep those holding personal information accountable for protecting privacy and encourages them to take privacy breaches seriously. This in turn helps to build trust that entities handle personal information appropriately.

Eligible data breaches in the National Scheme

A data breach is when personal information is lost or subjected to unauthorised access or disclosure. For a data breach to be eligible, and therefore require notification to our office, it must be:

• likely to result in serious harm to any individual
• that remedial action taken by the organisation has not successfully prevented the likely risk of serious harm.

Ahpra, the National Boards, accreditation authorities and specialist medical colleges are also required to notify individuals involved of the eligible data breach and recommend steps they should take in response.

The Commissioner can direct an organisation to notify of an eligible data breach if the Commissioner has reasonable grounds to believe such as breach has happened.

Although notification is not formally required for breaches assessed to be unlikely to result in serious harm to those affected, we welcome voluntary disclosure of any data breaches.

How we handle eligible data breach notifications

The Privacy Act requires organisations at the written request of the Commissioner to give information, produce documents or answer questions related to the matter.

When we receive an eligible data breach notification, we may choose to make further enquiries about the data breach. This may be, for example, to get more information to assess the organisation’s response.

We then consider the information provided, including the type and sensitivity of the data breach and the number of people involved. We explore whether:

• the data breach has been contained or is being contained where possible
• the organisation has taken, or is taking, reasonable steps to mitigate the impact of the breach on those at risk of serious harm
• the organisation has taken, or is taking, reasonable steps to minimise the likelihood of a similar breach occurring again.

Based on our assessment of this information, we may take a range of actions including deciding:

• appropriate action has been taken
• to offer guidance and assistance in relation to possible remedial action or steps that can be taken by the organisation to reduce the likelihood of a similar breach occurring in the future
• to take regulatory action.

While the Commissioner can take regulatory action, we generally prefer to work collaboratively with organisations to ensure compliance with the Privacy Act.