Notifications of Data Breaches
Legislative changes have been made to the My Health Records Act 2012 in relation to notifying data breaches.
These changes took effect on 1 March 2016.
What is a data breach?
Under the My Health Records Act 2012 a data breach is:
- the unauthorised collection, use or disclosure of health information in an individual’s My Health Record;
- an event that has, or may have, occurred that compromises, may compromise, has compromised, or may have compromised, the security or integrity of the My Health Record system; or
- any circumstances that have or may have arisen (whether or not involving a contravention of the My Health Records Act 2012), that compromises, may compromise, have compromised, or may have compromised, the security or integrity of the My Health Record system.
Entities participating in the My Health Record system must notify the My Health Record System Operator (and, for entities that are not a state or territory authority, the Australian Information Commissioner) of data breaches.
What has changed?
The My Health Records Act 2012 previously required entities participating in the My Health Record system (i.e. the My Health Record System Operator, registered repository operators, registered portal operators and registered contracted service providers) to notify the Australian Information Commissioner and/or System Operator of a data breach. Registered healthcare provider organisations were previously subject to a similar obligation through participation agreements.
Changes have been made so that entities participating in the My Health Record system (described above) are now required by the My Health Records Act 2012 to notify data breaches. The changes have removed ambiguity to make clear that all of these entities must notify potential and actual data breaches.
Entities that do not comply with this obligation may be subject to a civil penalty of up to 100 penalty units ($21,000 for individuals and $105,000 for bodies corporate).
When does a data breach have to be notified?
A data breach must be notified as soon as practicable if it relates to events or circumstances that have existed, currently exist or may exist in the future. Even if a data breach has been resolved by the entity, the entity is still required to notify it.
The obligation to notify a data breach is triggered when the entity becomes aware that a data breach has occurred. Determining whether or not a data breach has occurred can take time, particularly where an investigation or formal advice (such as from the organisation’s IT provider) is required. If there is a possibility that a data breach has occurred but has not yet been confirmed, this lack of certainty should not be used as a reason for postponing notification and carrying out any necessary remedial actions.
In terms of timing, it is important to understand that the intent of the data breach notification obligation is to allow the System Operator to take any steps needed to ensure information in the My Health Record is protected and, equally importantly, to allow affected healthcare recipients to take steps to minimise any risks they may face and ensure their information is protected to their satisfaction.
If, for example, an entity discovers malicious software in their IT systems that may provide a backdoor into information in the My Health Record system, the entity would be expected to notify that breach as soon as they discover the malicious software since it could undermine the security of the My Health Record system, at the same time they endeavour to remove the software.
Who should the entity notify?
The obligation to notify data breaches varies depending on the type of entity that becomes aware of the data breach. The table below identifies who is to be notified of data breaches:
| Entity that becomes aware of a data breach | Body to notify |
| --- | --- |
| My Health Record System Operator | Australian Information Commissioner |
| An entity (other than the My Health Record System Operator) that is a state or territory authority or instrumentality | My Health Record System Operator |
| An entity (other than the My Health Record System Operator) that is not a state or territory authority or instrumentality | My Health Record System Operator and Australian Information Commissioner |
What other steps does the entity have to take?
In addition to notifying the data breach as soon as practicable, the entity must take certain steps depending on whether the data breach may have occurred or has been confirmed as having occurred. Among other things, the entity must take steps to contain and evaluate the data breach.
Potential data breaches
If there is a reasonable likelihood that a data breach may have occurred and its effects may be serious for at least one healthcare recipient:
- the entity must ask the System Operator to notify all healthcare recipients that would be affected; or
- if the entity is the System Operator, notify all healthcare recipients that would be affected.
The “seriousness” of the effects of each data breach should be assessed on a case-by-case basis and should take into consideration all the relevant circumstances.
The entity should then take some time to conduct initial investigations to assess whether a breach has or may have occurred; however, there is an expectation that this occurs within days rather than weeks or longer.
If an entity has already given notice of a data breach on the basis that it may have occurred, and later determines that the data breach actually occurred, it is not required to notify the data breach again.
Actual data breaches
If the entity is aware that a data breach has occurred, the entity must undertake a preliminary assessment of the cause of the data breach, evaluate any risks related to the data breach, and take steps to prevent further similar data breaches.
Additionally, the entity must either:
- ask the System Operator to notify all healthcare recipients that would be affected, and the general public if a significant number of healthcare recipients are affected; or
- if the entity is the System Operator, notify all healthcare recipients that would be affected, and the general public if a significant number of healthcare recipients are affected.
How should an entity notify a data breach?
Data breaches should preferably be notified in writing.
If the notification is to the Australian Information Commissioner, a data breach may be notified by email to email@example.com, by fax to (02) 9284 9666, or by mail to Office of the Australian Information Commissioner, GPO Box 5218, Sydney NSW 2001.
If the notification is to the My Health Record System Operator, it may be done by email to firstname.lastname@example.org.
What information should be included in a data breach notification?
As a minimum, the following information should be included in a data breach notification:
- a description of the breach outlining the suspected unauthorised collection, use or disclosure, or the event or circumstance;
- the date and time of the data breach;
- the cause of the data breach;
- the type of information involved;
- how many healthcare recipients were or may have been affected;
- whether the data breach has been contained;
- what action has been taken or is being taken to mitigate the effects of the data breach and/or prevent further data breaches;
- the name and contact details of an appropriate person within the entity; and
- any other relevant factors.
Why has this change been made?
The changes have been made to align the obligations of registered healthcare provider organisations with those of other entities participating in the My Health Record system. All entities are now subject to the same data breach notification obligations as set out in the My Health Records Act 2012 (section 75).
The changes have also been made to address previous uncertainty about whether the obligation applied only to events or circumstances that currently exist or may exist in the future, or whether they also applied to events or circumstances that have happened but which no longer pose a risk because they have been addressed or no longer exist. These ambiguities have been removed to make clear that all such occurrences must be notified.
Where can I get further information and guidance?
The Office of the Australian Information Commissioner has published a guide related to the My Health Record system that covers this matter in more detail. The guide is available on the Office of the Australian Information Commissioner’s website.
You can contact:
- the My Health Record System Operator on 1800 723 471; and
- the Australian Information Commissioner on 1300 363 992.