In the case of a data breach that relates to the My Health Record system, healthcare professionals must notify the Agency as soon as possible.
Healthcare providers must notify the Australian Digital Health Agency of any potential or actual data breaches that relate to (or may relate to) the My Health Record system. Other data breaches that do not involve the My Health Record system may need to be handled in accordance with the Privacy Act 1988 Notifiable Data Breaches scheme.
Definition of data breaches – My Health Records Act 2012
The characteristics of a breach of health and personal information relating to the My Health Record system are outlined in the My Health Records Act 2012. According to this Act, a data breach involves:
- The unauthorised collection, use or disclosure of health information in an individual’s My Health Record; or
- A situation where:
a) an event that has, or may have, occurred or
b) any circumstances have, or may have, arisen
that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system (whether or not involving a contravention of the My Health Records Act 2012).
Notification of data breaches – My Health Records Act 2012
Entities using the My Health Record system must notify the Australian Digital Health Agency (System Operator) of any potential or actual data breaches, as soon as possible. Even if the data breach has been resolved, you must still notify the Australian Digital Health Agency.
For example, if a healthcare provider’s system is infected with malicious software, this could compromise their system and may allow unauthorised access to the information in the My Health Record system. The provider would need to notify the Australian Digital Health Agency immediately and, at the same time, take steps to remove the malicious software from their system.
As the My Health Record System Operator, we need to take steps to ensure all of the information in the My Health Record system is secure. Healthcare consumers must also be allowed to take steps to mitigate any risks to their data.
Notifications are made in writing by contacting us.
Further information on how to notify us is available, including:
- a checklist of the details you need to provide in a written notification(s)
- steps to take to confirm and evaluate a potential or actual data breach
- timing of notification(s).
You can learn more by reviewing the OAIC’s Guide to mandatory data breach notification in the My Health Record system.
Notifiable Data Breaches scheme – Privacy Act 1988
There are some situations where a data breach does not have to be reported under the My Health Records Act. This could include, for example, where a data breach does not relate to the My Health Record System at all.
These data breaches, however, may still need to be handled in accordance with the Privacy Act 1988 Notifiable Data Breaches scheme, which includes a requirement to notify the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.
For more information about the Privacy Act 1988 Notifiable Data Breaches scheme or how it interacts with the My Health Records Act 2012 data breach notification obligations, visit the OAIC’s website.