Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Privacy breach: Medical records kept in garden shed

The Australian Privacy Commissioner, Timothy Pilgrim, has found a medical centre in Melbourne in breach of the Privacy Act 1988 by failing to take reasonable steps to secure sensitive medical records.

The Office of the Australian Information Commissioner’s (OAIC) investigation established that Pound Road Medical Centre (PRMC) stored medical records of approximately 960 patients in a locked garden shed at premises no longer operated or staffed by them. In November 2013, the shed was broken into and the medical records were compromised.

The Privacy Commissioner noted the seriousness of the case particularly as the records contained sensitive personal information such as full name, address, date of birth, Medicare number, treatment details including results of medical investigations and discharge summaries.

‘The Privacy Act requires organisations to take reasonable steps to protect the personal information of their customers. I can’t think of any circumstances in which it would be reasonable to store health records, or any sensitive information, in an insecure temporary structure such as a garden shed,’ Mr Pilgrim said.

The Privacy Commissioner also warned organisations about the importance of secure document storage.

‘Physical security of hard copy documents is just as important as digital security. There is no point in converting paper records to a secure digital system, and then leaving the paper files unsecured. If paper records are no longer needed, they should be disposed of securely,’ Mr Pilgrim said.

The majority of the medical records related to individuals who stopped being patients of PRMC before 2004. The Privacy Act requires organisations to securely destroy or de-identify personal information that they no longer require.

‘If organisations don’t need to keep personal information for a legal purpose, then they must have a system in place to dispose of it securely. Get out the shredder or hire a secure document destruction service. If you don’t, you’re putting your clients at risk of identity theft or fraud, and your company at risk of enforcement action.’

The Commissioner recommended that PRMC:

  • undertake a risk assessment in relation to records management and privacy practices
  • organise privacy training for all staff, and
  • develop a data breach response plan to assist with future incidents.

PRMC are in the process of implementing these recommendations.

The OAIC has published a data breach notification guide that outlines steps organisations can take to respond to data breaches.

Background notes for Editors

The full investigation report is available on the OAIC’s website at:

This investigation focussed on whether Pound Road Medical Centre was compliant with the National Privacy Principles (NPPs) as the data breach occurred in November 2013. The NPPs were replaced by the Australian Privacy Principles on 12 March 2014.

Media contact:     Ms Leila Daniels     0407 663 968