Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

GPs, gyms, and childcare centres may have obligations under the Notifiable Data Breaches scheme — will your organisation?

Private sector health service providers will be required to notify affected individuals and the Australian Information Commissioner of data breaches that are likely to cause serious harm under the Notifiable Data Breaches (NDB) scheme.

Health service providers’ refers to organisations, including small businesses, that provide a health service and hold people’s health information. This generally includes general practitioners (GPs), pharmacists, therapists, allied health professionals, gyms and weight loss clinics, and childcare centres among others.

The NDB scheme adds to the existing protections for health information — ensuring organisations respond to data breaches that are likely to cause serious harm quickly, and by providing individuals with the opportunity to take steps to protect their personal information after a data breach.

The NDB scheme requirements supplement the mandatory data breach reporting requirements of the My Health Records Act. The obligations of the NDB scheme will only apply to data breaches outside of the My Health Record system. There is also a higher threshold in the NDB scheme for notification — only those that are likely to result in serious harm to an individual trigger the notification requirements.

We have published various draft resources to help you understand your obligations and start preparing for the commencement of the NDB scheme on 22 February 2018.

The OAIC is also hosting a webinar on the scheme’s requirements on 21 November 2017. Sign-up to attend.

View the resources