Australian Government - Office of the Australian Information Commissioner - Home

Clarification regarding health data breaches

Regarding a media report today that references data breaches of health information, the Office of the Australian Information Commissioner (OAIC) wishes to provide the following information:

Since 22 February 2018, all organisations with obligations under the Privacy Act 1988 to secure personal information, including health service providers, have a legal obligation to notify affected individuals and the OAIC where there is a likely risk of serious harm to any of the individuals whose personal information is involved in the data breach. This reflects one of the primary purposes of the Notifiable Data Breaches (NDB) scheme: to ensure organisations notify individuals of a data breach involving their personal information to mitigate the risks of the data breach.

Ahead of the scheme commencing, the OAIC raised awareness of the scheme, including in the health services sector, to educate about the new obligations.

From 22 February to 31 March, the OAIC received 63 notifications. 15 of those concerned health service providers affecting a total of 119 individuals.

Once the OAIC receives a notification of a data breach, it reviews the notice to determine whether the data breach has been contained, whether the organisation has taken reasonable steps to mitigate the impact of the breach on the individuals at risk of serious harm, and whether the organisation has taken reasonable steps to minimise the likelihood of a similar breach happening again.

If the OAIC considers an investigation is necessary, the Commissioner can investigate an alleged interference with privacy on her or his own initiative. If the investigation finds that a breach of the Australian Privacy Principles in the Privacy Act has occurred, there are various regulatory responses, including receiving an enforceable undertaking, making a determination, and seeking a civil penalty in the Federal Court of up to $2.1 million for organisations.

All private health service providers have obligations under the Privacy Act 1988. For more information, see the OAIC’s resources at