
Australian Association of Pathology Practices submission

From: John O'Dea
Sent: Friday, 26 October 2012 8:44 AM
Subject: Submission on OAIC's Mandatory Data Breach Notification Guide


Dear [redacted],

Thanks for your email of 10 October to [details redacted], CEO, AAPP.

We've looked at the draft guidelines. They didn't raise alarm bells. It will apply to Pathology Repository Operators when and if they get off the ground. The definition of a breach seems pretty clear and the obligations to report to the OAIC are clear. There are civil penalties for non-reporting. There are obligations to investigate breaches and minimise the impact, which could become onerous if there are a large number of breaches, but we cannot know the magnitude at this point. There are serious penalties for breaches and, whereas these apply to Repository Operators, they do not apply to the SO. Is there a reason for this?

At this point, we do not propose to make a more detailed submission but please let me know if you would like further advice from us on any point.


John O'Dea
Deputy CEO, AAPP
Mobile [redacted]
Home [redacted]
email [redacted]