Australian Government - Office of the Australian Information Commissioner

PCEHR system mandatory data breach — text descriptions


September 2012


Data breach response process

Data breach occurs

Is the breach a notifiable data breach?

Notifiable data breach

The PCEHR Act requires particular entities to report data breaches where:

  • a person has or may have contravened the PCEHR Act in a manner involving an unauthorised collection, use or disclosure of health information in a consumer's eHealth record; or
  • an event occurs which has compromised or may compromise the security or integrity of the personally controlled electronic health (eHealth) record system, and

where the entity is, has been or may be directly involved in the contravention or event.

Voluntary data breach notification

  • A breach of the Privacy Act, rather than the PCEHR Act, has occurred.
  • A privacy breach has occurred outside the eHealth record system. For example, RROs and RPOs may have some systems and databases that interact with the eHealth record system and some that do not.

Entities should follow the OAIC's voluntary guide when considering reporting data breaches voluntarily.


Key steps in responding to a notifiable data breach

Step 1: Contain the breach as much as reasonably practicable and undertake a preliminary assessment of the causes

  • Take immediate steps to contain the breach
  • Designate a person or team to coordinate the response.


Step 2: Evaluate the risks associated with the breach

  • Consider what personal information is involved
  • Determine whether the context of the information is important
  • Establish the cause and extent of the breach
  • Identify the risk of harm.

Step 3: Breach notification (RROs and RPOs)

  • Must report notifiable data breaches to both the SO and OAIC (State and Territory entities are only required to report breaches to the SO).
  • Ask the SO to notify all affected consumers (and the general public where appropriate) of the breach on their behalf. The SO must comply with the request.

Step 3: Breach notification (SO)

  • Must report all notifiable data breaches it is involved in to the OAIC
  • Must notify all affected consumers (and the general public where appropriate) of the breach.


Step 4: Review the incident and take action to prevent future breaches

  • Establish a management team and fully investigate the breach
  • Review or develop a data breach response and prevention plan
  • Implement privacy enhancing technologies
  • Regularly review internal policies, procedures and staff training practices
  • Review service delivery partners and conduct due diligence where services are contracted.


Maintain information security

To protect information from misuse, loss and unauthorised access, modification or disclosure, entities should consider:

  • the sensitivity of the personal information
  • the harm likely to flow from a security breach
  • developing a compliance and monitoring plan, and
  • regularly reviewing their information security measures.
