
Published: 10 October 2023

When a reporting entity becomes aware that a My Health Record data breach has or may have occurred, they must notify the System Operator (Australian Digital Health Agency) and the Office of the Australian Information Commissioner (OAIC), unless they are a state or territory body. State or territory bodies must report a My Health Record data breach to the System Operator.

Data breaches that occur outside of the My Health Record system may need to be notified to the OAIC under the Notifiable Data Breaches (NDB) scheme.

What is a My Health Record data breach?

A reporting entity must make a My Health Record data breach notification if it becomes aware that:

  • a person has, or may have, contravened the My Health Records Act 2012 (Cth) (My Health Records Act) in a manner involving an unauthorised collection, use or disclosure of health information included in a healthcare recipient’s My Health Record; or
  • an event has, or may have, occurred (whether or not involving a contravention of the My Health Records Act) that compromises, may compromise, has compromised or may have compromised, the security or integrity of the My Health Record system; or
  • circumstances have, or may have, arisen (whether or not involving a contravention of the My Health Records Act) that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system.

The contravention, event or circumstances must have directly involved, may have involved, or may involve the entity reporting the My Health Record data breach.

Who must report a My Health Record data breach?

The following entities (reporting entities) must report data breaches under the My Health Records Act:

  • the My Health Record System Operator, the Australian Digital Health Agency (ADHA)
  • registered healthcare provider organisations
  • registered repository operators (RROs)
  • registered portal operators (RPOs)
  • registered contracted service providers.

If you are an individual and you want to:

  • complain about how an entity has handled your personal information, make a privacy complaint
  • tell the OAIC about a data breach affecting other people’s personal information, contact us using the online enquiry form.

When must a My Health Record data breach be reported to the OAIC?

All potential or actual breaches of the My Health Record system must be notified as soon as practicable after the reporting entity becomes aware of the data breach.

All reporting entities must report a My Health Record data breach to the System Operator, the ADHA: Report a My Health Record data breach to the ADHA.

Reporting entities that are not a state or territory authority or an instrumentality must also report a My Health Record data breach to the OAIC using the form below.

State and territory bodies may also be required to comply with their local mandatory reporting schemes or choose to voluntarily report data breaches to their local privacy regulator in addition to reporting to the System Operator.

For more information about notification obligations, reporting entities should review the Guide to mandatory data breach notification in the My Health Record system.

The OAIC My Health Record data breach form

To notify the OAIC of a My Health Record data breach, use the My Health Record data breach form.

Providing detailed information about the circumstances of the potential or actual My Health Record data breach will help the OAIC understand and respond to your notification if needed.

For more information about how the OAIC may respond to a My Health Record data breach, please see the Guide to mandatory data breach notification in the My Health Record system.

Data breach requirements in the My Health Record system