OAIC opens investigation into Medlab over data breach

5 December 2022

The Office of the Australian Information Commissioner (OAIC) has commenced an investigation into the personal information handling practices of Medlab Pathology, owned by Australian Clinical Labs, in relation to its notifiable data breach.

This decision follows the OAIC’s preliminary inquiries commenced into the matter in October.

The OAIC’s investigation will focus on whether Medlab took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure, and whether they complied with the Notifiable Data Breaches (NDB) scheme.

The investigation will also consider whether Medlab took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs).

If the OAIC’s investigation satisfies the Commissioner that an interference with the privacy of individuals has occurred. the Commissioner may make a determination which can include declarations requiring Medlab to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice. If the investigation finds serious or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.

Under the NDB scheme, organisations covered by the Privacy Act 1988 must notify affected individuals and the OAIC as soon as practicable if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved.

The NDB scheme ensures affected individuals are informed and can take steps to protect themselves from further risk. Following a breach, individuals need to be alert to any suspicious or unexpected activity on their personal accounts or devices.

“As the risk of serious harm to individuals can increase over time, a key focus for the OAIC is the time taken by entities to identify, assess and notify the office and affected individuals of data breaches,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“Organisations must also be proactive in minimising the risk of data breaches by putting in place reasonable security steps.”

In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.

About Commissioner-initiated investigations

The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of APP 1 under section 40(2) of the Privacy Act.

Under the NDB scheme, organisations covered by the Privacy Act must notify affected individuals and the OAIC as soon as practicable if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved.

Further assistance

There are a number of resources that provide information on how organisations should respond to data breaches and how individuals can take steps to mitigate the risk from data breaches, including the OAIC website. Resources are also available at cyber.gov.au.