My Health Record Data Breach Notification
About this form
This form is intended for use by reporting entities, including organisations that are registered to participate in My Health Record as a healthcare provider organisation, contracted service provider, portal operator or repository operator.
Reporting entities must notify the Australian Digital Health Agency (the Agency), as system operator for My Health Record, of any actual or potential data breach. Data breach notifications must be submitted as soon as practicable after the reporting entity becomes aware that the breach has, or may have, occurred (regardless of whether or not the data breach has been confirmed).
A My Health Record data breach involves either (or both) of the following:
- unauthorised collection, use or disclosure of information in a person’s My Health Record
- an event or circumstance that has compromised (or may compromise) the security or integrity of the My Health Record system.
My Health Record data breach notification requirements are outlined in the My Health Records Act 2012. Further information is available on the Australian Digital Health Agency website.
Note: Data breaches that do not involve My Health Record may need to be handled in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988.
Asking the Agency to inform affected individuals
If a data breach has occurred, section 75(6)(d) of the My Health Records Act requires the reporting entity to ask the Agency to notify all healthcare recipients affected by the data breach (and the general public if a significant number of healthcare recipients are affected).
If a data breach may have occurred, section 75(5)(c) of the My Health Records Act requires the reporting entity to ask the Agency to notify all healthcare recipients that would be affected by the data breach, if there is a reasonable likelihood that the data breach has occurred and the effects might be serious for at least one healthcare recipient.
Notifying the Office of the Australian Information Commissioner
With some exceptions (see note below), reporting entities are also required to notify the Office of the Australian Information Commissioner (OAIC) of an actual or potential data breach. The OAIC will issue a data breach reference number, and a copy of this reference number should be provided to the Agency. For further information, and instructions on how to notify the OAIC, please visit the OAIC’s Report a My Health Record data breach webpage and refer to the Guide to mandatory data breach notification in the My Health Record system.
Note: the requirement to notify the OAIC does not apply if the organisation is a state or territory authority or instrumentality; such bodies are only required to notify the Agency (see sections 75(2)(c) and 75(2)(d) of the My Health Records Act). State and territory bodies may also be required to comply with mandatory reporting schemes for their jurisdiction, or may choose to voluntarily report data breaches to their local privacy regulator in addition to reporting to the Agency.
Privacy policy
For more information on how the Agency handles your personal information, how you can access and seek correction of the information, how privacy complaints can be made, and how the Agency deals with such complaints, please see the Agency privacy policy.