From 22 February 2018, private sector health service providers will be obligated under the Notifiable Data Breaches (NDB) scheme to notify affected individuals and the Australian Information Commissioner of certain data breaches involving personal information.
The NDB scheme requirements supplement the mandatory data breach reporting requirements of the My Health Record system. The NDB scheme will apply to data breaches that occur outside of the My Health Record system. There is also a higher threshold triggering the obligations to notify under the NDB scheme — only data breaches that are likely to result in serious harm to an individual are notifiable. This harm could be physical, psychological, emotional, financial, reputational, or other forms of harm.
Understanding whether a data breach can result in serious harm, or whether this harm is likely or not, requires an evaluation of the context of a data breach, including the types of personal information involved, who has access to it, whether the data breach can be contained, and more.
If you are unsure whether a data breach meets the threshold, you are required to undertake an assessment of the data breach within a maximum of 30 days.
The Office of the Australian Information Commissioner (OAIC) has a range of resources to assist you in preparing for the Notifiable Data Breaches scheme at www.oaic.gov.au/ndb.
[Source: Office of the Australian Information Commissioner]