Mandatory data breach notification in the eHealth record system
Draft September 2012
A guide to mandatory data breach notification under the
personally controlled electronic health record system
Key messages ... 1
Key terms ... 1
Background ... 3
Who should use this guide? ... 3
Purpose and scope of this guide ... 3
Data breaches that are out of scope ... 3
State and Territory entities ... 4
The legislative framework ... 4
The interaction of the PCEHR Act and the Privacy Act ... 5
Role of the Information Commissioner under the eHealth record system ... 5
Role of the System Operator ... 6
Notifiable data breaches ... 6
Reporting requirements for RROs and RPOs ... 7
When to report a notifiable data breach ... 7
Who to report a notifiable data breach to ... 7
What to include in a notifiable data breach report ... 8
How to report a notifiable data breach ... 9
What happens when you report a notifiable data breach to the OAIC ... 9
What may happen if a notifiable data breach is not reported ... 9
The SO’s requirements for notifiable data breaches ... 10
Notifying consumers about notifiable data breaches ... 10
What the SO should include in its notification to affected consumers ... 11
How the SO should notify consumers ... 12
Responding to a notifiable data breach ... 12
Step 1: Contain the breach and undertake a preliminary assessment... 12
Step 2: Evaluate any risks that may be related to or arise from the breach. ... 14
Step 3: Notify affected consumers and the general public ... 17
Step 4: Take steps to prevent or mitigate risks and prevent further breaches ... 17
Regulation of notifiable data breach reporting ... 20
Enforcement powers... 20
Investigations in relation to notifiable data breaches ... 20
Data breach response process ... 22
Key messages
This document provides general guidance to help entities meet their mandatory data breach notification reporting obligations under the Personally Controlled Electronic Health Records Act 2012 (Cth) (the PCEHR Act). It also aims to assist entities to respond effectively to those data breaches.
The PCEHR Act requires particular entities to report data breaches where:
o a person has or may have contravened the PCEHR Act in a manner involving an unauthorised collection, use or disclosure of health information in a consumer’s eHealth record; or
o an event occurs which has or may compromise the security or integrity of the personally controlled electronic health (eHealth) record system, and where the entity is, has or may be directly involved in the contravention or event.
These are referred to as ‘notifiable data breaches’.
The Office of the Australian Information Commissioner has the role of receiving mandatory data breach notifications from particular entities and can seek a civil penalty if a notifiable data breach is not reported.
The System Operator also has the role of receiving mandatory data breach notifications from particular entities and can impose administrative sanctions.
Entities must report notifiable data breaches that they are or may be involved in, as soon as practicable after becoming aware of the breach.
The System Operator is the only entity responsible for notifying affected consumers.
Entities must take specific action in response to a notifiable data breach. This action includes containing the breach and undertaking a preliminary assessment of the causes; evaluating the risks; asking the System Operator to notify affected consumers; and taking steps to prevent or mitigate risks and further breaches.
Australian government agencies and private sector healthcare providers also have obligations under the Privacy Act 1988 (Cth) (the Privacy Act).
The Privacy Act requires these entities to put in place reasonable security
safeguards and to take reasonable steps to protect the personal information they hold from loss and from unauthorised access, use, modification or disclosure, or other misuse.
This guide is not aimed at State or Territory government entities regulated by the PCEHR Act. However, the advice in the guide may be useful to them.
This document applies to notifiable data breach notification under the PCEHR Act. For assistance with the voluntary reporting of data breaches by agencies and organisations regulated under the Privacy Act, see the OAIC’s voluntary data breach notification guide:
A guide to handling personal information security breaches.
Key terms
Consumer means an individual who has received, receives or may receive healthcare. The terms ‘consumer’ and ‘individual’ are used interchangeably throughout this Guide.
eHealth record means a personally controlled electronic health record.
Data breach means, in general terms, when personal information is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse.
Entity has the meaning set out in s 5 of the PCEHR Act
… (a) a person; or (b) a partnership; or
(c) any other unincorporated association or body; or (d) a trust; or
(e) a part of an entity… (under a previous application of this definition).
that participates in the eHealth record system and includes the System Operator, registered repository operators and registered portal operators. In this guide, ‘entity’
refers primarily to the System Operator, registered repository operators and registered portal operators.
Health information has the meaning set out in s 5 of the PCEHR Act (which is broadly similar to the definition under the Privacy Act):
… (a) information or an opinion about:
(i) the health or a disability (at any time) of an individual; or
(ii) an individual’s expressed wishes about the future provision of health services to him or her; or
(iii) healthcare provided, or to be provided, to an individual;
that is also personal information; or
(b) other personal information collected to provide, or in providing, healthcare; or (c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
The National Repositories Service is a data repository which will store certain key records that form part of a registered consumer’s eHealth record, including a consumer’s shared health summary.
Notifiable data breach refers to events described in s 75(1) of the PCEHR Act. These can
be summarised as situations where the SO or an RRO or RPO have become aware that:
a person has or may have contravened the PCEHR Act in a manner involving an unauthorised collection, use or disclosure of health information in a consumer’s eHealth record or
an event has occurred or circumstances have arisen (whether or not a contravention of the PCEHR Act) that compromise, or may compromise, the security or integrity of the eHealth record system; and
where the entity is, has or may be directly involved in the contravention or event.
1OAIC means the Office of the Australian Information Commissioner.
PCEHR Act means the Personally Controlled Electronic Health Records Act 2012 (Cth).
2Privacy Act means the Privacy Act 1988 (Cth).
3Personal information has the meaning as set out in s 6 of the Privacy Act:
information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Any personal information held by the SO, a RRO or a RPO under the eHealth record system will be health information.
A registered repository operator (RRO) holds one or more repositories of consumer health information, some or all of which have been registered under the eHealth record system by the SO. Data from RRO repositories may be included in eHealth records. RROs will operate in conjunction with the National Repositories Service.
A registered portal operator (RPO) operates an electronic interface or portal, which facilitates access to the eHealth record system. Portals will enable individuals and healthcare providers to access the eHealth record system and to use and manage their eHealth record. RPOs are registered by the SO.
A State or Territory entity means a State or Territory authority or instrumentality. State or Territory authority is defined in s 5 of the PCEHR Act.
The System Operator (SO) manages and operates the core aspects of the eHealth record system. The Secretary of the Department of Health and Ageing is currently the SO.
1 See s 75(1)(b) and (c) of the Personally Controlled Electronic Health Record Act 2012 (Cth) www.comlaw.gov.au/Details/C2012A00063.
2 www.comlaw.gov.au/Details/C2012A00063.
3 www.comlaw.gov.au/Details/C2012C00414.
Background
Who should use this guide?
This guide is for entities that are required by the PCEHR Act to report notifiable data breaches to the OAIC. This includes entities that are or have ever been the SO, or an RRO or RPO and who are Australian government agencies or private sector organisations.
This guide is not aimed at State or Territory entities, who must report notifiable data breaches to the SO rather than the OAIC (see ‘State and Territory entities’ below).
However, the advice in this guide may be useful to them.
Purpose and scope of this guide
Section 75 of the PCEHR Act requires the SO, RROs and RPOs to report data breaches in particular circumstances. These are referred to as ‘notifiable data breaches’.
This guide assists the SO, RROs and RPOs to understand their notifiable data breach reporting obligations under the PCEHR Act. It also aims to assist these entities to respond effectively to notifiable data breaches, as required under the PCEHR Act.
This guide sets out the steps that the SO, RROs and RPOs are required to take when responding to a breach and matters that these entities should take into account when doing so. This information is meant to assist these entities to evaluate the seriousness and impact of a notifiable data breach and the action appropriate in the circumstances. It also provides guidance for the SO about the notification of affected consumers, including what should be included in such a notification.
The guide is also designed to assist entities to improve the data security measures they have in place to protect health information held in the eHealth record system. Entities that experience a notifiable data breach have a legal obligation to take steps to prevent or mitigate the effects of further contraventions. The advice in the guide should assist entities to take practical steps to help ensure they meet this obligation.
Data breaches that are out of scope
There are some situations in which the SO, RROs and RPOs may be involved in a data breach that is not a notifiable data breach. This could include, for example, where a data breach has occurred outside the eHealth record system.
Example: A RRO has a number of databases, some of which do and some of which do not feed data into the eHealth record system. A consumer’s personal information is
improperly disclosed to a healthcare provider by the RRO, from one of the RRO’s
databases that does not interact with the eHealth record system. Because this breach has occurred outside the eHealth record system, and is therefore not subject to the
requirements of the PCEHR Act, it would not be a notifiable data breach and would not
require mandatory reporting. However a breach such as this may be a breach of the
Privacy Act.
Also, if entities other than the SO, RROs or RPOs, such as private healthcare providers, become aware of a data breach under the eHealth record system or within their own local records, this event would not be a notifiable data breach.
The OAIC encourages entities to consider voluntarily reporting data breaches, that are not notifiable data breaches, to the OAIC or their State or Territory privacy regulator;
particularly if there is a risk the breach could cause harm or humiliation to the affected individuals. Entities should bear in mind that the risk of harm or humiliation may be greater where certain types of personal information are disclosed, such as health information. Entities should also consider whether to notify affected individuals about the data breach.
The Privacy Act does not require agencies of the Australian, ACT and Norfolk Island governments or private sector organisations to report data breaches. However, these entities are encouraged to voluntarily report data breaches to the OAIC in accordance with the OAIC’s voluntary data breach notification guide: A guide to handling personal information security breaches.
State and Territory entities
State and Territory entities that experience a notifiable data breach are required under the PCEHR Act to report it to the SO, not to the OAIC. However, the advice in this guide may be useful when reporting notifiable data breaches to the SO.
State and Territory entities may choose to voluntarily report data breach notifications to their relevant privacy regulator.
The legislative framework
Section 75 of the PCEHR Act
4sets out the legal obligations that the SO, RROs and RPOs have in relation to notifiable data breaches. Specifically:
subsection 75(1)(a) describes the entities that have mandatory reporting obligations
subsections 75(1)(b) and (c) define what events will constitute a notifiable data breach under the PCEHR Act
sections 75(2) and (3) specify to whom the SO, RROs and RPOs should report notifiable data breaches and
section 75(4) prescribes the actions these entities must take in response to such a breach.
Further, s 75(2) of the PCEHR Act empowers the Information Commissioner to seek a civil penalty where RROs and RPOs fail to report a notifiable data breach.
4 www.comlaw.gov.au/Details/C2012A00063/Html/Text#_Toc327957233.
The interaction of the PCEHR Act and the Privacy Act
The Privacy Act 1988 (Cth) (the Privacy Act) regulates the handling of personal
information by Australian government, ACT government
5and Norfolk Island agencies and most private sector organisations.
The PCEHR Act regulates some aspects of the handling of personal information contained in the eHealth record system. The Act sets strict controls on the collection, use and disclosure of health information included in an individual's eHealth record. A collection, use or disclosure which is not authorised by the legislation is both a contravention of the PCEHR Act and an interference with the privacy of the individual under the Privacy Act.
The PCEHR Act does not regulate other aspects of information handling such as, for example, data security or data accuracy.
Whether the PCEHR Act or Privacy Act applies to a particular act or practice will depend on the type of privacy issue and whether the act or practice occurred within the eHealth record system. For example, an act or practice that occurs outside the eHealth record system, such as within an entity’s local records, will not be covered by the PCEHR Act.
Acts and practices not regulated by the PCEHR Act and that involve the handling of personal information by Australian government, ACT government,
6or Norfolk Island agencies and private sector organisations will continue to be regulated by the Privacy Act.
State or Territory privacy law may also apply in these circumstances.
Role of the Information Commissioner under the eHealth record system
The OAIC is an independent statutory agency headed by the Information Commissioner.
The Information Commissioner is supported by the Privacy Commissioner, the Freedom of Information Commissioner and the staff of the OAIC. The OAIC regulates the Privacy Act and Freedom of Information Act 1982 (Cth), and works to advance the development of consistent, workable information policy across all Australian Government agencies.
The OAIC regulates the handling of personal information in the eHealth record system by individuals, Australian government agencies, private sector organisations and some State and Territory agencies (in particular circumstances). To carry out its regulatory role in the eHealth record system the OAIC has been given a range of functions and powers,
including for notifiable data breach notifications.
The functions and powers the OAIC has in relation to notifiable data breaches include:
accepting reports about notifiable data breaches
providing advice to reporting entities
5 A slightly amended version of the Privacy Act applies to ACT agencies and is administered by the Information Commissioner. However, this regulation does not apply to health records within the meaning of the ACT Health Records (Privacy and Access) Act 1997 as these records are exempt documents for the purpose of section 6(2) of the ACT FOI Act, and therefore the Privacy Act.
6 For example, as referred to in Note 5, the Privacy Act does not regulate the handling of health records by ACT agencies.
conducting investigations to assess entities’ compliance with their obligations and
taking enforcement action, where the circumstances warrant it.
The regulatory section of this guide sets out the circumstance in which the OAIC will conduct an investigation about a notifiable data breach, and sets out the OAIC’s
enforcement powers. The section entitled ‘What happens when you report a notifiable data breach?’ discusses what action the OAIC takes when it receives a report including its role in providing advice to reporting entities about complying with their obligations.
Role of the System Operator
The SO manages and operates core aspects of the eHealth record system. These include:
healthcare consumer, healthcare provider, repository operator and portal operator registration
maintaining the National Repositories Service, system access controls, a clinical document index service and audit trail service
establishing a complaint handling framework and
education of system participants.
The SO will also receive notifiable data breaches from RROs and RPOs. It will liaise with the OAIC and may investigate, take corrective actions and help the reporting entity to mitigate any loss or damage that may result from the breach. The SO is required to notify affected individuals or the general public, where a significant number of people are affected. If an entity fails to report a notifiable data breach, the SO cannot seek civil penalty orders, but it may cancel, suspend or vary the registration of a RRO or RPO.
If the SO has or may have been involved in a notifiable data breach, it must report the breach to the Information Commissioner.
Notifiable data breaches
There are two situations where the SO, RROs and RPOs must report notifiable data breaches to the OAIC or the SO:
a person has or may have contravened the PCEHR Act through an unauthorised collection, use or disclosure of health information in a consumer’s eHealth record Example: A privately-operated pathology entity is a RRO, and its database feeds data into the eHealth record system. A staff member who has access to the database for their employment duties uses their access to view their son-in-law’s eHealth record, then discloses their son-in-law’s health information to their daughter. In this case an unauthorised collection, use and disclosure may have occurred.
an event occurs which has or may compromise the security or integrity of the
PCEHR system. This may or may not involve a breach of the PCEHR Act.
Example: A RPO provides the portal that allows consumers to access their eHealth record. It has just discovered that an unidentified party has used an external computer program to hack into the portal and has been using malicious software to capture people’s usernames and passwords when they log in through the portal. As a result, the usernames and passwords of all consumer participants in the eHealth system may have been compromised.
Reporting requirements for RROs and RPOs
When to report a notifiable data breach
Entities must report all notifiable data breaches that they are involved in or may be involved in, regardless of how serious they may seem. Generally an entity would be involved in a data breach if one or more of its records of personal information has been compromised internally or by an external party. This would include suspected breaches that are not yet proven.
Entities are not required to report notifiable data breaches that only involve other
entities. However, it would be good privacy practice to consider notifying the OAIC where an entity believes it has evidence of another entity being involved in a data breach.
Entities must report notifiable data breaches as soon as practicable after becoming aware of the breach. Generally this means reporting the breach shortly after becoming aware of it. However, reporting the breach should not be at the expense of initial efforts to
contain it. If it is not practicable to report the breach immediately, the data breach report should explain why it was not practicable in the circumstances.
Who to report a notifiable data breach to
RROs and RPOs must report notifiable data breaches to both the OAIC and the SO. RROs and RPOs cannot notify affected consumers directly about the breach, but must ask the SO to do this on their behalf.
Depending on the nature of the breach, it may also be appropriate for entities to advise:
the police, if theft or another crime is suspected
relevant Australian government agencies, such as Medicare, if the breach compromises Australian Government identifiers such as Individual Healthcare Identifiers or Medicare numbers
insurers, if required under contract
third party contractors or other parties who may be affected
internal business units not previously advised of the breach (for example,
communications and media relations, senior management).
What to include in a notifiable data breach report
The information that should be included in a notifiable data breach report will depend on the circumstances. While an entity must report a notifiable data breach as soon as practicable after becoming aware of the breach, it may not have all the information it needs when the initial report is made. In such cases, the entity will need to make an initial report to the OAIC and SO about the data breach and provide further details to the OAIC and SO as they become available.
The report should include the following kinds of details (where applicable):
a description of the breach outlining the unauthorised collection, use, disclosure or threat to the security or integrity of the eHealth record system
the type of personal information involved
how many individuals were or may have been affected
when the breach occurred
what caused the breach
whether the breach was accidental or deliberate or still being resolved
when and how the entity became aware of the breach
steps taken to contain the breach, a risk evaluation and detail about actions taken (or proposed) to prevent recurrence
steps that were already in place to prevent the breach
any other entities involved
whether the SO/OAIC has also been notified
the name and contact details of an appropriate contact person within the entity.
Notifiable data breaches reported to the OAIC should describe the breach but should not include information that would identify the affected consumer(s). This will prevent the OAIC from collecting unnecessary personal information. Notifiable data breaches reported to the SO should identify the affected individual(s) to enable the SO to contact them.
Privacy tip: Do not provide exactly the same notification to both the OAIC and SO. Before
reporting notifiable data breaches to the OAIC make sure you remove or conceal any
information that would identify individuals from the information provided.
How to report a notifiable data breach
Contacting the OAIC
Telephone: 1300 363 992 (local call cost, but calls from mobile and payphones may incur higher charges)
TTY: 1800 620 241 (this number is dedicated for the hearing impaired only, no voice calls)
Post: GPO Box 5218, Sydney NSW 2001 Facsimile: +61 2 9284 9666
Email: enquiries@oaic.gov.au
The OAIC’s preferred communication method is via email.
Contacting the SO
The SO may be contacted by telephone on 1800 723 471.
What happens when you report a notifiable data breach to the OAIC
The OAIC will assess each notifiable data breach report it receives to determine whether it contains sufficient information about the breach; that appropriate action has been or is being taken; and whether further action is warranted. It will consider whether the
circumstances warrant opening an own motion investigation, or whether to provide advice about further steps the entity could take in relation to the breach.
The OAIC’s functions in relation to the eHealth record system include providing advice to entities about their compliance obligations including about notifiable data breaches.
However, the OAIC cannot provide detailed advice about how to respond to a notifiable data breach, or approve a particular proposed course of action. Therefore entities may need to seek their own legal or other specialist advice, where necessary.
What may happen if a notifiable data breach is not reported
The Information Commissioner may apply to a Court for a civil penalty order if a RRO or a RPO fails to report a notifiable data breach it is or may be involved in, as soon as
practicable after becoming aware of the breach. If a RRO or RPO reports a notifiable data breach to just the SO but not the OAIC, or vice versa, this would constitute a failure to report, and a civil penalty may apply.
The civil penalty is up to $11,000 for an individual and up to $55,000 for a body corporate.
This penalty applies only to a failure to report notifiable data breaches and entities cannot be penalised for failing to voluntarily report a data breach that is not a notifiable data breach (see ‘Notifiable data breaches’ and ‘Voluntarily reporting data breaches’
above).
The Information Commissioner has prepared Enforcement Guidelines which outlines the approach that will be taken to the use of enforcement powers under the PCEHR Act and related legislation.
The SO’s requirements for notifiable data breaches
The SO must report all notifiable data breaches it is involved in to the OAIC. The SO should follow the same reporting process and requirements as set out above in the section for RROs and RPOs.
There is no penalty if the SO fails to report a notifiable data breach to the OAIC. However the Information Commissioner may investigate if there is a basis on which to suspect that a notifiable data breach has not been reported.
Notifying consumers about notifiable data breaches
Section 75 of the PCEHR Act requires consumers affected by a notifiable data breach to be notified of the breach. The SO is responsible for making such notifications.
The SO must notify all affected consumers if:
1. the SO has been involved in a breach, or may be involved in a breach (including suspected breaches that are not yet proven) or
2. an RRO or RPO has been, or may be involved in a breach (including suspected breaches that are not yet proven), reports a notifiable data breach to the SO and asks the SO to notify consumers on its behalf.
If a significant number of consumers have been or may be affected, it may be appropriate for the SO to also notify the general public when they inform affected consumers, for example if:
there has been a threat to the security or integrity of the eHealth record system and many people have been affected. The SO may wish to explain the
circumstances of the breach
there may have been a threat to the security or integrity of the eHealth record system, and while no individual data breaches may have occurred, they may in future
the SO believes public awareness of the breach may have a deterrent effect and prevent future breaches by the entity involved (as well as other entities who may learn from the situation).
The SO must notify all affected consumers of all breaches it has or may have been involved in, and of all notifiable breaches reported to it. This includes notifying
consumers who have deactivated their eHealth record. If the consumer has a nominated
or authorised representative, they should also be notified of the breach.
The SO should issue the notification to the consumer as soon as practicable after
becoming aware of the breach, to help the consumer mitigate the effects of the breach.
In some limited cases it may be appropriate to delay issuing a notification, for example:
if law enforcement authorities are involved. The SO should check with those authorities whether notification should be delayed to ensure the investigation is not compromised
if delaying the notification may be appropriate until the system has been repaired and tested or the breach contained in some other way.
What the SO should include in its notification to affected consumers
The information in the notification to affected consumers should assist them to reduce or prevent the harm that could be caused by the breach. The information the SO should include in the notification will depend on the circumstances of the particular notifiable data breach. However, as a guide, it could include:
a description of the breach, outlining the unauthorised collection, use or
disclosure or threat to the security or integrity of the eHealth record system. The SO should make clear what information specifically was or may be compromised.
It should refer to the relevant record(s) or provide the individual with a copy of the record, if they do not already have this
the type of personal information involved
when the breach occurred
what caused the breach
steps that were already in place to prevent the breach
whether the breach was accidental or deliberate
any other entities involved
steps taken to contain the breach, any risk evaluation and actions taken (or proposed) to prevent recurrence. This may include details of what the SO or responsible entity will do to assist the individual what steps the individual can take to avoid or reduce the risk of harm or to further protect themselves
how the breach may impact the individual and what steps the individual can take to avoid or reduce the risk of harm or to further protect themselves. This may include information to assist the individual to protect themselves against identity theft or further interferences with their privacy. For example, the SO could refer them to the OAIC’s website at www.oaic.gov.au, the Australian government’s cybersecurity website at www.staysmartonline.gov.au and the Attorney-General’s Department website at
www.ag.gov.au/www/agd/agd.nsf/page/Crimeprevention_Identitysecurity
contact information of areas or personnel within the SO and/or entity that can
answer questions, provide further information. This area should also provide a
point of contact for addressing specific privacy concerns, such as how an
individual can make a complaint to the responsible entity, and, where they are not satisfied with the response, how they can make a complaint to the SO.
How the SO should notify consumers
The SO should issue the notification in such a way that the consumer can be expected to receive it. The method of notification will depend upon the circumstances including whether the SO is notifying individual consumers or the general public.
In some cases notification should be issued by more than one means, for example a notice via the individual’s eHealth record, and by telephone, email or letter. Notification should be ‘standalone’ and should not be ‘bundled’ with other material unrelated to the breach, which may confuse recipients and lessen its impact.
If the SO is also notifying the general public, it could issue a public notice, such as a press release. If the SO is notifying the general public it should consider whether this method and content would increase the risk of harm, for example by alerting the person who stole a laptop of the value of the information on the laptop if it is not otherwise apparent.
Responding to a notifiable data breach
The PCEHR Act requires entities to take the following steps as soon as practicable, after becoming aware of a breach (in addition to reporting the breach).
7Entities that fail to carry out these steps may be subject to an investigation under the PCEHR Act or Privacy Act. Depending on the circumstances, they may also have their registration under the eHealth system varied, cancelled or suspended by the SO.
The RRO and RPO should undertake steps 1 and 2 either simultaneously or in quick succession and instruct the SO to undertake step 3 (notification) at the same time or as soon as possible. The SO should endeavour to undertake steps 1, 2 and 3 either
simultaneously or in quick succession. The decision on how to respond should be made on a case-by-case basis. In some cases, entities may choose to take additional steps that are specific to the nature of the breach.
Step 1: Contain the breach and undertake a preliminary assessment
Contain the breach
Take whatever steps are possible to immediately contain the breach.
For example, stop the unauthorised practice, recover the records, or shut down the system that was breached. It may also be appropriate to ask the SO to suspend access to the eHealth record system temporarily to help contain the breach.
If it is not practical to shut down the system, or if it would result in loss of evidence, then revoke or change computer
7 See s 75(4).
access privileges or address weaknesses in physical or electronic security.
Assess whether steps can be taken to mitigate the harm a consumer may suffer as a result of a breach.
Undertake a preliminary assessment of the causes
Entities should quickly appoint someone to lead the initial assessment. This person should be suitable experienced and have sufficient authority to conduct the initial investigation, gather any necessary information and make initial
recommendations. If necessary, a more detailed evaluation may subsequently be required.
Determine whether there is a need to assemble a team that could include representatives from appropriate parts of the entity.
Consider the following preliminary questions:
What personal information does the breach involve?
What was the cause of the breach?
What is the extent of the breach?
What harm or humiliation to individuals could be caused by the breach?
Ensure that all relevant parties are notified as soon as practicable
Determine who needs to be made aware of the breach (internally and externally) at this preliminary stage.
The OAIC and SO should be notified as soon as practicable. The affected individuals will also need to be notified by the SO.
Escalate the matter internally as appropriate. Inform the person or group within the entity responsible for privacy compliance or inform relevant internal investigation units.
If the breach appears to involve theft or other criminal activity, it will generally be appropriate to notify the police.
Other matters Where a law enforcement agency is investigating the breach, be careful not to destroy evidence that may help them determine the cause or to take corrective action.
Ensure appropriate records of the suspected breach are
maintained, including the steps taken to rectify the situation
and the decisions made.
Step 2: Evaluate any risks that may be related to or arise from the breach.
(a) Consider the type of personal information involved Considerations Comments and examples
Does the type of personal
information that has been
compromised create a greater risk of harm?
Some information is more likely to cause an individual harm if it is compromised, whether that harm is physical, financial or psychological.
For example, an inappropriate disclosure of a consumer’s health information may pose a greater risk of harm or humiliation to a consumer than, for instance, their name or address in isolation.
A combination of personal information typically creates a greater risk of harm than a single piece of personal information.
Whether the information is permanent or temporary is also important. Permanent information, such as someone’s name, place and date of birth, or medical history cannot be
‘re-issued’.
Who is affected by the breach?
Does the breach affect individual consumers, a large number of consumers, contractors, clients, service providers, or other entities?
Remember that certain people may be particularly at risk of harm. For example, an eHealth record containing mental health reports or showing evidence that the consumer has sought psychiatric treatment may be more sensitive than a record containing only shared health summaries from general practitioners.
(b) Determine the context of the breach Considerations Comments and examples What is the
context of the personal information involved?
What parties have gained
unauthorised access to the affected information?
The sensitivity of personal information also depends on the
context. For example disclosing information to others known
to the individual is more likely to cause humiliation. As
illustrated above, some types of health information are likely
to be more sensitive than others.
How could the personal information be used?
Could the information be used for fraudulent or other harmful purposes, such as to cause significant embarrassment to the affected individual?
Could the compromised information be easily combined either with other compromised information or with publicly available information to create a greater risk of harm to the individual?
(c) Establish the cause and extent of the breach Considerations Comments and examples Is there a risk of
ongoing breaches or further
exposure of the information?
What was the extent of the unauthorised access to or
collection, use or disclosure of personal information, including the number and nature of likely recipients and the risk of further access, use or disclosure, including via mass media or online?
Is the personal information adequately encrypted, deidentified or otherwise not easily accessible?
Is the information rendered unreadable by security measures that protect the stored information? Is the information displayed or stored in such a way that it cannot be used if breached? It is also important to keep encryption techniques up to date as technology and decryption methods evolve.
What was the source of the breach?
For example, did it involve external or internal malicious behaviour, or was it an internal processing error? Does the information seem to have been lost or misplaced?
The risk of harm to the individual may be less where the breach is unintentional or accidental, rather than intentional or malicious.
For example, the consumer may have a common surname which leads a staff member to accidentally access the wrong consumer’s eHealth record. The audit trail shows that the staff member immediately closed the consumer record once they became aware of their mistake. The risk of harm will be less in this case than if a staff member intentionally browses a
consumer’s record, or uses or discloses that information without a legitimate business reason.
What steps have already been taken to mitigate the harm?
Has the breach been contained? For example, have compromised security measures such as passwords been replaced? Has the full extent of the breach been assessed?
Are further steps required?
Is this a systemic problem or an
When checking the source of the breach, it is important to check whether any similar breaches have occurred in the past.
Sometimes, a breach can signal a deeper problem with system
isolated incident? security. This may also reveal that more information has been affected than initially thought, potentially heightening the risk.
How many individuals are affected by the breach?
If the breach is a result of a systemic problem, there may be more people affected than first anticipated.
Even where the breach involves accidental and unintentional misuse of information, if the breach affects many individuals, this may create greater risks that the information will be misused. The entity’s response should be proportionate.
While the number of affected individuals can help gauge the severity of the breach, it is important to remember that even a breach involving the personal information of one or two people can be serious, depending on the information involved.
(d) Assess the risk of harm to the affected individuals Considerations Comments and examples
Who is the recipient of the information?
Is there likely to be any relationship between the unauthorised recipients and the affected individuals?
For example, was the disclosure to an unknown party or to a person with whom the individual has a difficult relationship?
Or was the recipient a trusted, known entity or person that would reasonably be expected to return or destroy the information without disclosing or using it? For example, was the information disclosed to a former authorised
representative of the consumer or to another party bound by professional duties of confidentiality or ethical standards?
What harm to individuals could result from the breach?
Examples include:
identity theft
threat to physical safety
threat to emotional wellbeing
humiliation, damage to reputation or relationships
social bullying or marginalisation.
(e) Assess the risk of other harms
Considerations Comments and examples Other possible
harms, including to the entity that suffered the breach
Examples include:
the loss of public trust in the entity
reputational damage
loss of assets (e.g., stolen computers or storage devices)
regulatory penalties
legal liability
breach of secrecy provisions in applicable legislation.
Step 3: Notify affected consumers and the general public
When to notify Under section 75(4), it is mandatory to notify all affected consumers of a notifiable data breach.
Who should notify consumers?
Only the SO can notify affected consumers about notifiable data breaches.
Where an RRO or RPOs is involved in a breach, it must ask the SO to notify all affected consumers. The SO must comply with the request.
If the SO is involved in a breach, it must notify all affected consumers.
Who should be notified?
The SO must notify all affected consumers about a notifiable data breach.
Also, where a significant number of consumers are affected, the SO must notify the general public.
How to notify and what to include in the notice
See advice in the sections entitled ‘What the SO should include in its notification to affected consumers’ and ‘How the SO should notify consumers’.
Step 4: Take steps to prevent or mitigate risks and prevent further breaches
Good privacy practice is important for more than just ensuring that an entity is compliant with the requirements of the Privacy Act. If an entity mishandles the personal
information of its clients or customers, this can cause a loss of trust and considerable harm to the entity’s reputation. Additionally, if personal information that is essential to an entity’s activities is lost or altered, this can have a serious impact on its capacity to perform its functions or activities.
Entities are required to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure.
8What are reasonable steps will depend on context, including (but not limited to):
the nature of the entity
the nature of the personal information held
the risk of harm to individuals if there is a breach
the potential for harm (in terms of reputational or other damage) to the entity as a result of a breach
8 Agencies must comply with Information Privacy Principle 4 and organisations must comply with National Privacy Principle 4.
data handling practices, including how the entity stores, processes and transmits personal information (for example, paper-based or electronic records, or by using a third party service provider)
the ease with which security measures can be implemented
Entities may also be subject to agency or sector-specific legislative data security requirements. Some entities may also have common law duties relating to the confidentiality of particular information. Entities should have regard to relevant Australian and international standards as a guide.
9Additional resources on information security are widely available. Agencies should be aware of the Australian Government Information Security Manual (ISM), which governs the security of government ICT systems, and Australian Government Protective Security Policy Framework (PSPF), which sets out core security principles for Commonwealth agencies. Information for private-sector entities is available from Australia’s official national computer emergency response team CERT Australia.
Appropriate security safeguards for personal information need to be considered across a range of areas. This could include maintaining physical security, computer and network security, communications security and personnel security.
After assessing the causes of the breach and any associated risks, an entity should
consider whether to review its data breach prevention plan or, if there is no plan in place, develop one.
As an example, the prevention plan may include:
implementing privacy enhancing technologies to secure records of personal information, including access control, passwords, data retention procedures, copy protection, proactive detection of breaches such as intrusion detection, and robust encryption.
conducting regular security audits and testing of physical and technical security.
For example, assess whether and in what circumstances (and by which staff), personal information can be removed from the office, whether in electronic form on DVDs, USB storage devices such as memory sticks, portable computing devices such as laptops, or in paper files.
10 developing robust information-handling policies and conducting regular reviews of those policies. Make any necessary changes to reflect the lessons learned from a breach (for example, security, record retention and collection policies).
depending on the size of the entity, establishing a management team or person responsible for investigating and responding to breaches, establishing policy and procedures, training staff, and coordinating reviews and audits. They should be
9 See for example www.standards.org.au or www.iso.org/iso/home.htm.
10 Entities may wish to review the OAIC’s information sheet on portable storage devices and personal information handling, available at www.privacy.gov.au/materials/types/download/9294/6867.
trained in the eHealth record system notifiable data breach compliance
obligations. The team could include representatives from relevant areas that may be needed to investigate an incident, conduct risk assessments and make
appropriate decisions (for example, privacy, senior management, IT, public affairs, legal). The team could convene periodically to review the prevention plan, discuss new risks and practices, or consider incidents that have occurred in other entities.
creating a data breach response plan for dealing with future breaches. This could set out contact details for the responsible officers and clear lines of command, clarify the roles and responsibilities of staff. The plan could also document processes which will assist the entity to contain breaches, coordinate investigations and breach notifications, and cooperate with external
investigations. The plan may include a requirement for an audit at the end of the process to ensure that the prevention plan has been fully implemented. Ensuring that staff are aware of the plan and understand the importance of reporting breaches is essential if the plan is to be effective.
ensuring staff have been trained in information security and the appropriate handling of personal information. Staff should be trained in how to respond to breaches effectively, and should be aware of the relevant policies and procedures.
Staff should understand how to identify and report a potential breach to the appropriate manager(s). It may also be helpful to conduct ‘scenario’ training with team members to allow them to develop a feel for an actual breach response.
conducting privacy impact assessments to evaluate proposed new projects from the beginning, and assessing the entity’s existing systems or any changes to its systems.
11 reviewing employee selection and training practices.
reviewing service delivery partners and conducting due diligence where services (especially data storage services) are contracted. Monitor compliance with these policies through periodic audits.
12Consider researching and identifying external service providers that could assist in the event of a breach, such as forensics firms, public relations firms, call centre providers and notification delivery services. Their contact details could be included in the breach
response plan. This could save time and assist in responding efficiently and effectively to a breach.
11 The OAIC has published a guide to conducting PIAs, available at
www.oaic.gov.au/publications/guidelines/Privacy_Impact_Assessment_Guide.html.
12 Agencies may wish to review the OAIC’s publications on Government contract management, available at www.privacy.gov.au/government/contractors.
Regulation of notifiable data breach reporting
Enforcement powers
The Office of the Australian Information Commissioner has the role of receiving
mandatory data breach notifications from particular entities and can seek a civil penalty if a notifiable data breach is not reported. The functions and enforcement powers available under the PCEHR Act give the Information Commissioner the ability to:
13 seek a civil penalty from the courts
seek an injunction (order) from the courts to prohibit or require particular conduct
accept voluntary enforceable written undertakings from an entity requiring them to take or refrain from taking specified action(s) to comply with the PCEHR Act.
These may be enforced by the courts
use existing Privacy Act investigative and enforcement mechanisms, including conciliation of complaints, formal determinations and auditing Australian and ACT government entities.
The OAIC conducts investigations either after receiving a complaint from the affected individual(s) or by investigating on its own initiative, at its discretion (own motion investigations). The OAIC may publish the outcomes of its own motion investigations on its website, in consultation with the entity.
The OAIC cannot decide whether there has been a breach of the PCEHR Act until it has conducted an investigation.
Investigations in relation to notifiable data breaches
The OAIC may conduct investigations and take enforcement action in relation to notifiable data breaches in two different situations, including:
a reporting entity’s compliance with its notifiable data breach reporting obligations (described in this guide) and/or
a possible data breach by an entity.
Investigating notifiable data breach reporting obligations
If it appears that an entity may not have complied with its notifiable data breach
reporting obligations, the OAIC may open an own motion investigation. The OAIC may be alerted to this possibility by for example, media coverage; anonymous tip offs; individual complaints where no corresponding notifiable data breach report has been received; or notifiable data breaches reported to the SO but not the OAIC (or vice versa).
13 The Information Commissioner will release Enforcement Guidelines in the near future, which outlines the approach that will be taken to the use of enforcement powers under the PCEHR Act and related legislation.
Investigating possible notifiable data breaches
If the OAIC receives complaints from affected individuals about a possible data breach, it generally will consider opening an investigation, but there are exceptions. These include, for example, where the entity has adequately dealt with the matter; the complaint was made more than 12 months after the complainant became aware of the matter; or the complaint is frivolous, vexatious, misconceived or lacking in substance.
Where the consumer has been unable to resolve the matter with the entity directly, the OAIC may attempt to resolve the matter by conciliation between the parties. Where appropriate, the Commissioner may make determinations requiring certain remedies, for example that the respondent pays the complainant compensation for damages or
provide an apology. Determinations can be enforced by the Federal Court or Federal Magistrates Court.
If the OAIC receives a notifiable data breach but no complaint from the affected individual(s), it will assess whether an own motion investigation into the breach is warranted. The criteria the OAIC may use to open an own motion investigation may include:
the significance of the breach and sensitivity of the personal information involved
whether a large number of people have been, or are likely to be affected, and the consequences for those individuals
the likelihood that the breach is due to systemic issues within the entity
how the entity has responded to the data breach, including whether the entity has followed the response requirements of the PCEHR Act (outlined under ‘How to respond to data breaches’ above)
the systems and processes the entity already had in place before the breach occurred
whether the breach has been adequately dealt with
the progress of the entity’s own investigation into the matter. If the OAIC receives a notifiable data breach report while the entity’s internal investigation is
underway, the OAIC may wait until the internal investigation is complete
whether another body, such as the police, is investigating the breach.
This is not an exhaustive list and the Information Commissioner may take any other
relevant matters into account when deciding whether to exercise the discretion to open
an own motion investigation after receiving a report about a notifiable data breach.
Data breach response process
D A T A B R E A C H O C C U R S Is the breach a notifiable data breach?
N O T I F I A B L E D A T A B R E A C H
The PCEHR Act requires particular entities to report data breaches where:
a person has or may have contravened the PCEHR Act in a manner involving an unauthorised collection, use or disclosure of health information in a consumer’s eHealth record; or
an event occurs which has or may compromise the security or integrity of the personally controlled electronic health (eHealth) record system, and
where the entity is, has or may be directly involved in the contravention or event.
V O L U N T A R Y D A T A B R E A C H N O T I F I C A T I O N
A breach of the Privacy Act, rather than the PCEHR Act has occurred.
A privacy breach has occurred outside the eHealth record system. For example RROs and RPOs may have some systems and databases that do and some that do not interact with the eHealth record system.
Entities should follow the OAIC’s voluntary guide when considering reporting data breaches voluntarily
K E Y S T E P S I N R E S P O N D I N G T O A N O T I F I A B L E D A T A B R E A C H STEP 1 Contain the breach as much as
reasonably practicable and undertake a preliminary assessment of the causes
Take immediate steps to contain breach
Designate person/team to coordinate response
STEP 2 Evaluate the risks associated with the breach
Consider what personal information is involved
Determine whether the context of the information is important
Establish the cause and extent of the breach
Identify the risk of harm
STEP 3 Breach Notification (RROs and RPOs)
Must report notifiable data breaches to both the SO and OAIC (State and Territory entities are only required to report breaches to the SO).
Ask the SO to notify all affected consumers (and the general public where appropriate) of the breach on their behalf. The SO must comply with the request.
STEP 3 Breach Notification (SO)
Must report all notifiable data breaches it is involved in to the OAIC
Must notify all affected consumers (and the general public where appropriate) of the breach
STEP 4 Review the incident and take action to prevent future breaches
Establish a management team and fully investigate the breach
Review or develop a data breach response and prevention plan
Implement privacy enhancing technologies
Regularly review internal policies, procedures and staff training practices
Review service delivery partners and conduct due diligence where services are contracted.
M A I N T A I N I N F O R M A T I O N S E C U R I T Y
Protect information from misuse, loss and unauthorised access, modification or disclosure, entities should consider:
the sensitivity of the personal information
the harm likely to flow from a security breach
developing a compliance and monitoring plan, and
