

Reporting a cybersecurity incident


If your practice suspects a data breach may have occurred as a result of a cybersecurity incident, the Notifiable Data Breaches (NDB) scheme requires you to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about any eligible data breach.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 establishes a Notifiable Data Breaches (NDB) scheme.

The NDB scheme sets mandatory notification and control requirements for data breaches involving personal information held by an organisation. It outlines criteria for determining if a data breach is considered ‘eligible’ (notifiable) and the subsequent reporting requirements.

Organisations covered by the Australian Privacy Act 1988 are subject to the requirements of the NDB scheme. This includes health service providers that hold health information.

An eligible data breach occurs when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
  • this is likely to result in serious harm to one or more individuals, and
  • the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.

If your practice has reasonable grounds to believe an eligible data breach has occurred, the NDB scheme requires you to promptly notify any individual at risk of serious harm and report the breach to the OAIC.

Detailed information on the NDB scheme, including what constitutes an eligible data breach, the reporting requirements and what rectification measures may need to be undertaken, can be found on the OAIC website.

Data breaches can occur:

  • through unauthorised access to your databases
  • through intentional and inappropriate disclosure of information by practice team members
  • when personal information is incorrectly disclosed
  • when sending a patient’s personal details and/or health information to the wrong recipient
  • if a practice team member is deceived into improperly releasing the personal information of another person
  • through loss or theft of laptops, mobile devices, or removable storage devices
  • when discarded hard drives or digital storage media still contain your practice information
  • through lost or stolen paper records.

Source of breaches

According to the Australian Government Office of the Australian Information Commissioner (OAIC) (2024), malicious or criminal attacks were the largest source of data breaches notified to the OAIC, accounting for 69% of breaches. Human error remained a major source of breaches, accounting for 29% of breaches.

This indicates that staff training is critical in minimising your practice's risk of data breaches as part of a robust information security culture.

Top causes of human error breaches included:

  • personal information emailed to the wrong recipient (42%)
  • unintended release or publication (23%)
  • failure to use BCC when sending email (8%).

Managing notifiable data breaches in general practice

Step 1 - Maintain information governance and security
To reduce the risk of data breaches, make sure your privacy and data security practices, procedures and systems are up to date and reviewed regularly.

Step 2 - Identify suspected or actual data breach
A data breach involving personal information or compromising the security or integrity of the My Health Record system has occurred or is suspected.

Step 3 - Contain the suspected or actual data breach
Take immediate steps to contain the suspected or actual data breach.

Step 4 - Evaluate the risks
Assign the incident to a data breach response team or person who promptly:

  • investigates the incident
  • evaluates the risks arising from the incident.

Step 5 - Is the suspected or actual data breach related to the My Health Record system?
Consider whether the breach or suspected breach is a data breach under the My Health Records Act 2012.
Data breaches under the My Health Records Act 2012 arise from:

  • unauthorised collection, use or disclosure of health information in an individual’s My Health Record or
  • events or circumstances that may compromise the security or integrity of the My Health Records system.

If Yes, go to Step 6
If No, go to Step 7

Step 6 - Notify the data breach to the Office of the Australian Information Commissioner (OAIC) and the My Health Record system operator (Australian Digital Health Agency)
Notify the OAIC and Australian Digital Health Agency as soon as practicable after becoming aware of the data breach. In some circumstances, you must also ask the system operator to notify affected healthcare recipients about the breach.
Go to Step 11

Step 7 - Does the suspected or actual data breach fall within the Notifiable Data Breaches scheme under the Privacy Act 1988?
Has personal information been (or is it suspected to have been) accessed by or disclosed to unauthorised parties, or lost?
Is the data breach likely to cause serious harm to individuals?

If Yes, go to Step 8
If No, go to Step 11

Step 8 - Is there remedial action that can be taken to reduce the likelihood of serious harm?

If Yes, go to Step 9
If No, go to Step 10

Step 9 - Despite the remedial action taken, is serious harm still likely?

If Yes, go to Step 10
If No, go to Step 11

Step 10 - As soon as practicable, notify the data breach to the OAIC and inform all individual/s at risk of serious harm.

Step 11 - Review the incident

Review and evaluate the incident and take action to prevent or mitigate the effects of future data breaches.

References

  1. Australian Government Office of the Australian Information Commissioner. (2025). Notifiable Data Breaches Report.

Australian organisations that have been, or may be, impacted by a cyber security incident are encouraged to reach out to the Australian Signals Directorate (ASD). ASD's Australian Cyber Security Centre (ACSC) is the Australian Government's technical authority on cyber security. It offers technical incident response advice and assistance 24 hours a day, 7 days a week.

The ACSC website has a number of resources to guide you through reporting a cybercrime, incident or vulnerability, as well as recovery advice. It can be accessed at https://www.cyber.gov.au/report-and-recover.

You can report a cybercrime to police through the ACSC’s ReportCyber portal.

If you need immediate support, the Australian Signals Directorate's Australian Cyber Security Centre has a 24/7 hotline: 1300 CYBER1 (1300 292 371).

The ACSC advises you to keep calm and read its Cybercrime – getting help guide. It steps you through what you can do right now to stop the attack and limit the damage.
