Mandatory Data Breach Notification has Commenced! Do you have a Data Breach Response Plan?

Mandatory data breach notification under the Privacy Act 1988 (Cth) applies to the Commonwealth public sector and the private sector, including organisations which hold health information and provide a health service (which is broadly defined). The mandatory breach notification requirements commenced on 22 February 2018.

By now you should have developed a data breach response plan and provided relevant training to your Board, management and staff.

In February 2018 the Office of the Australian Information Commissioner published a Guide to Managing Data Breaches in accordance with the Privacy Act 1988 (Cth), a copy of which is available at: https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response

The Guide provides some useful information, including how to prepare a data breach response plan and four key steps to respond to data breaches, namely:

  • Step 1: Contain the data breach to prevent any further compromise of personal information.
  • Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
  • Step 3: Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the Notifiable Data Breaches scheme, it may be mandatory for the entity to notify.
  • Step 4: Review the incident and consider what actions can be taken to prevent future breaches.

For further information, please refer to our previous article in our May 2017 Health Law Bulletin at: http://www.holmanwebb.com.au/blog/mandatory-data-breach-notification-to-commence-privacy-amendment-notifiable-data-breaches-act-2017-cth

 

 

