Articles and Case Studies

Privacy Breaches – New Obligations

15 Nov 2017

privacy breach

From 22 February 2018, if a breach of personal information (data) occurs in your practice, you must notify the individuals involved and the Office of the Australian Information Commissioner (OAIC). This is known as the Notifiable Data Breaches scheme.

Here is a quick guide based on the resources published by the OAIC.

Making notifications

You must notify the individuals involved and the OAIC if:

  • personal information is:
    • lost (e.g. a laptop containing medical records is stolen)
    • accessed by an unauthorised person (e.g. hackers take control of your medical records)
    • disclosed to an unauthorised person (e.g. a fax containing medical information is sent to the wrong person); and 
  • this is likely to result in serious harm to someone; and
  • you can’t take steps to prevent the risk of serious harm.

Addressing the likelihood of serious harm may mean the breach is no longer “eligible” for reporting to the OAIC.

In order to assess whether serious harm is likely, consider the following:

  • Whose personal information? Certain people, such as young persons and vulnerable individuals, may be at more risk. 
  • How many individuals were involved? 
  • Is the personal information encrypted, anonymised, or otherwise not easily accessible?
  • What parties have gained, or may gain access to, the personal information? 

Notifying the OAIC

If such a breach occurs, you must promptly prepare a statement for the Australian Information Commissioner (the Commissioner). The OAIC’s website includes an online form to lodge notification statements and provide additional supporting information.

Your statement must include:

  • your organisation’s identity and contact details 
  • a description of the data breach
  • a description of the personal information involved
  • recommendations to individuals about the steps they should take to minimise the impact of the breach.

Notifying individuals

After notifying the Commissioner, depending on what is practicable, you must notify individuals in one of three ways:

  • Notify all individuals whose personal information was part of the data breach. 
  • Notify only those individuals at risk of serious harm. 
  • If neither option 1 or 2 above is practicable, you must publish a notification on your website (if you have one) and take reasonable steps to publicise the contents of the statement. 

When notifying individuals, you can use any method (e.g. a telephone call, SMS, physical mail, social media post, or in-person conversation), as long as the method is reasonable. You must provide the same information as provided in the statement to the Commissioner.

Online notifications

When publishing an online notification:

  • ensure the webpage on which it is placed can be located and indexed by search engines
  • publish an announcement on your social media channels
  • take out a print or online advertisement in a publication or on a website reasonably likely to reach individuals at risk of serious harm.

See also the article Privacy Know-How for an overview of the privacy law and some common issues we have identified from our interaction with MDA National Members.

Medico-legal Advisory Services
MDA National


  1. Office of the Australian Information Commissioner. Notifiable Data Breaches. Available at:

Practice Management, Regulation and Legislation, Anaesthesia, Dermatology, Emergency Medicine, General Practice, Intensive Care Medicine, Obstetrics and Gynaecology, Ophthalmology, Pathology, Practice Manager Or Owner, Psychiatry, Radiology, Sports Medicine, Surgery, Physician, Geriatric Medicine, Cardiology, Plastic And Reconstructive Surgery, Radiation Oncology, Paediatrics, Independent Medical Assessor - IME


Doctors Let's Talk: Get Yourself A Fricking GP

Get yourself a fricking GP stat! is a conversation with Dr Lam, 2019 RACGP National General Practitioner of the Year, rural GP and GP Anesthetics trainee, that explores the importance of finding your own GP as a Junior Doctor.


25 Oct 2022

Systematic efforts to reduce harms due to prescribed opioids – webinar recording

Efforts are underway across the healthcare system to reduce harms caused by pharmaceutical opioids. This 43-min recording of a live webinar, delivered 11 March 2021, is an opportunity for prescribers to check, and potentially improve, their contribution to these endeavours. Hear from an expert panel about recent opioid reforms by the Therapeutic Goods Administration and changes to the Pharmaceutical Benefits Scheme. 

Diplomacy in a hierarchy: tips for approaching a difficult conversation

Have you found yourself wondering how to broach a tough topic of conversation? It can be challenging to effectively navigate a disagreement with a co-worker, especially if they're 'above' you; however, it's vital for positive team dynamics and safe patient care. In this recording of a live webinar you'll have the opportunity to learn from colleagues' experiences around difficult discussions and hear from a diverse panel moderated by Dr Kiely Kim (medico-legal adviser and general practitioner). Recorded live on 2 September 2020.