Mandatory Data Breach Notification Laws and Australian Health Data Privacy: Fragments and Fault Lines
Data privacy breaches — unauthorised access to, disclosure, or loss of people’s personal information — are commonplace, particularly in the health sector. In Australia, provisions under the Privacy Act 1988 (Cth) and the My Health Records Act 2012 (Cth) require data breach notification to affected people and the regulator. However, this mandatory notification, as it pertains to health information, has two key problems: fragmentation, and lack of fitness for purpose. In this article, I analyse the goals of the Australian legislative developments and the extent to which these are met in relation to health data. I propose legal and procedural reforms to mend the fragments and fault lines so that breach notification can more effectively address healthcare data breaches in Australia.