<p>Data privacy breaches — unauthorised access to, disclosure, or loss of people’s personal information — are commonplace, particularly in the health sector. In Australia, provisions under the <em>Privacy Act 1988</em> (Cth) and the <em>My Health Records Act 2012</em> (Cth) require data breach notification to affected people and the regulator. However, this mandatory notification, as it pertains to health information, has two key problems: fragmentation, and lack of fitness for purpose. In this article, I analyse the goals of the Australian legislative developments and the extent to which these are met in relation to health data. I propose legal and procedural reforms to mend the fragments and fault lines so that breach notification can more effectively address healthcare data breaches in Australia. </p>
Publication Date: 2021
Volume: 47
Issue: 2
Type: Journal Article
Pages: 21–47
AGLC Citation: Megan Prictor, 'Mandatory Data Breach Notification Laws and Australian Health Data Privacy: Fragments and Fault Lines' (2021) 47(2) Monash University Law Review 21