Reporting privacy breaches or incidents to the HCC

What do information privacy laws do?

In Victoria, information privacy laws operate to protect the privacy of individuals’ information.

The Privacy and Data Protection Act 2014 protects the privacy of an individual’s personal information held by Victorian government organisations and is administered by the Office of the Victorian Information Commissioner (OVIC).

The Health Records Act 2001 (HR Act) protects the privacy of an individual's health information held in the public and private sectors in Victoria and provides a right of access to individuals’ health information. Under the HR Act, the Health Complaints Commissioner can help to resolve complaints about the handling of health information.

Personal information and health information – what’s the difference?

Personal information is information or an opinion that is recorded in any form (including forming part of a database) about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion.

Health information means information or an opinion about:

an individual’s physical, mental or psychological health, including any disability,
a health service an individual has received or will be receiving,

that is also personal information; or

other personal information collected to provide a health service.

What is a privacy breach involving health information?

The HR Act contains 11 Health Privacy Principles (HPPs) that regulate how public and private sector organisations should handle personal health information in Victoria.

A privacy breach (also known as a ‘data breach’) occurs when there is a misuse, unauthorised disclosure or loss of personal health information.

A privacy breach can be accidental and, in some cases, malicious. It will usually involve a failure to comply with one or more of the HPPs.

Some examples are:

Sending an email or letter to an incorrect recipient.
Providing the personal details of an individual such as a mobile phone number to another person without the consent of the individual.
The loss or non-secure storage of personal information, where the incident is either identified by the organisation or by a member of the public who, for example, finds health records in a public place.

What an organisation can do

We encourage organisations to report such privacy breaches to the HCC even though the HR Act does not impose any mandatory breach reporting requirements upon organisations who are regulated by the HR Act.

For private sector organisations in Victoria who experience a privacy breach involving health information, they may have obligations under the Commonwealth Notifiable Data breach scheme. More information is available on the Office of the Australian Information Commissioner website.

OVIC’s Information Security Incident Notification Scheme

The information security incident notification scheme requires Victorian government agencies or bodies to notify OVIC of incidents that compromise the confidentiality, integrity, or availability of public sector information with a ‘limited’ business impact or higher on government operations, organisations, or individuals. This relates to both personal and health information. Further information is available at: ovic.vic.gov.au/data-protection/agency-reporting-obligations/incident-notification

If an organisation is required to make a notification to OVIC under this scheme, the HCC does not expect the organisation to also report the incident to the HCC unless it related to a breach of the HPPs.

How to report a privacy breach to the HCC

You can notify us of a privacy breach by using our enquiry form. You can call us on 1300 582 113 in the first instance if you would like to discuss the matter. The report should be made early on, which might be before you have all the details of what occurred. The HCC considers that notification to the HCC should occur within 14 days of the breach being identified.

Depending on the circumstances, we may need to have ongoing contact in relation to management of the breach and we usually require organisations to send us a report after the matter has concluded for us to review the steps taken.

Notification to the HCC should include:

Name of the organisation
Name of a contact person at the organisation
Type of health information involved
Description of the incident including copies of any relevant documents
Details about mitigation and changes in procedures to address the breach
Details about whether the affected individuals have been notified and a deidentified copy of any letter sent to affected individuals. We normally ask you to include contact details of the HCC in any notification to individuals, so they have the option of contacting us.

Please include the description and details in the "Enquiry Details" part of the form.

Resources for organisations

The Office of the Victorian Information Commissioner has useful information to guide organisations on how to respond to data breaches.

OVIC’s Managing the privacy impacts of a data breach webpage also has information on how an organisation can notify individuals affected by a data breach.