New data breach rules come into effect

March 15, 2018

From 22 February 2018, changes to the Privacy Act 2017 (Notifiable Data Breaches) mean health and care operators need to alter the way they manage data breach situations.


The new legislation is aimed at strengthening the protection of personal information and ensuring that serious data breaches are managed appropriately, an important element of today's patient privacy regime.

Health and care organisations should develop a Data Breach Response Plan which will guide them on how to respond to any potential data breaches and meet their compliance obligations.

While they do their best to protect client and employee files and personal information, incidents of accidental and deliberate data breaches do occur.

Examples of data breaches might include:

  • Loss of laptops, USBs or mobile phones with client data or files on them
  • The accidental emailing of client or employee information to the wrong person
  • Cybersecurity breaches, including hacking of systems, ransomware and malware attacks
  • Release of unauthorised client or employee information to a third party or access to this information by an unauthorised person
  • Disclosing tax file numbers, photographic ID or other personal information where this has not been approved
  • Stolen credit cards

What to do if you become aware of a data breach

If personal information relating to any person (client or employee) has or might have been obtained by someone ‘outside the organisation’ who was not authorised to receive that information, then there is an obligation to report this immediately to an appointed Privacy Officer.

Under a Data Breach Response Plan, the Privacy Officer will assess the breach and determine whether remedial action can be taken or whether affected parties need to be notified and the matter reported to the Commissioner.

It is important that all employees refer data breach situations to the Privacy Officer for assessment, even if a data breach may seem harmless or trivial. Failure to comply with the legislation risks substantial financial penalties for both individuals and organisations: up to $1.7m for companies and $340,000 for individuals.

Organisations within the health and care sector are prime receptacles for confidential and sensitive personal information regarding their patients. These legislative changes are therefore particularly relevant and need to be fully understood, along with the potential impact and ramifications of failure to comply. Forward planning for a cyberattack or breach is paramount to being prepared to deal with this type of incident when it occurs. Pitcher Partners would be happy to assist in this preparation.
