UK: Mandatory Breach Reporting For Health Records – What You Need To Know

Last Updated: 13 September 2016
Article by Dean Carrigan and John Gallagher

Mandatory data breach reporting is the buzzword in privacy and cyber risk circles. Many Australian governments (including the incumbent) have sought to introduce legislation requiring all Australian businesses to report data breaches that compromise personal information collected or held by those businesses. But no government has yet succeeded. Except, that is, for certain health service providers, who should take note: if you're handling certain types of health records, you may already be required to report such breaches.

What is 'mandatory reporting' – and is it relevant for my business?

The Privacy Act applies to Australian individuals and businesses with a turnover of over AUD 3 million, and to those providing a health service and holding health information, irrespective of turnover. Currently, the Privacy Act does not require that your customers or the Office of the Australian Information Commissioner (OAIC) be notified of a data breach that compromises their personal information. That is likely to change in time, and draft legislation could (if implemented) extend such mandatory reporting obligations to all businesses subject to the Privacy Act. In the meantime, the OAIC encourages notification as part of a data breach response plan where the disclosing party thinks there may be a real risk of serious harm to the individual as a result of the breach.

I run a health services business – how does this affect me?

In addition to the requirements of the Privacy Act, healthcare providers accessing, processing and storing 'My Health Records' are subject to a mandatory data breach reporting regime. This regime has been in place since the inception of the My Health Record scheme in 2012 and requires, in certain circumstances, notification to the My Health Record System Operator (i.e. the Secretary of the Department of Health) and the OAIC of data breaches affecting an individual's My Health Record.

What is My Health Record?

Essentially, it is the future of digital health in Australia.

My Health Record is described by Government as "a secure online summary of your health information". It is an opt-in scheme, operating from an online platform, which stores in one place important health information relating to individuals. Healthcare providers including doctors, specialists and hospital staff can access these details online from anywhere, at any time, for the purpose of providing healthcare and in accordance with access controls set by the individual patient or default access controls, as the case may be.

Considering the sensitive nature of an individual's health information that is being stored in the individual's My Health Record, the provisions relating to mandatory breach reporting have been seen as an important element of the system and a safeguard for those providing their details for storage in the system.

However, the slow uptake of the system by Australian health providers and practitioners means that industry awareness of the mandatory reporting requirements attaching to the My Health Record platform is unlikely to be widespread.

Why is this now more important than ever?

A digital health records system has been on the radar for many years.

In June 2016, the My Health Record "opt-out" trials commenced in the Nepean region of Western Sydney and in North Queensland, where 1 million individuals have been provided with a My Health Record. Trials are due to close in October 2016 and reports indicate that there has been a very low opt-out rate.

In July 2016, the National E-Health Transition Authority became the Australian Digital Health Agency, which is expected to become the system operator for the My Health Record system. In August 2016, the Government appointed as the agency's CEO the former National Director for Patients and Information in the UK National Health Service (NHS), who was responsible for the digital transformation of the NHS. The Government has also launched a public consultation on the development of a framework for secondary use of My Health Record data, which opened in late August / early September 2016 and will close in November 2016.

It seems to us that this shift of focus and the move towards widespread implementation of the My Health Record system is indicative of the Government's continued support for the expansion and development of digital health in Australia. While important building blocks in the digital health system (such as universal use of secure messaging and standardised system interoperability) may be several years away, we believe that mandatory adoption and use, in the short to medium term, of the My Health Record system across health service providers in Australia is inevitable.

What are the challenges for healthcare providers operating (or soon to be operating) in the My Health Record platform?

The transition to digital health poses a wide range of challenges for healthcare providers, including:

  • ensuring that the onboarding of personal and sensitive information into the platform is done in compliance with all legal and regulatory requirements;
  • achieving ongoing technical and systems security integrity and compliance;
  • ensuring staff are properly trained in and aware of the risks associated with operating on an online platform;
  • implementing robust information handling policies and procedures and breach response plans; and
  • managing and tackling the increasing risk of malicious cyber incidents, such as malware and ransomware attacks, against healthcare providers (for example the recent virus attack on Royal Melbourne Hospital).

A comprehensive awareness of the obligations that arise under privacy and digital health legislation in Australia will be required for those operating in the health services industry, so as to avoid the potentially disastrous effects of improper use of health information and poorly managed responses to breaches.

What happens if I breach the My Health Record system requirements relating to reporting breaches?

Where a participating healthcare provider suspects, becomes aware of, or knows that a data breach has or may have occurred, it must notify the OAIC or the System Operator. What constitutes a 'data breach' is all-encompassing: any unauthorised collection, use or disclosure of health information included in an individual's My Health Record involving the entity, or an event or circumstances involving the entity that compromises, may compromise, has compromised or may have compromised the security or integrity of the My Health Record system. A penalty of up to AUD 90,000 applies for failing to report such an incident.

As well as giving notice of the data breach, there are other prescribed procedures a healthcare provider must undertake following an actual or suspected breach, including:

  • taking steps to contain and evaluate the breach;
  • if there is a reasonable likelihood that a breach has occurred with serious impacts for at least one healthcare recipient (i.e. one patient), the healthcare provider must ask the System Operator to notify all healthcare recipients that would be affected;
  • if the healthcare provider knows that a data breach has occurred, it must ask the System Operator to notify all healthcare recipients that would be affected; and
  • if a 'significant' number of healthcare recipients are affected, the healthcare provider must notify the general public.

Although there are no fines for failing to follow these additional prescribed procedures after a suspected or actual breach, there may be other more significant consequences such as cancellation of registration of operating licences, which would have reputational and commercial impacts for healthcare providers.

The OAIC also has investigative powers and can, as a result of a complaint, initiate an investigation. This could result in the healthcare provider being subject to injunctions, enforceable undertakings, court orders and civil penalties for breaches involving an individual's My Health Record.

What can healthcare providers do?

Digital health is coming and healthcare providers should start preparing now. All healthcare providers, in particular those operating in the My Health Record system, should consider the following:

  • Review how your organisation manages its data: Know the kinds of data your organisation handles, and the value of the data. Know where it is stored, who has access to it and how it is secured.
  • Know your obligations in operating within the My Health Record system: What obligations are imposed under the Privacy Act and under the My Health Record system on you as a business handling such sensitive information?
  • Identify and understand relevant risk frameworks suited to your business: Consider different risk frameworks that may apply to your business. Decide on a framework, implement it and use it to evaluate your cybersecurity. Test the framework regularly and consider how it can be improved.
  • Be prepared: Have a breach response plan in place. Consider the different types of breaches your business could suffer. Your plan should set out roles within your breach response team, and identify third parties or experts (IT security, legal, public relations) that will assist you in a critical situation.
  • Consider insurance options available to your organisation: The terms of professional indemnity, public liability or other specialist classes of policy may not provide coverage for cyber related losses. Health practitioners and healthcare providers are advised to consult with their brokers or insurers to consider whether there are other products such as cyber policies that may provide the necessary cover.

Clyde & Co advises on the key legal, regulatory and commercial issues that face the healthcare sector around the globe. Our multidisciplinary global healthcare group draws upon expertise across the firm and comprises lawyers who specialise in litigation, projects and construction, real estate, corporate, insurance, intellectual property, commercial, IT, regulatory and employment.

We also advise clients on a broad range of privacy related matters, including assisting businesses to address their legal and regulatory obligations and to prepare for and respond to data breaches. We offer fixed price privacy packages to provide certainty and to help you effectively manage your legal costs.
