Data breach of Consumer Data Right information

All data breaches of Consumer Data Right information fall under the Notifiable Data Breaches scheme, which requires that you notify affected CDR consumers and the Office of the Australian Information Commissioner of eligible data breaches. A breach is eligible if it is likely to result in serious harm to a CDR consumer whose CDR data is involved.

Where a cyber incident leads to a breach of Consumer Data Right information, you must also report to the Australian Signals Directorate’s Australian Cyber Security Centre as soon as practicable once aware of the security incident.

Consumer Data Right information security incident

All data breaches of Consumer Data Right information fall under the Notifiable Data Breaches scheme, which requires that you notify affected CDR consumers and the Office of the Australian Information Commissioner of eligible data breaches. A breach is eligible if it is likely to result in serious harm to a CDR consumer whose CDR data is involved.

Where a cyber incident leads to a breach of Consumer Data Right information, you must also report to the Australian Signals Directorate’s Australian Cyber Security Centre as soon as practicable once aware of the security incident.

Data breach of personal information

Under the Notifiable Data Breaches scheme, you must notify affected individuals and the Office of the Australian Information Commissioner of eligible data breaches. A breach is eligible if it is likely to result in serious harm to an individual whose personal information is involved.

You must conduct a reasonable and expeditious assessment of a suspected eligible data breach, taking all reasonable steps to ensure that the assessment is completed within 30 days.

Cyber incident affecting therapeutic products

If you are the sponsor of the medical device, you must notify the Therapeutic Goods Administration after becoming aware of a medical device that appears to be impacted or to have been impacted by a cyber security issue and could directly impact health and safety.

If you are a user, you may choose to report as soon as you become aware of a medical device that appears to be impacted or to have been impacted by a cyber security issue and could directly impact health and safety.

Cyber incident affecting the handling of Security Sensitive Biological Agents

You must report to the interim Australian Centre for Disease Control, in the Department of Health and Aged Care, reportable events that relate to unauthorised access, loss, theft, accidental release, or a person becoming affected by a Security Sensitive Biological Agent. If a cyber incident enabled any such reportable event, you must include those details in the incident report.

In addition, some incidents must be reported to law enforcement.

Data breach of My Health Record (for State and Territory entities)

An entity must notify the Australian Digital Health Agency where it becomes aware of:

a) the unauthorised collection, use or disclosure of health information in an individual's My Health Record in contravention of the My Health Records Act 2012; OR

b) an event or any circumstances that has, or may have, occurred or arisen that compromises, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system (whether or not involving a contravention of the My Health Records Act 2012).

Data breach of My Health Record

An entity must notify the OAIC and System Operator (ADHA) where it becomes aware of:

a) the unauthorised collection, use or disclosure of health information in an individual's My Health Record in contravention of the My Health Records Act 2012; OR

b) an event or any circumstances that has, or may have, occurred or arisen that compromises, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system (whether or not involving a contravention of the My Health Records Act 2012).
