Data Breach Policy

1. Purpose

This policy outlines the procedures for identifying, reporting, and managing data breaches at The DOCTORS Hope Island to ensure compliance with applicable legislation and to protect the privacy of our patients and staff.

2. Scope

This policy applies to all employees, contractors, and third-party service providers of The DOCTORS Hope Island who handle personal and sensitive information.

3. Definitions

- Data Breach: An incident where personal information is lost or subjected to unauthorized access, modification, disclosure, or other misuse.
- Eligible Data Breach: A data breach in which a reasonable person would conclude that the unauthorized access, disclosure, or loss is likely to result in serious harm to any of the individuals to whom the information relates, and which the practice has not been able to prevent through remedial action.

4. Legal and Regulatory Framework

The DOCTORS Hope Island is committed to complying with the following legislation and guidelines:

- Information Privacy Act 2009 (Qld): Governs the handling of personal information by Queensland public sector agencies.
- Notifiable Data Breaches (NDB) Scheme under the Privacy Act 1988 (Cth): Requires entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about data breaches that are likely to result in serious harm. Where a breach is only suspected, the entity must assess within 30 days whether it is an eligible data breach.
- My Health Records Act 2012 (Cth): Establishes the framework for the My Health Record system, including data breach notification requirements.
- Mandatory Data Breach Notification (MDBN) Scheme (effective from July 1, 2025): Requires Queensland government agencies to notify affected individuals and the Office of the Information Commissioner (OIC) about eligible data breaches.

5. Data Breach Response Plan

In the event of a suspected or confirmed data breach, The DOCTORS Hope Island will implement the following steps:

5.1 Contain the Breach

- Immediately take action to contain the breach and prevent further unauthorized access or disclosure, for example by revoking compromised credentials, isolating affected systems, or recovering misdirected records.

5.2 Assess the Risks

- Evaluate the nature and scope of the breach, including the type of information involved, who may have accessed it, and the potential impact on affected individuals, to determine whether it is an eligible data breach.

5.3 Notify

- Internal Notification: Report the breach to the Practice Manager and the designated Privacy Officer.
- External Notification: If the breach is assessed as an eligible data breach:
  - Regulatory Authorities: Notify the OAIC and, if applicable, the OIC, as soon as practicable and in accordance with legislative requirements.
  - Affected Individuals: Notify individuals whose personal information is involved, outlining the nature of the breach, the information compromised, and recommended steps they should take.

5.4 Review and Prevent

- Investigate the cause of the breach and implement measures to prevent future occurrences, such as staff training and policy revisions.

6. Data Breach Register

The DOCTORS Hope Island will maintain a Data Breach Register to document all data breaches, including details of the incident, the assessment made, actions taken, and outcomes.

7. Training and Awareness

All staff will receive regular training on data breach identification, reporting procedures, and their responsibilities under this policy.

8. Policy Review

This policy will be reviewed annually or following a significant data breach to ensure its effectiveness and compliance with current legislation.

9. Contact Information

For questions regarding this policy, please contact:

- Privacy Officer: Chief Operations Officer
- Email: admin@embracemedical.au
- Phone: (07) 5613 2022