(1) This section applies to an entity if:
(a) the entity is, or has at any time been, the System Operator, a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider; and
(b) the entity becomes aware that:
(i) a person has, or may have, contravened this Act in a manner involving an unauthorised collection, use or disclosure of health information included in a healthcare recipient's My Health Record; or
(ii) an event has, or may have, occurred (whether or not involving a contravention of this Act) that compromises, may compromise, has compromised or may have compromised, the security or integrity of the My Health Record system; or
(iii) circumstances have, or may have, arisen (whether or not involving a contravention of this Act) that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system; and
(c) the contravention, event or circumstances directly involved, may have involved or may involve the entity.
Note: This section applies to an entity when the entity becomes aware of a matter referred to in paragraph (b) regardless of when that matter arose or occurred or if the matter is ongoing at the time the entity became aware of the matter.
Notifying the System Operator or Information Commissioner
(2) If:
(a) the entity is a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider; and
(b) the entity becomes aware that:
(i) the contravention or event referred to in subsection (1) has or may have occurred; or
(ii) the circumstances referred to in subsection (1) have or may have arisen;
then, as soon as practicable after becoming aware, the entity must notify:
(c) in the case of an entity that is a State or Territory authority or an instrumentality of a State or Territory--the System Operator; or
(d) otherwise--both the System Operator and the Information Commissioner.
Civil penalty: 1,500 penalty units.
(3) If:
(a) the entity is the System Operator; and
(b) the entity becomes aware that:
(i) the contravention or event referred to in subsection (1) has or may have occurred; or
(ii) the circumstances referred to in subsection (1) have or may have arisen;
then, as soon as practicable after becoming aware, the entity must notify the Information Commissioner.
(4) If an entity has given notice under subsection (2) or (3) on becoming aware that the contravention, event or circumstances may have occurred or arisen then, despite subsection (2) or (3), the entity need not give notice again on becoming aware that the contravention, event or circumstances has occurred or arisen.
Steps to be taken if contravention, event or circumstances may have occurred or arisen
(5) The entity must, as soon as practicable after becoming aware that the contravention, event or circumstances may have occurred or arisen, do the following things:
(a) so far as is reasonably practicable contain the potential contravention, event or circumstances;
(b) evaluate any risks that, if the contravention, event or circumstances has occurred or arisen, may be related to or arise out of the contravention, event or circumstances;
(c) if there is a reasonable likelihood that the contravention, event or circumstance has occurred or arisen and the effects of the contravention, event or circumstances might be serious for at least one healthcare recipient:
(i) if the entity is not the System Operator--ask the System Operator to notify all healthcare recipients that would be affected; or
(ii) if the entity is the System Operator--notify all healthcare recipients that would be affected.
Note: A contravention of this subsection is not a civil penalty provision. However, contraventions of this Act may have other consequences (for example, cancellation of registration).
Steps to be taken if contravention or event has occurred or the circumstances have arisen
(6) The entity must, as soon as practicable after becoming aware that the contravention or event has occurred or the circumstances have arisen, do the following things:
(a) so far as is reasonably practicable, contain the contravention, event or circumstances and undertake a preliminary assessment of the causes;
(b) evaluate any risks that may be related to or arise out of the contravention, event or circumstances;
(c) if the entity is the System Operator:
(i) notify all affected healthcare recipients; and
(ii) if a significant number of healthcare recipients are affected, notify the general public;
(d) if the entity is not the System Operator--ask the System Operator:
(i) to notify all affected healthcare recipients; and
(ii) if a significant number of healthcare recipients are affected, to notify the general public;
(e) take steps to prevent or mitigate the effects of further contraventions, events or circumstances described in paragraph (1)(b).
Note: A contravention of this subsection is not a civil penalty provision. However, contraventions of this Act may have other consequences (for example, cancellation of registration).
(7) If an entity has given notice, or requested that the System Operator give notice, under paragraph (5)(c) then, despite paragraphs (6)(c) and (d), the entity need not give notice or request the System Operator to give notice under paragraphs (6)(c) and (d).
(8) The System Operator must comply with a request under paragraph (5)(c) or (6)(d).