Identifying whether the data breach notification regime applies to you

The mandatory data breach notification regime applies to the following bodies (s 26WE, the Act):

  • APP entities;
  • credit reporting bodies;
  • credit providers; and
  • file number recipients.

The regime will also apply to the above entities where they have disclosed information to an overseas recipient, or a body or person with no Australian link, as if they themselves held the information.

However, notification of a breach is not required under the regime where that breach is required to be notified under the My Health Records Act 2012 (Cth).