Identifying whether the data breach notification regime applies to you
The mandatory data breach notification regime applies to the following bodies (s 26WE, the Act):
- APP entities;
- credit reporting bodies;
- credit providers; and
- file number recipients.
The regime will also apply to the above entities where they have disclosed information to an overseas recipient, or a body or person with no Australian link, as if they themselves held the information.
However, notification of a breach is not required under the regime where that breach is required to be notified under the My Health Records Act 2012 (Cth).