Identifying whether the data breach notification regime applies to you
The mandatory data breach notification regime applies to the following bodies (s 26WE, the Act):
- APP entities;
- credit reporting bodies;
- credit provider; and
- file number recipients.
The regime will also apply to the above entities where they have disclosed information to an overseas recipient, or a body or person with no Australian link, as if they themselves held the information.
However, notification of a breach is not required under regime where that breach is required to be notified under the My Health Records Act 2012 (Cth).
See Identifying whether the data breach notification regime applies to you.