Survey Answer:

The State and Territory health record laws require organizations subject to those laws to take reasonable steps to protect health information they hold from misuse and loss and from unauthorized access, modification or disclosure. There are no prescribed information security standards under the State or Territory health record laws, and what constitutes “reasonable steps” must be determined on a case-by-case basis.
There are no data breach obligations that apply specifically in relation to health information or health service providers under the State and Territory health record laws. However, private sector health service providers may still be captured by the general data breach notification requirements under the Privacy Act (summarized above in the response to question 2.1).
As noted above, the Prudential Standards in Australia that apply to banks, general insurers, and superannuation funds are not specific to IT security and do not contain any specific obligations in relation to IT security. The Prudential Standards impose general risk management obligations on regulated organizations, which may encompass IT security matters. For example, under CPS and SPS 220, a regulated institution must maintain a risk management framework for the institution that enables it to appropriately develop and implement strategies, policies, procedures and controls to manage different types of material risks, and provides the Board with a comprehensive institution-wide view of material risks. For the purpose of this Standard, relevant “material risks” could include IT security risks.

Provided By:
Phil Catania: Corrs Chambers Westgarth