In Australia, legislation mandating notification of data breaches to those affected came into force early in 2018. A separate breach reporting scheme has been enacted for Australia's integrated electronic health record, ‘My Health Record’.
Data breach notification laws originated in the US, form part of the General Data Protection Regulation in the EU and are proposed for New Zealand (Privacy Bill 2018). Mandatory breach notification is commonly justified on the basis that it enables individuals affected by the loss or theft of personal information to take steps to minimise their risk of harm. These laws are also purported to improve the security practices of organisations holding personal data, the reasoning being that organisations will be motivated by a newfound fear of adverse publicity should a breach occur. However, their application in the health context is problematic. It is not obvious how someone whose personal health data has been breached might, once notified, take steps to reduce their consequent harm: unlike a compromised password or payment card, a disclosed medical history cannot be changed or cancelled. Nor is it clear that the health sector is adopting enhanced security practices in response to the new laws.
In this paper I will provide an overview of what Mark Burdon described as the ‘conceptual incoherence’ of data breach notification laws, examining their application in the healthcare context. I will analyse the drivers for the introduction of these laws, and the complexity of their operation across a federated, public/private health system overlaid by the ‘My Health Record’ in Australia. I will draw conclusions about the laws' fitness for purpose in the digital health context.