Peter Leonard of Gilbert & Tobin writes:
On 13 December 2013, the Australian Privacy Commissioner (the Commissioner) opened an own motion investigation into Pound Road Medical Centre (PRMC). This was in response to media reports that there were boxes of unsecured medical records at 16 Amberley Park Drive, Narre Warren South (the site), which PRMC then confirmed. The Commissioner’s investigation focused on whether PRMC took reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure. After considering the facts of the case, submissions from PRMC and the relevant provisions of the Privacy Act 1988 (Cth), the Commissioner came to the view that PRMC had breached the Privacy Act. The breaches were by failing to take reasonable steps to ensure the security of the personal information it held and also failing to take reasonable steps to destroy or permanently de-identify the personal information it held. However, as PRMC is acting appropriately in response to notification of the data breach, no penalties were imposed.
Read more on Lexology.