Information Breach Policy

Applicable to: This Policy is applicable to all WA health system entities, as defined in this Policy.

Description: The purpose of the Information Breach Policy is to ensure that misuse of, inappropriate access to, use or disclosure of, and/or loss of information held within WA health system entities are investigated, and that solutions are identified and implemented to mitigate future breaches.

An information breach occurs when information that an entity holds is subject to unauthorised access, use or disclosure, or is lost, damaged or destroyed. An information breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems.

Examples of information breaches include:

  • loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
  • unauthorised access to personal information by an employee
  • inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person
  • disclosure of information to a scammer, as a result of inadequate identity verification procedures.

This Policy applies to all information generated, collected, accessed, used, managed, stored and disclosed by the WA health system entities including, but not limited to, information collected under the Health Services Act 2016, Health (Miscellaneous Provisions) Act 1911, Mental Health Act 2014, Private Hospital and Health Services Act 1927, Public Health Act 2016, Public Sector Management Act 1994 or any other written law.

This Policy is a mandatory requirement under the Information Management Policy Framework pursuant to section 26(2)(k) of the Health Services Act 2016.

This Policy is a mandatory requirement for the Department of Health pursuant to section 29 of the Public Sector Management Act 1994.

Date of effect: 06 May 2020
