Why this matters for your practice
Serious harm is the single judgement call that decides whether a data breach is notifiable. Not every breach has to be reported. A breach only becomes a notifiable data breach when it is likely to result in serious harm and you cannot prevent that harm through remedial action. Get the assessment wrong in one direction and you over-report; get it wrong in the other and you have failed to notify, which is what the OAIC actually penalises.
For a healthcare practice the test usually leans toward "yes." Health information is sensitive, and its exposure can cause exactly the kinds of harm the test is concerned with.
The serious harm test
"Likely" means more probable than not, judged on the real circumstances of the breach rather than a worst-case hypothetical. You assess the harm to the individuals whose information was involved, not harm in the abstract. The harm does not have to be financial. It expressly includes physical, psychological, emotional, and reputational harm.
Factors the law tells you to weigh
The Privacy Act lists the matters relevant to the assessment, which include:
- The kinds of information involved, and how sensitive it is.
- Whether the information was protected by one or more security measures, such as encryption, and the likelihood any of those could be overcome.
- The persons, or kinds of persons, who have obtained or could obtain the information.
- The nature of the harm that could result.
Health records score high on sensitivity, which is why breaches involving them so often clear the threshold.
Why health data raises the stakes
Exposed health information can lead to discrimination, distress, relationship and reputational damage, and, where identity details are included, financial fraud. The combination of clinical detail plus identifiers is precisely what makes serious harm likely, and the OAIC expects health providers to weigh that realistically.
Common mistakes
- Treating serious harm as only financial. Psychological and reputational harm count.
- Assuming encryption always removes the risk. It helps, but only if the protection is genuinely robust and unlikely to be overcome; whether the decryption key was exposed alongside the data is usually the deciding question.
- Assessing harm in the abstract. The test is about the actual individuals and the actual information involved.
Frequently Asked Questions
What does serious harm mean in a data breach?
Serious harm is the level of harm that makes a data breach notifiable. It is not defined exhaustively in the Privacy Act but includes physical, psychological, emotional, financial, and reputational harm. A breach is notifiable when serious harm to an individual is likely and cannot be prevented by remedial action.
How do I assess whether serious harm is likely?
You weigh the circumstances of the breach, including the kinds and sensitivity of the information, whether it was protected by measures such as encryption, who could access it, and the nature of the potential harm. "Likely" means more probable than not, judged on the real situation.
Does encryption mean a breach isn't notifiable?
Not automatically. Strong encryption can reduce the likelihood of serious harm enough that a breach is not notifiable, but only if the protection is robust and unlikely to be overcome. You still have to assess the specific circumstances rather than assume encryption ends the inquiry.