Date published:
Access to client records must be restricted to only those who require it.
Information contained on a program client’s file may be personal and sensitive in nature and is considered a Commonwealth Record. It is important that those requiring access have the appropriate authority to do so.
Some of the main concerns if access is not revoked immediately include:
- A former employee could continue to access the portal which may include viewing or downloading content. This would constitute a data breach
- Investigation of these breaches use valuable time and resources of the program and the provider to investigate the nature of access and establish whether it is a notifiable data breach under the Privacy Act 1988.
- Notifiable data breaches under the Privacy Act 1988 require further investigation and reporting from providers to clients and the Office of the Australian Information Commissioner.
- Inaccurate data when it comes to the number of portal users and what business they are linked to.
The Schedule of Service Items and Fees 2025-26 includes an expanded section addressing data breaches should they occur.
Please review your current users and ensure that any former employees no longer have access to the portal.
For more information regarding how to revoke user access please refer to the following User Guide.