The Privacy Act 1988 for Australian Medical Practices: A Practical Guide

Post author: TalentMed

Image: Australian medical practice manager reviewing privacy and data security policy at a workstation, with a locked screen and a secure-disposal bin visible, illustrating Privacy Act 1988 APP 11 compliance.


Health information is among the most sensitive personal data a practice handles, and the Privacy Act 1988 (Cth) sets the legal floor for how it is collected, used, stored, disclosed and disposed of. The 13 Australian Privacy Principles (APPs) apply to every private-sector medical practice that turns over more than $3 million a year, and, because section 6D carves health service providers out of the small-business exemption, to almost every health service provider regardless of turnover. The practice manager owns the operational privacy programme: making sure the policy is current, staff are trained, breaches are escalated within 72 hours, and the evidence file is ready for the OAIC if it ever asks.

TalentMed Pty Ltd (RTO 22151) delivers the HLT57715 Diploma of Practice Management, which covers the governance, risk management and operational reporting competencies a PM needs to design and run a privacy programme that holds up under audit.

Why the Privacy Act applies to every medical practice

Most medical practices fall inside the Privacy Act 1988 by virtue of being health service providers, not because of their turnover. The general $3 million small-business exemption (section 6D) is overridden for businesses that provide a health service and hold health information (section 6D(4)(b)). In practice, that captures GP practices, specialist rooms, dental practices, allied health, psychology, and most clinical services regardless of size.

Section 6FA defines health information broadly (any information about an individual’s health or disability, plus genetic and health-service information that identifies them), and the My Health Records Act 2012 layers additional rules on top of the Privacy Act for any practice connected to the My Health Record system.

  • Privacy Act 1988 (Cth). The base law. Sets the 13 Australian Privacy Principles and creates the OAIC as the regulator. Health-services exemption to the small-business rule means turnover does not get a practice off the hook.
  • 13 Australian Privacy Principles (APPs). The operational rules covering open and transparent management, anonymity and pseudonymity, collection, use, disclosure, cross-border disclosure, government identifiers, quality, security, access, correction.
  • Section 6FA, health information definition. Captures clinical notes, test results, mental-health records, genetic information, and any identifying information collected in the course of providing a health service.
  • My Health Records Act 2012. Additional rules for practices using the My Health Record system. Higher-tier penalties for unauthorised access. Separate audit and access-log obligations.
  • Notifiable Data Breaches scheme (Part IIIC). Mandatory reporting of eligible data breaches to the OAIC and affected individuals as soon as practicable, generally within 30 days of becoming aware. Active since February 2018.
  • RACGP Standards 5th edition Criterion C6.1. Confidentiality and privacy of health information is an accreditation criterion for general practices, mirroring the APPs in operational language.

For how this fits the wider operational compliance picture, see RACGP Standards 5th edition and the accreditation cycle.

The 13 Australian Privacy Principles in practice

The 13 APPs are written in general terms; the practical translation into the practice is what the PM needs on file. Six APPs do most of the day-to-day work: APP 1, 5, 6, 11, 12 and 13. The others shape collection and disclosure rules in the privacy policy, but rarely surface in operational decisions.

  • APP 1: Open and transparent management. Requires: maintain a clearly written, freely available privacy policy. PM evidence: privacy policy on the website and in the waiting room, reviewed at least every two years and date-stamped.
  • APP 5: Notification at collection. Requires: tell patients why information is collected, who it is shared with, and how to access it. PM evidence: collection statement on the new-patient form and on the website privacy page.
  • APP 6: Use and disclosure. Requires: only use or disclose information for the primary purpose, or a directly related secondary purpose the patient would reasonably expect. PM evidence: documented consent process, register of disclosures (insurer, Medicare, third-party reports).
  • APP 11: Security of information. Requires: reasonable steps to protect information from misuse, interference, loss and unauthorised access. PM evidence: access controls, password policy, screen locks, secure disposal, encrypted backup, staff training records.
  • APP 12: Access by the individual. Requires: provide access to the patient’s own information on request, generally within 30 days. PM evidence: subject-access-request register, fee schedule (if charged), written response template.
  • APP 13: Correction. Requires: correct information that is inaccurate, out of date, incomplete or misleading. PM evidence: correction-request log, audit trail in the clinical software showing the change.

The OAIC’s Guide to securing personal information and Health privacy guide translate APP language into healthcare-specific operational guidance and are the reference assessors and OAIC investigators use.

Consent: express, implied, and the boundaries

Consent is the engine of lawful collection, use and disclosure under the APPs, but the Act distinguishes between express and implied consent and the practical line is not always obvious. Get it wrong and a routine disclosure becomes a breach.

  • Express consent is required for sensitive disclosures: sharing records with a third-party insurer, releasing reports to legal representatives, sharing with another health service that is not part of direct care coordination, or any disclosure outside Australia (APP 8). Document the consent in writing or in the clinical record.
  • Implied consent covers ordinary direct-care information flow: the GP sharing relevant history with a referred specialist, the practice nurse accessing the file to administer a vaccine, the receptionist confirming an appointment with the patient. Patients reasonably expect this and the OAIC accepts it as implied where the practice’s privacy policy and collection statement explain it.
  • Permitted disclosures without consent apply to specific situations: serious threat to life or health, suspected unlawful activity, mandatory reporting (child protection, notifiable diseases), and lawful subpoenas or court orders. Document the legal basis.
  • Marketing communications require separate consent under APP 7. Clinical recall reminders are not marketing; promoting a new cosmetic service is.
  • Withdrawal of consent must be straightforward and must not penalise the patient. Document the withdrawal and update any related register.

Data security and reasonable steps under APP 11

APP 11 requires the practice to take “such steps as are reasonable in the circumstances” to protect information. The OAIC’s Guide to securing personal information sets out what reasonable steps look like in healthcare. The benchmark is risk-proportionate: a single-doctor practice does not need an enterprise security operations centre, but it does need the basics done well and documented.

  • Access controls. Unique logins for every staff member, role-based access in the clinical software, immediate revocation when a staff member leaves, regular review of user permissions.
  • Workstation security. Auto-locking screens (5 to 10 minutes), no shared logins, no sticky-note passwords, no patient information visible on unattended monitors at reception.
  • Encrypted backup and storage. Backups encrypted at rest, ideally off-site or cloud-replicated, with restores tested regularly. Cloud-storage location documented (APP 8 cross-border disclosure rules apply if data leaves Australia).
  • Secure disposal. Locked shred bins for paper. Certified data destruction for retired hard drives, mobile phones and USB media. Documented disposal certificates.
  • Staff privacy training. Induction privacy training, annual refresher, role-specific guidance for high-risk roles (reception handling phone disclosures, admin handling subject-access requests).
  • Vendor and contractor agreements. Written contracts with the IT provider, billing service, transcription service, cloud-storage vendor, and any third party with access to patient information. Each must include privacy obligations matching the practice’s APP responsibilities.

Cyber-incident risk is now the dominant operational privacy threat. Phishing, ransomware and credential theft are the most common breach vectors reported to the OAIC in healthcare. The APP 11 evidence file should include a recent cyber-risk assessment and an incident response plan that names a decision-maker for the first 24 hours.

The Notifiable Data Breaches scheme

Since February 2018 the Notifiable Data Breaches (NDB) scheme has required mandatory reporting of eligible data breaches to the OAIC and affected individuals. A breach is “eligible” if there is unauthorised access, disclosure or loss, AND the breach is likely to result in serious harm. Healthcare breaches almost always meet this threshold because health information is, by its nature, sensitive.

  • Tier 1: Suspected breach. Examples: lost USB, email sent to the wrong address, suspicious login alert, ransomware indicator. PM action: contain immediately, isolate the affected system, start the investigation, document the timeline. The 30-day clock starts from awareness.
  • Tier 2: Confirmed breach, low harm. Examples: wrong-recipient email retrieved unread, lost USB recovered before access. PM action: document, complete the internal NDB risk assessment, decide whether the eligibility threshold is met. Internal record only if not eligible.
  • Tier 3: Eligible data breach. Examples: patient records accessed by an unauthorised party, ransomware encrypting the clinical database, mass email exposing the recipient list. PM action: notify the OAIC via the online form, notify affected individuals as soon as practicable, document remediation steps. Engage legal and IT-forensics support.
  • Tier 4: Major or systemic breach. Examples: database exfiltration, sustained unauthorised access, multi-system compromise. PM action: activate the cyber-incident response plan, OAIC notification within 30 days, individual notifications, public communication, third-party-vendor review, board-level reporting.

The 30-day clock runs from the moment the practice becomes aware (or ought reasonably to have been aware) of an eligible breach. Use the time for proper investigation; do not delay notification once the eligibility threshold is clearly met.

The practice manager’s day-to-day privacy responsibilities

The PM owns the privacy programme as a system, even where individual tasks are delegated to clinical or admin staff. What the OAIC and RACGP assessors want to see is consistent ownership and an evidence file that proves the system runs.

  • Maintain the privacy policy and the collection statement. Review every two years, update sooner if practice systems change (new clinical software, new vendor, new clinical service).
  • Run privacy training at induction and annually. Track completion. Cover the APPs at a practical level, the NDB scheme, secure-disposal procedure, subject-access-request handling, and the consent boundary.
  • Process subject-access requests within 30 days. Maintain a register, document any fee charged (which must be reasonable and not used to deter access), and keep the response template ready.
  • Run the breach response. First-24-hour decision-maker named in the plan, contain-investigate-assess-notify cadence rehearsed, OAIC online notification form bookmarked.
  • Manage third-party agreements. IT provider, billing vendor, transcription, cloud storage. Written agreements with privacy clauses; review annually.
  • Run a privacy audit annually. Spot-check access logs, review user permissions, check secure-disposal evidence, confirm the published privacy policy is current, walk the consult rooms for visible patient information.

The audit is the discipline that makes the privacy programme survive staff turnover. Sit it alongside the operational dashboard (see GP practice KPIs and dashboards) and the infection-control evidence file (see infection control in Australian GP practices).

2024 reforms and the road ahead

The Privacy and Other Legislation Amendment Act 2024 introduced the first tranche of reforms from the Government’s response to the Privacy Act Review. The reforms give the OAIC stronger civil-penalty powers, introduce a statutory tort for serious invasion of privacy, and lay groundwork for further reform tranches.

The new statutory tort lets a person sue directly for serious invasion of privacy where the conduct was intentional or reckless, the invasion was serious, and there is no overriding public interest. The practical implication: an unauthorised disclosure that historically ended at an OAIC complaint can now also surface in court. The standards have not changed; the consequences have.

The HLT57715 Diploma of Practice Management at TalentMed

The HLT57715 Diploma of Practice Management covers the governance, risk management and operational reporting competencies a PM needs to design and run a privacy programme that holds up under audit, accreditation, and OAIC investigation.

Frequently asked questions

Yes. The general small-business exemption in section 6D of the Privacy Act 1988 does not apply to a business that provides a health service and holds health information (section 6D(4)(b)). Almost every medical, dental, allied health and specialist practice is captured by this carve-out regardless of turnover.

Section 6FA defines health information broadly: information about an individual’s health or disability, information about a health service provided to them, genetic information predictive of health, organ donation information, and any personal information collected in providing a health service. Clinical notes, test results, mental-health records and identifying details on appointment systems are all in scope.

Express consent is given verbally or in writing for a specific purpose and is required for sensitive disclosures (insurer reports, third-party legal disclosures, cross-border data transfer). Implied consent covers ordinary direct-care information flow that patients reasonably expect, such as a GP sharing relevant history with a referred specialist. The OAIC accepts implied consent where the privacy policy and collection statement explain the routine flow.

Under the Notifiable Data Breaches scheme an eligible data breach (one likely to result in serious harm) must be reported to the OAIC and affected individuals as soon as practicable, generally within 30 days of the practice becoming aware. Healthcare breaches almost always meet the eligibility threshold because health information is sensitive by nature. Use the OAIC’s online notification form.

APP 12 sets the expectation of a response within 30 days of receiving the request. The practice may charge a reasonable fee to cover the cost of providing access (not for making the request), but the fee must not be used to deter access. Maintain a register, use a written response template, and document any decision to refuse access on permitted grounds.

APP 8 governs cross-border disclosure. The practice must take reasonable steps to ensure the overseas recipient does not breach the APPs, or rely on a permitted exception (express consent, contracted overseas-recipient compliance, similar overseas privacy law). For practical purposes, document the cloud vendor’s data location, contractual privacy obligations, and the cross-border consent reflected in the privacy policy.

Reasonable steps proportionate to the risk. For a small practice that means unique staff logins, role-based access in the clinical software, auto-locking screens, encrypted backup, locked shred bins, written IT-vendor agreements, and annual privacy training. Document each measure and review the controls annually. The OAIC’s Guide to securing personal information is the practical reference.

The HLT57715 Diploma of Practice Management covers the governance, risk management and operational reporting competencies a PM needs to design, run and audit a privacy programme. The legal interpretation of complex privacy questions sits with privacy lawyers and the OAIC; the PM’s contribution is the system that makes everyday compliance happen and produces the evidence file at accreditation or investigation.

TalentMed Pty Ltd, RTO 22151. HLT57715 Diploma of Practice Management is a nationally recognised AQF Level 5 qualification, delivered fully online. General educational information only, not legal advice. Verify against current Privacy Act 1988, OAIC published guidance, RACGP Standards and My Health Records Act 2012.
