Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Can I use patients’ personal information for direct marketing?

Under Australian Privacy Principle 7, personal information cannot be used or disclosed for the purpose of direct marketing unless an exception applies. The requirements of the exceptions depend on whether the personal information is ‘sensitive information’. Sensitive information includes health information, which includes information collected to provide, or in providing, a health service. This would include the names and address of a person if that information was collected in the course of providing a health service.

If sensitive information is to be used or disclosed for the purpose of direct marketing, the individual is required to have consented to the use or disclosure of the information for that purpose. This is the case even if the person is an existing patient of the practice, and even if the practice believes that the communication would be welcomed by, or beneficial to, the patient.

Therefore, in order to comply with privacy law, in most circumstances the health service provider will need to obtain the patient’s consent before sending communications (such as by letters) promoting services of the practice. Patients who have given their consent should also have the opportunity to opt out of receiving future communications.

Note APP 7 does not apply to the extent that the Do Not Call Register Act 2006 and the Spam Act 2003 apply. APP 7 will still apply to the acts or practices of an organisation that are exempt from these Acts.

What is direct marketing?

Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods or services. It is not uncommon for certain health service providers, in particular general practitioners, to send targeted information to existing patients informing them of services offered by the practice. This information is communicated to patients in a variety of ways, but could involve, for example, sending a letter by post to a patient.

In general, communication directly with patients that uses or discloses personal information to promote services offered by the practice is likely to fall within the definition of direct marketing. Whether a service is being ‘promoted’ will be a key issue in determining if the conduct constitutes direct marketing. For example, a letter sent to all patients of a practice about the availability of influenza vaccinations is likely to be direct marketing because it involves the use or disclosure of personal information to promote services offered by the practice.

Note: The OAIC is currently in the process of developing more detailed guidance for health service providers on this topic.