Australian Government - Office of the Australian Information Commissioner

Business resource: Collecting patients’ health information

This is a draft business resource. The OAIC conducted a public consultation on a suite of new draft health privacy guidance resources for health service providers and consumers in late 2015. Those resources are currently being finalised.


This business resource explains the requirements under Australian Privacy Principle (APP) 3 in the Privacy Act 1988 (Cth) (Privacy Act) when collecting personal information to provide a health service.[1] These requirements include obtaining patients’ consent unless an exception applies, only collecting necessary information, collecting by lawful and fair means and notifying patients of collection. This resource is part of a series that outlines what private sector health service providers need to know about handling their patients’ health information. Some of the key health privacy terms used are explained in Business resource — Key health privacy concepts, while other terms are explained in the Australian Privacy Principles Guidelines.

Meaning of collection

APP 3 outlines your obligations when collecting solicited[2] health information.[3] Generally, collection means gathering, acquiring or obtaining personal information for inclusion in a record or generally available publication. In practice, you collect health information about a patient if you receive health information from the patient, or from another source, and you retain it. In situations where you receive information that you have not requested or have come across by accident (‘unsolicited’ information), then APP 4 will apply (see ‘Dealing with unsolicited personal information’ below).

Examples of collection include:

  • writing down what a patient says, including any opinion about, or interpretation of, what is said
  • requiring a patient to complete a form requesting details such as name, address, date of birth and medical history
  • keeping a specialist report provided by a patient for inclusion in their medical record
  • taking physical or biological samples from a patient and labelling these with the patient’s name or other identifier
  • storing video footage, photographs or audio recordings in which a patient can be reasonably identified
  • keeping emails or other correspondence containing personal information about a patient.

‘Health information’ is classified as ‘sensitive information’ for the purposes of the Privacy Act. This means that stricter requirements are imposed by APP 3 when collecting health information. For more information about what constitutes ‘health information’, see Business resource — Key health privacy concepts.

Obtain consent before collecting health information

Generally, you may only collect health information where you have the patient’s consent to do so (APP 3.3(a)). Exceptions to this requirement are discussed later in this resource.

Consent can be either express or implied.[4] Express consent is given explicitly, either orally or in writing. Implied consent arises where you can infer from the circumstances, and the conduct of the patient, that they are consenting to the collection of their health information.

The four key elements of consent are:

  • the individual is adequately informed before giving consent
  • the individual gives consent voluntarily
  • the consent is current and specific
  • the individual has the capacity to understand and communicate their consent.

Consent, as discussed in this resource, applies to decisions about how a patient’s health information is handled. It does not cover consent to receive treatment. In practice, consent to the handling of health information and consent to treatment often occur at the same time, though they are distinct authorities by an individual to do different things: to provide treatment and to handle health information in particular ways.

Example: Implied consent

A patient makes an appointment to see you. During the consultation, the patient describes their symptoms and provides you with other information about their medical history. You make notes during the consultation and, after the consultation, place these notes on the patient’s medical file. In this situation, it can generally be inferred that the patient has given you implied consent to collect their health information. 

For more detailed discussion of ‘consent’, see the APP Guidelines, Chapter B (Key concepts).

Only collect necessary information

In addition to obtaining consent, generally you must only collect health information if it is reasonably necessary for one or more of your functions or activities (APP 3.3(a)(ii)). This means you should only collect the minimum amount of health information necessary for providing a health service to an individual.

You should also be clear about the main reason why you are collecting the information because this will determine how you may use and disclose the information. Generally under APP 6, personal information may only be used or disclosed for the primary purpose for which it was collected, unless the individual consents to the use or disclosure for another purpose or an exception applies. See Business resource: Using and disclosing patients’ health information for more information about using and disclosing personal information.

For further guidance on what is ‘reasonably necessary’, see the APP Guidelines, Chapter B (Key concepts).

Collect information directly from the patient

You must only collect health information about a patient directly from the patient, unless it is not reasonable or practical to do so (APP 3.6). Deciding whether or not it is reasonable and practicable to collect personal information directly from the patient involves balancing a number of possible factors, including whether a reasonable person might expect their information to be collected directly or indirectly, how sensitive the information is and what is accepted practice (by consumers and the health sector).

There are a number of situations where collecting health information directly from a patient may not be reasonable or practical, and you may need to collect information from another source. This may include:

  • in an emergency where background health information is collected from relatives, or
  • where a pathologist collects a specimen and accompanying information from a referring provider.

Medical history-taking

You may need to collect health information about a patient’s family members, for example when taking a family, social or medical history. This situation involves the collection of health information about a third party, without their consent. To ensure that health service providers do not contravene the Privacy Act in these circumstances, the Privacy Commissioner has issued a public interest determination (PID). The PID authorises the collection of third party health information by health service providers where that information is necessary and relevant to the treatment, diagnosis or care of a patient.[5]

Collect information by lawful and fair means

You must only collect health information by lawful and fair means (APP 3.5).

For collection to be considered ‘lawful’, the manner in which information is collected must not breach any state, territory or Commonwealth law.

A ‘fair means’ of collecting information is one that does not involve intimidation or deception, and is not unreasonably intrusive. For example, it may be unfair to collect health information from a patient where they are required to disclose details of a particularly sensitive health condition in an area where they can be easily overheard.

Example: Unlawful collection

Under the Telecommunications (Interception) Act 1979 (Cth) and state and territory listening devices laws, it is illegal to record a telephone consultation without the patient’s consent. Collection by this method would therefore breach APP 3.5. If a call is to be recorded or monitored, you must notify the individual at the beginning of the conversation so that they have a chance to end the call or ask not to be recorded.

Compliance tip

If you collect personal information from an individual in a place where they may be overheard, such as a waiting room or open pharmacy, this should be done in a manner sensitive to the surroundings.

Patients may be concerned or embarrassed about discussing health issues in an open or public area, so you may wish to take additional steps to make the patient more comfortable. For example, you could speak so that only the individual can hear what is said, take the individual to one side, or use an available private room.

Notify patients of collection (privacy notices)

APP 5 requires you to take reasonable steps when collecting health information to either notify the patient of certain matters or ensure the patient is aware of those matters. You must take reasonable steps before or at the time of collection, or as soon as possible after, to make the patient aware of these matters. This requirement applies to all health information ‘collected’ about a patient, either directly from the individual or from a third party.

The matters are listed in APP 5.2 and include:

  • your identity and contact details
  • the fact and circumstances of collection
  • whether the collection is required or authorised by law
  • the purposes of collection
  • the consequences if personal information is not collected
  • your usual disclosures of personal information of the kind you collect
  • information about your APP privacy policy
  • whether you are likely to disclose personal information to overseas recipients, and if practical, the countries where they are located.

Compliance tip

It is a good idea to ensure the patient is generally aware of which members of a ‘treating team’ have access to their health information, unless this is obvious from the circumstances. This may be a requirement for providers practising in the ACT. Contact the ACT Health Services Commissioner to find out more about this requirement.

Taking reasonable steps to notify patients of collection

For each matter, you must consider whether notifying the patient is reasonable in the circumstances. There may be situations where it is not practical to make the individual aware of the matters listed above. For example, in an emergency there may simply not be time to provide the notice, or the individual may not be in a fit state to comprehend how their information will be handled. As soon as practical after the event, you should take reasonable steps to ensure the individual is notified, or made aware, of the APP 5 matters.

The main point is that an individual needs to be made aware of these matters. You are not required to give an individual the same information each time you have contact with the individual. However, if there is a change to your information handling practices, you would need to take reasonable steps to make sure the individual is aware of it.

For further information about taking reasonable steps to notify patients of collection, see the APP Guidelines, Chapter 5: APP 5 – Notification of the collection of personal information.

Examples: APP 5 notices

Examples of ways in which you might choose to provide APP 5 notification include:

  • If you collect personal information over the counter, you could prominently display a brief notice covering all the relevant information and give the individual more detailed information in a leaflet.
  • If you collect personal information using a form, you could include a collection notice outlining the matters listed in APP 5 on the form. In the case of a form on a website, the APP 5 matters could be on the same page as the form or prominently linked to it; for example, it could come up before the individual completes the transaction.

Exceptions to obtaining consent to collect health information

Generally, you should obtain consent from a patient before collecting their health information. However, there are a limited number of situations where you may collect health information without consent (APP 3.4). These are outlined further below.

Laws requiring or authorising collection

You may collect health information if the collection ‘is required or authorised by or under an Australian law or a court/tribunal order’.

Example: Law requiring collection

Under state and territory public health legislation, health service providers are required to record information about individuals with certain diseases and notify the relevant health authority.

For example, under the NSW Public Health Act 2010, doctors, hospitals and pathology laboratories are required to record information about patients with certain medical conditions, such as AIDS, malaria, measles, tetanus and typhoid, and notify the NSW Department of Health. 

Lessening or preventing a serious threat to life, health or safety

You may collect health information without consent if:

  • it is not reasonable or practical to obtain the individual’s consent to the collection, and
  • you reasonably believe the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to the public health or safety.[6]

Where it is unreasonable or impracticable to obtain consent, you must reasonably believe that the collection is necessary to lessen or prevent a serious threat. In summary, there must be a reasonable basis for the belief, and not merely a genuine or subjective belief. It is your responsibility to be able to justify your reasonable belief. Health service providers are not excused from obtaining consent by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it impracticable to obtain consent will depend on whether the burden is excessive in all the circumstances.

A ‘serious’ threat is one that poses a significant danger to an individual or individuals. This can include a threat to a patient’s physical or mental health and safety. It could include a potentially life threatening situation or one that might reasonably result in other serious injury or illness. The threat may be to the life, health or safety of any individual and is not limited to a person seeking treatment and care.

A ‘serious threat to public health or safety’ relates to broader safety concerns affecting a number of people, for example the potential spread of a communicable disease.

Example: Necessary to lessen a serious threat to an unconscious patient

An individual is in hospital and unconscious as a result of a stroke. The hospital needs further information from the patient’s general practitioner to determine how best to treat him. Given the patient’s condition, it is not practical to obtain his consent to the collection. Further, the hospital reasonably believes that the collection of this information from the general practitioner is necessary to lessen the serious threat to the patient’s health. In these circumstances, the collection of health information without the patient’s consent is permitted.

Providing a health service

You may collect health information about an individual if the information is necessary to provide a health service to a patient, and either:

  • the collection is required or authorised by or under an Australian law (other than the Privacy Act), or
  • the health information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which are binding on the health service provider.[7]

In deciding whether the collection of health information is ‘necessary’ to provide a health service, you should consider if there are reasonable alternatives available. If you cannot effectively pursue your legitimate functions or activities without collecting personal information, then the collection would generally be considered as necessary for your functions or activities.

The Privacy Act does not specify which bodies qualify as ‘competent health or medical bodies’. Common examples include medical boards and other rule-making bodies recognised in an applicable Australian law. An important requirement is that the collection of health information is done in accordance with the rules established by such a body, that the health service provider is bound by those rules, and that those rules impose obligations of professional confidentiality. Generally, a binding rule is one that will attract a sanction or adverse consequence if breached.

Conducting research; compiling or analysing statistics; management, funding or monitoring of a health service

You may collect health information about an individual if the collection is necessary for research relevant to public health or public safety, the compilation or analysis of statistics relevant to public health or public safety, or the management, funding or monitoring of a health service, and certain other criteria are met.[8]

For more information about this exception, see Business resource: collecting, using and disclosing health information for health research and Business resource: collecting, using and disclosing health information for health management activities.

Other exceptions

The Privacy Act contains a number of other exceptions where you may collect health information without consent. These include:

  • to take appropriate action in relation to suspected unlawful activity or serious misconduct
  • to locate a person reported as missing
  • where it is reasonably necessary for establishing, exercising or defending a legal or equitable claim
  • where it is reasonably necessary for a confidential alternative dispute resolution process.

For more information about these exceptions, see the APP Guidelines Chapter C: Permitted general situations.

Other considerations when collecting health information

Anonymity and pseudonymity

Generally, you should provide patients with the option of not identifying themselves, or of using a pseudonym, when dealing with you (APP 2). A patient may prefer to deal anonymously or pseudonymously with a health service provider for various reasons, including to access counselling or other services without this information being linked to their identity and potentially becoming known to others.

Before collecting any information from a patient, you should consider whether your functions can be discharged through anonymous transactions or by allowing a patient to use a pseudonym. However, you do not have to do so where:

  • you are required or authorised under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves, or
  • it is not practical for you to deal with individuals who have not identified themselves or who use a pseudonym.

There may be consequences for a patient if they do not identify themselves, for example, they may not be able to claim a Medicare or health fund rebate. However, it is implicit in APP 2 that health service providers should still ensure that, if applicable, individuals are made aware of their opportunity to deal anonymously or to use a pseudonym. For example, your privacy policy could explain the circumstances in which a patient may deal anonymously or by pseudonym with you, and the procedures for doing so.

See the APP Guidelines, Chapter 2: APP 2 — Anonymity and pseudonymity for more information.

Dealing with unsolicited personal information

APP 4 outlines the steps you must take if you receive unsolicited personal information. Unsolicited personal information is information that you come across by accident, or receive but have not requested.

If you receive unsolicited personal information you should, within a reasonable period of time, determine whether you could have collected the information under APP 3 (see above). If you could have collected the information under APP 3, then you must deal with the information in accordance with APPs 5 – 13.

If you could not have collected the information under APP 3, then you must destroy or de-identify the personal information as soon as practicable if it is lawful and reasonable to do so.

For further information, see the APP Guidelines, Chapter 4: APP 4 — Dealing with unsolicited personal information.

The information provided in this resource is of a general nature. It is not a substitute for legal advice.


[1] For further information about your obligations see the APP guidelines, Chapter 3: APP 3 — Collection of solicited personal information

[2] A health service provider ‘solicits’ health information if it explicitly requests another entity (including a patient) to provide personal information, or it takes active steps to collect personal information.

[3] The meaning of ‘health information’ is discussed in more detail in the overview resource of this series. Generally, all personal information collected in the course of providing a health service is ‘health information’ under the Privacy Act.

[4] See s 6(1) of the Privacy Act for the definition of ‘consent’.

[5] For more information, see Public Interest Determination No. 12 – Collection of Family, Social and Medical Histories and Public Interest Determination No. 12A – Collection of Family, Social and Medical Histories, which are available from the OAIC website at

[6] This exception is known as a ‘permitted general situation’ and is contained in APP 3.4(b) and s 16A of the Privacy Act. More information is contained in the APP Guidelines Chapter C: Permitted general situations.

[7] This exception is known as a ‘permitted health situation’ and is contained in APP 3.4(c) and s 16B(1) of the Privacy Act. Permitted health situations are discussed generally in the overview resource of this series.

[8] This exception is known as a ‘permitted health situation’ and is contained in APP 3.4(c) and s 16B(2) of the Privacy Act. Permitted health situations are discussed generally in the overview resource of this series.