Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Business resource: Handling health information under the Privacy Act: A general overview for health service providers

This business resource is part of a series that outlines what private sector health service providers need to know about handling their patients’ health information. It provides a general overview of this guidance series and summarises the range of obligations that apply to providers under the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth).

Most people consider their health information to be highly personal. Knowing their privacy will be respected when they use a health service helps give people the confidence to access the health services they need.

The health service providers guidance series at a glance

How Australian privacy law applies to health service providers

The Privacy Act 1988 (Cth) regulates how all private sector health service providers handle health information. The Privacy Act applies to all private sector health service providers, irrespective of their annual turnover.[1] You are considered a ‘health service provider’ if you provide a health service and hold health information, even if providing a health service is not your primary activity. Health service providers are covered by the Privacy Act for all activities involving the handling of personal information, not just activities that relate to providing a health service.

State and territory public sector providers such as public hospitals are regulated by State or Territory privacy law. If you practice in both the public and private sector, generally when working in the private sector the Privacy Act applies, while in the public sector the relevant State or Territory law applies. Sometimes there is a mix of private and public sector providers across both private and public sector sites, such as co-located public and private hospitals. What legislation applies depends on who holds the records. For example, if you work in a public hospital, the record will be managed by the hospital and covered by local legislation. If you retain records of that information for your private practice, those records would be covered by the Privacy Act.

Local health privacy law in NSW, Victoria and the ACT also applies to the private sector. If you practice in NSW, Victoria or the ACT, you need to comply with both the Privacy Act and your local State or Territory law.[2] To assist you in complying with your obligations, the OAIC has included in this series some examples of where State or Territory laws may apply more specific requirements than the Privacy Act. However, these are examples only and you should continue to consult with your local regulator to obtain a full understanding of your obligations.

PCEHR system

If you participate in the Personally controlled electronic health record system, you must also comply with the Personally Controlled Electronic Health Records Act 2012 and Healthcare Identifiers Act 2010, their accompanying Rules and Regulations, and other requirements contained in your participation agreement with the System Operator. See the eHealth and Healthcare identifiers pages on this website.

Professional and ethical codes and standards

You may have additional obligations under professional and ethical codes of practice and standards to protect the confidentiality of health information. The Privacy Act does not prevent these codes and standards from applying.

What information does the Privacy Act apply to?

The Privacy Act applies to personal information, which is information or an opinion about an identified individual, or individual who is reasonably identifiable from the information, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

The Privacy Act does not apply to information about deceased persons. However, if information about a deceased person includes information or an opinion about a living individual, it will be ‘personal information’ about that living individual, so the living individual’s privacy interests should be considered when handling the information.

Compliance tip

If you practice in NSW, Victoria or the ACT, other health and privacy legislation may apply to the personal information of individuals who have been deceased for up to 30 years. Contact your state or territory regulator to find out more about any additional requirements.

What am I required to do under the Privacy Act?

The Privacy Act requires you to comply with thirteen Australian Privacy Principles (APPs), which set out how you must handle personal information. Your privacy obligations under the APPs are summarised below.

In addition, the OAIC has published APP guidelines, which explain in detail the requirements of each APP. The resources in this series provide more specific guidance on how a number of the APPs apply in the health sector. However, this series does not address every APP, and we recommend that you consult this series together with the guidelines for complete coverage of your APP obligations. See also our APP checklist, APP quick reference tool and Guide to undertaking privacy impact assessments.

Open and transparent management of personal information (APP 1)

APP 1 requires your organisation to manage personal information in an open and transparent way. You must take reasonable steps to implement practices, procedures and systems to ensure that you comply with the APPs and that you can deal with privacy inquiries or complaints.

In addition, you must have a clearly expressed and up–to–date privacy policy about how you manage personal information, which must address specific matters. You must take reasonable steps to make the policy available free of charge and in an appropriate form. It would usually be available on your organisation’s website (if you have one).However, given that patient contact with healthcare providers tends to be face to face rather than over the web, you should also consider ways to make your policy available to your patients and not just rely on web publication.  We recommend that you implement at least one of the following steps:

  • display the policy prominently at your practice and keep copies of the  policy available at reception
  • hand a copy  to all new patients when they register with you
  • refer to the policy (and how to obtain a copy) in your registration forms, collection notices and other consent forms.

You will be best placed to determine which of these steps is most relevant or appropriate for your organisation. Further information is contained in the OAIC’s Guide to developing an APP privacy policy.

Patients who wish to be anonymous or use a pseudonym (APP 2)

There may be situations where a patient does not want to identify themselves to you, for example when attending a sexual health clinic. You must give patients the option of dealing with you anonymously or by using a pseudonym, unless you are required or authorised by law to deal with identified individuals, or it would be impracticable to deal with anonymous or pseudonymous individuals.

Collecting personal information (APPs 3–5)

Under APP 3 you generally can only collect sensitive information, such as health information, if the patient consents to the collection, and the information is reasonably necessary for one or more of your functions or activities. Exceptions apply, a number of which are addressed in this guidance series.

You must collect personal information by lawful and fair means. You must also collect the information directly from the patient unless this would be unreasonable or impracticable.

For further information, see Business resource: Collecting patient’s health information, Business resource: Collecting, using and disclosing health information for health management activities and Business resource: Collecting, using and disclosing health information for research.

Unsolicited information

Under APP 4, if you receive unsolicited personal information (information you receive where you have taken no active steps to collect that information), you must determine whether or not APP 3 would have allowed you to collect it. If you determine you could not have collected the information, you must destroy or de-identify it as soon as practicable, if it is lawful and reasonable practical to do so.

Notifying patients

APP 5 requires you to take reasonable steps to notify the patient or ensure they are aware of a number of matters when or before you collect personal information (or as soon as practicable after). This includes the purpose for which you are collecting the information, and the bodies to whom that information will usually be disclosed.

Using and disclosing personal information (APPs 6–9)

APP 6 allows you to use or disclose personal information for the primary purpose for which you collected it. You may also use or disclose personal information that you collected for another (secondary) purpose, if the patient consents or if another exception under APP 6 applies. Exceptions include where the patient would reasonably expect this and the secondary purpose is directly related to the primary purpose or where the use or disclosure is for health management activities. APP 6 does not apply to personal information that is used or disclosed for direct marketing and does not apply to government identifiers (see below).

See Business resource: Using and disclosing patient’s health information, Business resource: Collecting, using and disclosing health information for health management activities, Business resource: Collecting, using and disclosing health information for research, Business resource: Using and disclosing genetic information to lessen or prevent a serious threat to the life, health or safety of genetic relatives and Business resource: Disclosure of health information and impaired capacity.

Direct marketing

Under APP 7 you must not use or disclose sensitive information, including health information, for direct marketing unless the patient consents. If they consent, they can later request not to receive further marketing communications, you must cease communications within a reasonable period and you cannot charge them for this.

Disclosing personal information overseas

Under APP 8, before you disclose personal information overseas, you must take reasonable steps to ensure the recipient does not breach the APPs (except for APP 1) in relation to the information. If you do disclose personal information overseas, you are accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs (s 16C). Some exceptions apply.

Handling government identifiers

Under APP 9 you must not adopt a government related identifier (such as a Medicare number) as your own way of identifying patients unless this is required or authorised by law. You can only use or disclose government identifiers in limited circumstances, such as where this is reasonably necessary to verify a patient’s identity.

Data security (APP 11)

You must take reasonable steps to protect your records of personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

If any of the personal information you hold is no longer needed for any purpose for which it may be used or disclosed under the APPs, you must take reasonable steps to destroy or de-identify it (unless the information is required to be retained by law). See Guide to securing personal information and De-identification of data and information.

Giving access to personal information (APP 12)

You must give patients access to their personal information on request, unless an exception applies. You must respond within a reasonable period (usually within 30 days) and give access in the manner requested where reasonable and practical. If you refuse to give access, or to give it in the manner requested, you must take reasonable steps to give it in a way that meets both parties’ needs and give a written notice. If you decide to charge the patient, the charge must not be excessive and must not apply to the making of the access request.

For more information, see Business resource: Access to health information held by health service providers.

Quality and correction of personal information (APPs 10 and 13)

APP 10 requires you to take reasonable steps to ensure that the personal information you collect is accurate, up-to-date and complete. In addition, you must take reasonable steps to ensure that the personal information you use or disclose is, having regard to the purpose of the use or disclosure, accurate, up–to–date, complete and relevant.

Under APP 13 you must also take reasonable steps to correct your records of personal information if they are inaccurate, out-of-date, incomplete, irrelevant or misleading (considering the purpose for which the information is held). If you correct information that you have previously disclosed to a third party,[3] you must take reasonable steps to notify that third party of the correction on request by the individual, unless it is impracticable or unlawful to do so. If a patient asks you to correct their personal information and you refuse, you must give them a written notice and on request associate a statement with their record. You must respond to their request within a reasonable period (usually within 30 days) and must not charge for the making of the request.

For more information, see Business resource: Correction of health information by health service providers.

What could happen if I breach the APPs?

If you breach the APPs, this will be an ‘interference with privacy’ under the Privacy Act. The Information Commissioner has the power to investigate possible interferences with privacy, either following a complaint by an individual or on his or her own initiative. We generally won’t investigate a complaint from an individual unless they have complained to you first and given you 30 days to reply.

We try to resolve complaints through conciliation, where we try to help both parties resolve the issues through discussion and negotiation. The Commissioner also has a range of enforcement powers including enforceable undertakings, determinations, and the power to seek a civil penalty for serious or repeated breaches of privacy. However, our preferred regulatory approach is to facilitate voluntary compliance and to work with you to ensure best privacy practice and prevent privacy breaches from occurring.

See Privacy fact sheet 11: How will the OAIC handle a privacy complaint against my organisation?, Privacy fact sheet 12: Conciliation of privacy complaints, Privacy regulatory action policy and Guide to privacy regulatory action.

If you experience a data breach which poses a real risk of serious harm, we recommend you notify the affected individual(s) and the OAIC. See Data breach notification — A guide to handling personal information security breaches. If you participate in the personally controlled electronic health record system, you will also have contractual obligations to notify the System Operator of data breaches in certain circumstances.[4]

The information provided in this resource is of a general nature. It is not a substitute for legal advice.


[1] The exemption under the Privacy Act that applies to businesses with an annual turnover of $3 million or less does not apply to entities (including individuals) that provide a health service and hold health information (other than in an employee record).

[2] See Health Records and Information Privacy Act 2002 (NSW), Health Records Act 2001 (Vic), and Health Records (Privacy and Access) Act 1997 (ACT).

[3] This applies to third parties covered by the APPs and includes all private health service providers and Australian government agencies. However it would be best practice to inform other third parties. See the APP guidelines, Who is covered by the APPs?

[4] See the Participation Agreement contract.