Australian Government - Office of the Australian Information Commissioner - Home

Privacy fact sheet 20: Consent and the handling of personal information in your eHealth record

One of the defining features of Australia’s personally controlled electronic health record (eHealth record) system is that it is an opt-in system. That means that you must consent to having an eHealth record before one can be established.

As part of registering for an eHealth record you are asked to consent to having your health information uploaded to your eHealth record. However, further consent may need to be sought in some circumstances before specific information can be uploaded.

This fact sheet sets out what you are consenting to when you register for an eHealth record, and in what situations further consent may need to be sought. It also discusses the meaning of consent.

The eHealth record system

You can now register for an eHealth record. This record is designed to contain an electronic summary of your key health information such as prescribed medications, allergies and treatments you have received. Healthcare providers can upload health information to your eHealth record and view the information in it.

You can control who has access to your eHealth record, what information they can see and what records are uploaded by establishing access controls on your eHealth record. You should also talk to your healthcare provider about the type of information you do and do not want uploaded to your record.

More information about the eHealth record system can be found at

The role of the OAIC

The Office of the Australian Information Commissioner (OAIC) is the independent regulator of privacy aspects of Australia’s eHealth record system.

What are you consenting to?

When you register for an eHealth record, you are giving consent to records containing your health information being uploaded to the eHealth record system by registered healthcare provider organisations involved in your care.

This is subject to two important exceptions:

  • where you have told your healthcare provider that a particular record, all records, or a specific class of records must not be uploaded
  • where certain laws of a State or Territory require that consent to upload particular health information be given expressly or in a particular way.[1]

When registering for an eHealth record, you will also be asked whether you consent to the inclusion of certain types of Department of Human Services (DHS)-Medicare information. For more information on the inclusion of DHS-Medicare information please see Privacy fact sheet 22 — Medicare and your eHealth record.

If you want to restrict a particular record, all records or a specified class of records from being included in your eHealth record, you should discuss this issue with your healthcare provider.

You can exercise further control over your eHealth record, such as controlling which registered healthcare provider organisations have access to your eHealth record, by changing your privacy settings, known as ‘access controls’ — for more information please see Privacy fact sheet 19: How to manage your eHealth record.

State and territory legislation

The eHealth record system recognises that under some state and territory laws consent must be given expressly, or in a particular way, before information related to specific areas of health is disclosed.

Such specific areas of health include, depending on the relevant State or Territory, notifiable conditions such as HIV/AIDS status, information which relates to a cancer diagnosis, and information in the National Perinatal Statistics Collection.[2]

Unless specified in Regulation 3.1.1, a healthcare provider may rely on the standing consent provided on registration.

Consent under the Privacy Act

Under the Privacy Act 1988 health information is a subset of sensitive information and so stricter requirements apply to the collection and handling of health information. In particular, health information must only be collected where you have consented or where an exception applies.

The OAIC considers that consent to the collection of health information can be express or implied. Express consent is given explicitly, either verbally or in writing. Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual. However, for consent to be valid, the following key elements must be present:

  • it must be provided voluntarily
  • you must be adequately informed
  • you must have the capacity to understand, provide and communicate your consent.[3]

If you are considering whether or not to register for an eHealth record you should consider what it means to ‘consent’ to information being uploaded to your eHealth record. It is important for you to educate yourself about the eHealth system, including what sort of personal information may be stored on a record and who can access it.

More information

For more information on protecting your privacy on the eHealth system, please see the OAIC’s Ten tips for protecting the personal information in your eHealth record.

[2] Specific laws that are recognised by the eHealth record system as requiring additional consent are detailed in Regulation 3.1.1 of the Personally Controlled Electronic Health Records Regulation 2012.

[3] Office of the Australian Information Commissioner, Guidelines on Privacy in the Private Health Sector, November 2001,