Read Information Commissioner Elizabeth Tydd’s prepared talking points for the National Health Information Management Conference 2025 on 29 October 2025.
- Many Australians view their health information as being particularly sensitive. Privacy is critical to ensuring community trust in the uses of health data.
- The potential for digital health to improve both patient outcomes and the healthcare system cannot be denied – by any measure.
- Your role as stewards of this valuable asset is confirmed by your profession and the increasing recognition of its importance to health care and the economy. It is a great pleasure to address you today on this matter of shared importance.
- New technologies and increasing demand for interoperability and access to data all require strong consideration of how privacy and access to information can be supported and strengthened to realise health benefits while protecting Australians’ most sensitive information.
- Advances in technology have enabled health data to be collected, stored, extracted, aggregated and analysed in novel ways that have the potential for public good such as informing government policy and public health research.
- Today I will talk about information governance including privacy data trends relating to the health sector, with a focus on complaints, NDBs and the OAIC’s community attitudes to privacy survey.
- I’ll also explore key challenges that can impact on the success of new initiatives involving health data. They are:
  - Artificial intelligence
  - Data provenance
  - Privacy as the foundation of trust
  - Consent and control over data
  - Use of deidentified data, and
  - Data security
- The OAIC’s role as a co-regulator in health information governance.
Privacy data trends
- As stewards of this information, you seek a single, trusted source of truth. This objective aligns with the objects of the FOI Act in treating government-held information as a ‘national resource’ to be applied for a public purpose.
- The security of this information is also vital to trust.
- Health service providers make up a large proportion of complaints and notifiable data breaches made to the OAIC. This reflects the fact that health-related personal information is highly regarded by Australians.
- Despite a large number of complaints and data breaches, the 2023 Community attitudes to privacy survey found that Australians trust health service providers and federal government agencies the most with their personal information.
- This is especially true for older Australians, with those aged 55 and over more likely to rate health service providers as ‘very’ or ‘somewhat trustworthy’ (78% 55+ years, cf. 74% all adults).
- However, there are some areas of caution within the Australian community in relation to more advanced forms of technology-driven medical analysis:
  - The majority of Australians are not comfortable with biometric analysis, which is defined as the use of a wide variety of techniques, such as AI, to make assumptions or predictions about the characteristics of an individual from their biometric data.
  - Less than half (45%) are ‘very’ or ‘somewhat comfortable’ with the use of biometric analysis to determine someone’s health or disease status.
Privacy complaints made to the OAIC
- In the last financial year, health service providers, the financial sector and Australian government agencies were the sectors most likely to notify of a data breach, and most likely to be the subject of a complaint.
- Health service providers were the sector with the most privacy complaints made to the OAIC in 2024-25, with the OAIC receiving 411 privacy complaints regarding health service providers.
- In comparison, the OAIC received 384 privacy complaints regarding the finance sector and 350 privacy complaints regarding Australian government agencies.
Notifiable data breaches
- Health service providers were the sector that made the most notifiable data breach notifications to the OAIC.
- In 2023-24, health service providers made 217 data breach notifications to the OAIC.
- In comparison, Australian Government agencies made 167 data breach notifications and the finance sector made 127 data breach notifications.
- It would be prudent for those of us gathered today to consider the implications of what this means in terms of reputation and trust:
  - The OAIC received 1,113 notifications in calendar 2024, a record number and 25% increase from 2023.
  - IBM calculates that in 2024 the average cost to business of a data breach was $4.26 million.
Challenges in using health data
Artificial intelligence
- The OAIC recognises that AI has the potential to benefit the Australian people and the economy by improving efficiency and productivity across a wide range of sectors, including the health sector.
- However, the efficiency and productivity dividends of AI will not be realised if AI tools don’t enjoy the trust and confidence of the Australian public.
- Australians care a lot about their privacy, and want more choice in and control of how their personal information is handled.
- They are sceptical about the roll out of artificial intelligence without proper guardrails.
- Importantly, according to the ACCC’s digital platforms consumer survey, 83% of Australians agree that companies should seek user consent before using their data to train AI models.
- While the OAIC did not conduct an investigation, conducting preliminary enquiries only, the OAIC’s report into preliminary inquiries of I-MED provides a case study of what one company did to adhere to privacy laws when developing AI models.
- The study demonstrates how good governance, and planning for privacy at the start of a new initiative, can support an organisation to adopt new and innovative data-driven technologies in a way that protects the rights of individuals.
- ‘Rebalancing power and information asymmetries’ is one of the regulatory priorities for the OAIC in 2025-26.
- Under this priority, the OAIC will focus on sectors and technologies that compromise rights and create power and information imbalances, such as practices that erode information access and privacy rights in the application of artificial intelligence.
Regulatory Responsibility
- The OAIC has regulatory responsibility for 3 primary statutes and 39 other statutes. The human rights we promote and preserve are privacy and FOI. As AIC I also have the additional responsibility for systems, policies and procedures in relation to data governance in the Australian Public Service.
- As a co-regulator we have regular dialogue with the Australian Digital Health Agency. We are able to share regulatory information and through our engagement better secure the health information of the Australian community. That security achieves two paramount outcomes:
  - it builds trust to advance uptake; and
  - it also ensures that we have secure vital sources of truth to advance the health and welfare of the Australian community.
- I’d like to take you to some of our regulatory powers to demonstrate our role as an effective co-regulator, particularly in relation to digital health.
- The Privacy Act interfaces with the My Health Records Act 2012 (MHR Act). In 2020 the MHR Act was amended to allow the Information Commissioner to disclose details of investigations to the System Operator – being the CEO of the Australian Digital Health Agency. This is an important power that has been utilised by the OAIC.
- I’ll step you through how important this power is in practice: the OAIC can receive privacy complaints under section 36 of the Privacy Act 1988. In investigating these complaints, we can use coercive powers such as notices to produce or requiring a person to appear and give evidence.
- Section 73 of the MHR Act provides that a contravention of the MHR Act is an interference with privacy. Section 73(3) provides that, in addition to the Information Commissioner's functions under the Privacy Act 1988, the Information Commissioner has the following functions in relation to the My Health Record system:
  - to investigate an act or practice that may be an interference with the privacy of a healthcare recipient under subsection (1) and, if the Information Commissioner considers it appropriate to do so, to attempt by conciliation to effect a settlement of the matters that gave rise to the investigation;
  - to do anything incidental or conducive to the performance of those functions.
- The MHR Act creates offences under sections 59 and 59A: unauthorised collection, use and disclosure of health information included in a healthcare recipient's My Health Record, and unauthorised use of information included in a healthcare recipient's My Health Record for a prohibited purpose.
- The MHR Act provides that a contravention of section 59(1) or 59(2) is an offence, subject to a term of imprisonment for 5 years or 300 penalty units, or both.
- This is an effective interface that ensures that OAIC can investigate and take action including referral for criminal investigation.
Privacy as the foundation of trust
- Privacy is fundamental to building and maintaining public trust. Australians are more engaged than ever before with their health data.
- Privacy issues that are not properly addressed can impact the community’s trust and undermine the success of new data initiatives.
- Ultimately, people need to see the benefits and value of the use of their personal information and understand the parameters around its handling and protection.
- When entities provide transparency over personal information handling practices and are accountable, it gives consumers the confidence that their privacy is respected and they are more likely to be supportive of increased data activities.
Consent and control over data
- It is critical that the individual consumer is placed at the centre of considerations when developing new ways of using health data. Doing so will help to ensure the community trust health service providers with the collection and handling of their sensitive health information.
- Focus should be placed on robust notice and consent processes. Careful consideration must be given to how consumers can exercise choice and control over their personal information, particularly how consumers can be given notice of and exercise meaningful consent to secondary uses of their personal information.
- For consent to be meaningful, consumers need to be provided with genuine choices around how their personal information will be handled, and those choices need to be inherently fair.
- Meaningful consent also requires a consumer to be properly and clearly informed about how their personal information will be handled, so they can decide whether to give consent.
Use of deidentified data
- De-identification can be a valuable tool in the context of health research, allowing the utility of data to be maximised while preserving consumer privacy.
- Information that has undergone an appropriate and robust de-identification process is not personal information and is not currently subject to the Privacy Act. This requires there to be no reasonable likelihood of re-identification occurring in the context in which the data will be made available.
- Appropriate de-identification can be complex, especially in relation to detailed datasets that may be disclosed widely and combined with other data sets.
- In this context, de-identification will require more than removing personal identifiers. Additional techniques and controls will likely be required to remove, obscure, aggregate, alter and/or protect data so that it is no longer about an identifiable (or reasonably identifiable) individual.
- De-identification is not a fixed or end state. Data may become personal information as the context changes.
- Managing this risk will require regular re-assessment, especially where an entity receives additional data that may alter the state of the previously de-identified data.
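The three points above (stripping identifiers is not enough, generalisation is needed, and the assessment must be repeated as context changes) worked through in code. This is an added example, not part of the Commissioner’s remarks or any OAIC tool; the patient records are constructed, and the k-anonymity measure and the generalisation rules are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample extract (not real patients): names and Medicare numbers
# have already been stripped, yet postcode, birth year and sex remain and
# together act as quasi-identifiers.
RECORDS = [
    {"postcode": "2000", "birth_year": 1961, "sex": "F", "admitted": "2024-03", "dx": "asthma"},
    {"postcode": "2000", "birth_year": 1964, "sex": "F", "admitted": "2024-03", "dx": "diabetes"},
    {"postcode": "2007", "birth_year": 1968, "sex": "F", "admitted": "2024-05", "dx": "asthma"},
    {"postcode": "2007", "birth_year": 1968, "sex": "F", "admitted": "2024-06", "dx": "migraine"},
    {"postcode": "3000", "birth_year": 1990, "sex": "M", "admitted": "2024-03", "dx": "fracture"},
    {"postcode": "3006", "birth_year": 1995, "sex": "M", "admitted": "2024-04", "dx": "asthma"},
]
QUASI_IDS = ("postcode", "birth_year", "sex")

def k_anonymity(records, quasi_ids):
    """Size of the smallest group sharing one quasi-identifier combination.
    k == 1 means someone is unique in the extract, so a holder of those same
    attributes from another source can single them out without any name."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())

def singletons(records, quasi_ids):
    """Records that are unique on the quasi-identifiers: the re-identifiable ones."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return [r for r in records if groups[tuple(r[q] for q in quasi_ids)] == 1]

def generalise(record):
    """Coarsen rather than delete: postcode to its first two digits, birth year
    to a decade band. Utility drops a little; linkability drops a lot."""
    out = dict(record)
    out["postcode"] = record["postcode"][:2] + "xx"
    out["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    return out

def assess(records, quasi_ids, k_required=2):
    """Generalise and report whether the extract meets the required k. Re-run
    whenever the quasi-identifier set changes, e.g. when a column is added."""
    coarse = [generalise(r) for r in records]
    return coarse, k_anonymity(coarse, quasi_ids) >= k_required

if __name__ == "__main__":
    print("raw k:", k_anonymity(RECORDS, QUASI_IDS), "singletons:", len(singletons(RECORDS, QUASI_IDS)))
    coarse, ok = assess(RECORDS, QUASI_IDS)
    print("generalised k:", k_anonymity(coarse, QUASI_IDS), "release ok:", ok)
    # Releasing admission month as well changes the context: k falls back to 1.
    print("with admission month k:", k_anonymity(coarse, QUASI_IDS + ("admitted",)))
```

Four of the six raw records are unique on postcode, birth year and sex even with no name present; generalising lifts the extract to k = 2, and adding one more released column drops it back to k = 1, which is the re-assessment obligation in practice.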
Data security
- It is important that any measures using health information that is personal information address data security.
- Australians will have greater confidence in disclosing health information to GPs and other health service providers if they know that their data is being handled and stored securely in accordance with clear and consistent data security standards.
- APP 1 requires entities to take steps beyond technical security measures in order to protect and ensure the integrity of personal information throughout the information lifecycle, including by implementing strategies in relation to governance, internal practices, processes and systems and dealing with third party providers.
- APP 11 requires entities to take reasonable steps to protect the personal information they hold, which includes actively monitoring their risk environment for emerging threats and implementing appropriate mitigation strategies. This is a dynamic responsibility which scales proportionately to the volume and sensitivity of personal information held by an entity, the nature and size of the entity and the threat environment in which it operates.
Conclusion
- Health data has the potential to provide so many benefits to improve health services and outcomes for all Australians.
- It is important that the use of new technologies involving health data, such as AI, ensures that privacy rights are preserved so that public trust is maintained.
- It is evident that health service providers are trusted with the health-related personal information of Australians, providing a good foundation for public trust in new initiatives involving health data.
- The OAIC consistently receives a large proportion of complaints and NDBs regarding the health sector. It is therefore imperative that the health sector strives to continually improve systems to ensure that personal information is handled appropriately and that public trust is maintained so that these new initiatives succeed, with a focus on:
  - Building trust
  - Carefully considered use of health data in AI
  - Individuals’ consent and control regarding their personal information
  - Sophisticated de-identification, and
  - Data security
- At the OAIC, we are looking to be a regulatory entity that approaches these issues in as holistic a manner as possible.
- In the Australian Public Service context, the Freedom of Information Act recognises that information government holds is a national resource to be managed for public purposes and benefit.
- Public health authorities have been global leaders in publishing public health data for public and private consumption and to foster innovation and advancements in medical research and treatment.
- My vision is to see information – whether in the public or private sector – be recognised, managed and harnessed as the strategic asset it is.
- My goal is to increase the understanding outside this room of the importance and value of effective information governance, and by extension, the importance of the work you do and the people who do it.
- There is an opportunity – and in many cases, a requirement – for organisations and government agencies to step up as data stewards, particularly where that provides the opportunity to further improve the health and wellbeing of Australians.
- I want to conclude with a recognition of your work and offer my thanks.
- The work you do as stewards and trusted custodians of this information is vital not only to trust and accuracy but to our future economic, social and physical well-being. It is an honour to work with you to achieve the positive outcomes you deliver for the community.