New guide released to help health sector improve privacy practice

8 October 2019
Tags: news

A comprehensive Guide to health privacy has been released by the Office of the Australian Information Commissioner (OAIC) to help keep patients’ personal information safe.

Over the past three years, health service providers have consistently been one of the top three sources of privacy complaints to the OAIC. They have also been the leading source of notifiable data breaches since mandatory notification started in February 2018.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the guide brings together a wide range of OAIC advice for all health service providers covered by the Privacy Act 1988.

“I expect health service providers to be familiar with their privacy obligations and to take all reasonable steps to protect the personal information they are entrusted with,” Commissioner Falk said.

“This includes any organisation that provides a health service and holds health information, from a doctor or private hospital through to a dentist, gym or childcare centre.”

Commissioner Falk urged health service providers to use the guide to improve their privacy practice.

“Health information is considered to be some of the most personal information about an individual, and it must be handled responsibly and transparently.”

“This guide is a step-by-step guide to help the health sector understand their privacy obligations and embed good privacy principles throughout their practice.

“It provides practical advice on meeting legal requirements and obtaining consent for the collection, use and disclosure of personal information.

“Where there are serious breaches of privacy, the OAIC has a range of regulatory powers to hold organisations to account, including auditing privacy practices, determining complaints or awarding compensation.

“We can also seek civil penalties through the Federal Court of up to $2.1 million per privacy breach.”

The Guide features an eight-step plan for better privacy practice:

  1. Develop and implement a privacy management plan
  2. Develop clear lines of accountability for privacy management
  3. Create a documented record of the types of personal information you handle
  4. Understand your privacy obligations and implement processes to meet those obligations
  5. Hold staff training sessions on privacy obligations
  6. Create a privacy policy
  7. Protect the information you hold
  8. Develop a data breach response plan.

The guide is available at

Health sector organisations can also download a poster highlighting the eight-step plan.