Recently, the Office of the Australian Information Commissioner (OAIC) released the findings of an assessment it made of the privacy policies of forty general practice clinics against Australian Privacy Principle 1 (APP1).


APP1 requires all entities subject to the Privacy Act 1988 (Cth), which includes all health service providers, to have a clearly expressed and up-to-date policy about how the entity manages personal information. Although the assessment related only to general practice, its comments are clearly applicable to all health service providers.

More specifically, APP1.3 requires health service providers to have an up-to-date policy, APP1.4 sets out the minimum requirements for the policy, and APP1.5 and 1.6 provide for access to the privacy policy.

The OAIC assessed the content of the privacy policies and access to those documents.

In summary, some of the main recommendations coming out of the assessment are:

  • If a GP practice has a website then the policy should be available on the website
  • The practice should make a hard copy of the privacy policy available to patients at the clinic
  • The policy should be easy to read
  • The policy should contain the position title, telephone number, postal address and email address of a contact person at the practice to whom a request to access and correct personal information should be directed (although a generic telephone number and email address can be used in case of staff changes)
  • In addition to advising patients that the practice collects information relating to their medical care the policy should go further to detail that the patient’s name, date of birth, address, Medicare or individual health care identifiers will also be collected
  • Practices should include further information advising patients how the practice collects information, such as through patient registration forms, the consultation process, or from third parties such as other health care providers and pathology labs
  • Practices should be encouraged to include further details about how personal information is held securely, for example, with the use of passwords to protect electronic information and storing files in secure cabinets
  • The policy should clearly state all of the “usual” purposes for which the information is collected, held, used and disclosed, which may mean also stating in the policy that information may be used for quality assurance or accreditation purposes, or by IT service providers
  • Expanded detail on the complaint resolution process, such as asking patients to make the complaint in writing, stating that the organisation will respond to the complaint in a reasonable time (usually 30 days), and advising of the complainant’s ability to take the matter to the OAIC if dissatisfied with the practice’s response
  • There was also a specific emphasis on E-Health, which included the My Health Records Act 2012 (Cth), the Healthcare Identifiers Act 2010 (Cth) and the use of electronic transfer of prescriptions (eTP) services. If the clinic uses the My Health Record system, it should inform patients that the clinic may collect, use and disclose their health information for the purpose of using the My Health Record system.

As with every practice policy, the contents should be reviewed regularly to ensure compliance with the relevant legislative obligations and that the policy reflects your current practice requirements.

We recommend you undertake a review of your practice’s privacy policy and should you have any particular questions, please contact the Claims and Legal Services department at MIGA for further assistance.

Other resources

  1. General Practice Clinic – APP1 Privacy Policy Assessment

  2. OAIC Guide to Developing an APP Privacy Policy

  3. RACGP’s Practice tools

    The RACGP’s privacy policy template for general practices and privacy policy pamphlet template
