How do the Australian Privacy Principles apply to dental practice records, software and data breaches?
Patient dental records — clinical notes, intra-oral photography, OPG and CBCT imaging, consent forms, payment data — are health information under the Privacy Act 1988. Dental practices are covered by the Act regardless of turnover. The thirteen Australian Privacy Principles govern collection, use, disclosure, security and access. Practices using Dentrix, Praktika, EXACT or Core Practice are responsible jointly with the software vendor for the records held. The Notifiable Data Breaches scheme requires assessment and notification of eligible breaches to the OAIC and affected patients, typically within 30 days.
Reviewed 2026-05-03.
Privacy Act 1988 (Cth), Schedule 1 — Australian Privacy Principle 11.
If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information … from misuse, interference and loss; and from unauthorised access, modification or disclosure.
The substance, in plain English.
Every dental practice in Australia is an APP entity, regardless of turnover. Section 6FB of the Privacy Act sweeps in any private-sector entity providing a health service. Solo dentists, group practices and DSO-owned chains all carry the same baseline obligations. Patient dental records are health information and are afforded the highest tier of protection — the consent and use limbs are stricter than for ordinary personal information.
APP 1 requires an up-to-date privacy policy, accessible from the homepage and in the practice. APP 3 requires that collection of patient information be necessary for the practice's functions and, for sensitive information including health, be done with consent. APP 5 requires patients to be notified at point of collection about how their data will be used. APP 6 limits secondary use — sharing imaging with a third-party lab for crown fabrication is a permitted directly-related purpose; bulk-uploading patient lists into a marketing CRM for re-engagement campaigns is not, without separate consent.
APP 11 (security) is the most heavily enforced limb for dental practices. Practice-management systems holding clinical records — Dentrix, Praktika, EXACT, Core Practice, Oasis, D4W — must be configured with role-based access controls, audit logging and encrypted backups. Staff training on phishing and credential hygiene is part of "reasonable steps". The practice and the software vendor are joint holders of the records for Privacy Act purposes; vendor agreements should specify breach-notification flow-through.
Records retention is governed primarily by state-level health-records statutes that overlay the Privacy Act. NSW (Health Records and Information Privacy Act 2002, s.25), Victoria (Health Records Act 2001) and the ACT prescribe a minimum of 7 years from the last service for adult patients, and until age 25 for minors. Other states and territories rely on common-law and limitation-period guidance with materially the same effect. Premature destruction of records is a separate breach in addition to any privacy issue.
The Notifiable Data Breaches scheme requires the practice to assess whether unauthorised access, disclosure or loss of personal information is likely to result in serious harm. Where it is, the practice must notify the OAIC and affected patients as soon as practicable, generally within 30 days of becoming aware. The OAIC's July–December 2024 report records the health sector as the top-reporting sector — 121 health-sector notifications, 20% of all notifications nationally — and the half-year to June 2025 saw the sector retain top spot at 18%. Ransomware on practice-management systems is the dominant breach vector.
Maximum penalty: Civil penalties for serious or repeated interferences with privacy: up to $50 million, three times the value of any benefit obtained, or 30% of adjusted turnover for the relevant 12-month period — whichever is greatest — for bodies corporate under the December 2022 Privacy Act amendments. Lower-tier penalties apply for less-serious breaches.
Recent enforcement under this provision:
- 2025: OAIC Notifiable Data Breaches report — health sector top of list. OAIC's report for July–December 2024 recorded 121 health-service-provider notifications (20% of all sector notifications, the top sector). The January–June 2025 report kept the health sector in first place at 18%. Ransomware and credential compromise on practice-management systems are the dominant causes.
- 2025: OAIC NDB statistics dashboard (2018–present, ongoing). OAIC's interactive dashboard exposes notification volumes, breach causes and affected-individual counts by sector since 2018. The dashboard confirms health-service providers as the most-notifying sector across the period, with breach causes shifting toward ransomware and human-error misdirected disclosure.
- 2022: Privacy Act amendments — penalty uplift. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 lifted the maximum penalty for serious or repeated interference with privacy by a body corporate to $50m / 3x benefit / 30% of adjusted turnover, materially raising the financial exposure for dental groups handling patient health records. Source: Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.
A worked example.
A four-location Sydney dental group runs Praktika as its practice-management system, with patient records, OPGs and intra-oral photography stored in the vendor's cloud. A receptionist clicks through a phishing email impersonating the vendor support portal; the attacker uses the credentials to extract a 14,000-record export including names, dates of birth, Medicare numbers, treatment notes and imaging. Under APP 11 the group must show it had "reasonable steps" in place — MFA on the system, role-based access, audit logs reviewed, staff training current. Under the NDB scheme the group has roughly 30 days from becoming aware to assess and notify the OAIC and affected patients. State-level retention rules (s.25 of the NSW HRIP Act for adults, age-25 floor for minors) determine which records had to be in the system in the first place; the breach notification must specify what was exposed and what mitigations are being taken.
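The worked example turns on whether the group can show its audit logs were actually reviewed, and a 14,000-record export by a reception login is exactly the kind of event a routine review should surface. The following is an added illustration, not code from the page or from any practice-management vendor: it parses a constructed, hypothetical audit-log format (timestamp, user, action, record count), totals export volume per user per day, and flags any day that exceeds an assumed review threshold, as well as exports outside assumed business hours. The log lines, field layout, threshold and hours are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines in a hypothetical CSV layout
# (timestamp,user,action,record_count). No real product writes this format;
# the values mirror the scenario above: a normal working day, then a late
# login on the same reception account followed by a 14,000-record export.
SAMPLE_AUDIT_LOG = """\
2025-03-03T09:02:11,reception1,login,0
2025-03-03T09:05:40,reception1,view_record,1
2025-03-03T09:06:02,reception1,export_records,1
2025-03-03T11:30:15,dr_smith,export_records,3
2025-03-03T22:41:07,reception1,login,0
2025-03-03T22:43:19,reception1,export_records,14000
2025-03-04T08:15:00,reception1,login,0
"""

# Assumed per-user daily export volume above which a reviewer should look;
# a real practice would set this from its own baseline.
DAILY_EXPORT_THRESHOLD = 500


def parse_audit_log(text):
    """Parse the hypothetical CSV audit log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, count = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "count": int(count),
        })
    return events


def daily_export_totals(events):
    """Sum exported record counts per (user, ISO date)."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "export_records":
            totals[(e["user"], e["ts"].date().isoformat())] += e["count"]
    return dict(totals)


def flag_bulk_exports(events, threshold=DAILY_EXPORT_THRESHOLD):
    """Return users/days whose export volume exceeds the review threshold."""
    flagged = []
    for (user, day), total in sorted(daily_export_totals(events).items()):
        if total > threshold:
            flagged.append({"user": user, "date": day, "records": total})
    return flagged


def after_hours_exports(events, start_hour=7, end_hour=19):
    """Return export events outside the assumed 07:00-19:00 clinic day."""
    return [
        e for e in events
        if e["action"] == "export_records"
        and not (start_hour <= e["ts"].hour < end_hour)
    ]


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    for hit in flag_bulk_exports(evts):
        print("bulk export for review:", hit)
    for e in after_hours_exports(evts):
        print("after-hours export:", e["user"], e["ts"].isoformat(), e["count"])
```

Run daily against the real system's export log, a check like this produces the "audit logs reviewed" evidence APP 11 asks for and, in the scenario above, would have surfaced the export on the night it happened rather than when the OAIC notification was being drafted.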
The questions that come next.
Does the Privacy Act apply to a sole-practitioner dentist with under $3 million turnover?
Yes. The small-business exemption to the Privacy Act has a carve-out for any entity providing a health service — section 6FB of the Act. Solo dentists are APP entities and have the full obligation set, including APP 11 security requirements and Notifiable Data Breach scheme reporting. State-level health-records statutes (NSW, Victoria, ACT) overlay further obligations on top.
Can we send patient OPG or intra-oral photography to a third-party crown lab?
Yes — this is a directly-related secondary use under APP 6.2, provided patients have been notified at point of collection (APP 5) that imaging may be sent to laboratories for prosthetic fabrication. Best practice is documenting the disclosure in the privacy policy and the consent-to-treatment form, and using the lab's secure transfer channel rather than open email. The practice and the lab are both APP entities responsible for the data they hold.
How long must we keep dental records?
Adult records: 7 years from the date of the last service in NSW (HRIP Act s.25), Victoria (Health Records Act 2001) and the ACT, with materially equivalent limitation-period expectations in other jurisdictions. Records of patients treated as minors: until the patient turns 25, regardless of state. Implant records, medico-legal cases and forensic-relevance records typically warrant longer retention. Premature destruction is a separate breach in addition to any privacy issue.
What triggers the Notifiable Data Breach scheme?
An eligible data breach is unauthorised access to, disclosure of or loss of personal information held by the practice that is likely to result in serious harm to the affected individuals. Likelihood of harm is assessed by the kind of information involved (health information is high-sensitivity), who has accessed it, and the likely use. Once the practice becomes aware of a possible eligible breach, it has 30 days to assess and, if confirmed, notify the OAIC and affected patients.
Who is liable when the breach is in the practice-management system, not the practice?
Both the practice and the vendor are likely to be APP entities holding the records, and each has independent obligations under APP 11 and the NDB scheme. Vendor agreements should specify breach-notification flow-through, allocation of investigation cost and indemnity. The practice cannot contract out of its statutory obligation to notify affected patients — but it can recover via the contract.