What does the Privacy Act require of an Australian medical clinic holding patient records?
The Privacy Act 1988 and the 13 Australian Privacy Principles bind every private-sector health service provider in Australia regardless of turnover. Patient health information is sensitive information: under APP 11 it must be protected by reasonable security steps, under APP 6 it may be used or disclosed only as the patient would expect, and under APP 1 it must be managed under a documented privacy policy. Any unauthorised access, loss or disclosure that is likely to result in serious harm triggers the Notifiable Data Breach scheme under Part IIIC of the Act.
Reviewed 2026-05-03
Privacy Act 1988 (Cth) — Schedule 1, Australian Privacy Principle 11.1.
If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information … from misuse, interference and loss; and from unauthorised access, modification or disclosure.
Source: Privacy Act 1988 — Schedule 1 (Federal Register of Legislation)
The substance, in plain English.
Every private-sector medical practice is bound by the Privacy Act, full stop. The standard $3 million small-business turnover exemption does not apply to health service providers — a sole-practitioner GP holding clinical records is in scope from day one. The 13 Australian Privacy Principles apply to the whole information life-cycle: collection, storage, use, disclosure, access, correction and destruction.
Patient health information is sensitive information and gets the highest protection in the Act. APP 1 requires the practice to maintain a documented, current privacy policy, publicly available on its website, covering what is collected, why, how it is held, how to access or correct it, and how to complain. APP 6 limits use and disclosure to the primary purpose of collection (clinical care) and a narrow set of secondary purposes — usually directly related care, billing, accreditation, or uses the patient would reasonably expect.
APP 11 is the security limb. The OAIC's Guide to Health Privacy treats reasonable steps as scaling with the sensitivity of the data: multi-factor authentication on practice-management systems (Best Practice, Medical Director, Pen CS, Genie Solutions), encrypted backups, role-based access control, audit logging of clinical record access, and an incident-response plan. The 2025 OAIC determination against Australian Clinical Labs makes clear that under-investment in basic cyber hygiene is itself the contravention — not just the breach that follows.
Part IIIC creates the Notifiable Data Breach scheme. Once the practice has reasonable grounds to suspect an eligible data breach, it has up to 30 days under s.26WH to assess, and must notify the Commissioner and affected patients as soon as practicable under s.26WK. Late notification is a separate, additional contravention — it cost ACL $1.6 million on top of the security failure penalty.
Third-party data sharing — referrals, pathology, allied-health letters, secure-messaging platforms, EMR vendors, medical-marketing agencies — must be governed by a written agreement that flows the privacy obligations through. The practice remains accountable for any APP breach by a contracted handler operating on its instruction.
Maximum penalty: up to $50 million for a body corporate per serious or repeated interference with privacy under s.13G (or 3× the benefit obtained, or 30% of adjusted turnover during the breach period, whichever is greater); up to $2.5 million for an individual.
Recent enforcement under this provision:
- 2025: Australian Information Commissioner v Australian Clinical Labs Limited
  Federal Court ordered ACL to pay $5.8 million on 8 October 2025 — the first civil penalty under the Privacy Act — for the February 2022 Medlab Pathology cyberattack that exposed records of more than 223,000 individuals; $4.2m for APP 11.1 security failures, $800k for failure to assess under s.26WH, $800k for failure to notify under s.26WK.
- 2025: OAIC Notifiable Data Breaches Report — health sector volume
  Health service providers were the most-notified sector in the July–December 2024 period at 121 notifications (20% of the 595 total), and remained the leading sector at 18% in January–June 2025; malicious or criminal attacks drove 69% of breaches, human error 29%.
- 2019: OAIC GP-clinic My Health Record assessment
  OAIC privacy assessment of 150 general-practice clinics and 150 community pharmacies on the My Health Record emergency-access function found inconsistent compliance with APP 1.2 and APP 11.1 and the Rule 42 written security and access policy obligation, and prompted broader RACGP–OAIC clinic-level guidance.
  Source: OAIC — My Health Records security and access policy assessment 1: GP clinic survey
- 2025: OAIC NDB statistics — health sector trend
  Across multiple reporting periods the health sector has consistently been the most-notified industry in the NDB scheme, with the OAIC's January–June 2025 figures recording 532 total notifications (10% down on the prior period) and an average of more than 10,000 individuals affected per cyber incident.
  Source: OAIC blog — Latest Notifiable Data Breach statistics for January to June 2025
A worked example.
A multi-site GP network in NSW runs Best Practice on a Windows server in the back office of each clinic, with reception staff sharing a single login. A locum credentialed three months earlier still has active access. The marketing manager exports a list of patients prescribed semaglutide in the past 90 days into a spreadsheet, and emails it to an external creative agency for a re-engagement campaign. Three APP failures stack up at once: APP 11 (no MFA, no role-based access, shared credentials), APP 6 (secondary use of sensitive information for direct marketing without consent), and APP 1 (no documented data-sharing arrangement with the agency). If the spreadsheet is intercepted in transit or the agency's mailbox is compromised, the practice has 30 days under s.26WH to assess and must notify under s.26WK — and the security gap is its own contravention even if no breach follows. The fix: MFA on the server, named per-user accounts with quarterly access review, the campaign run from de-identified counts only.
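As an added example (not part of this page, and not code from Best Practice or any other vendor named above), here is a small Python model of two of the controls the fix lands on: a quarterly access review that flags the shared reception login and the locum whose access was never re-attested, and an export path that gives marketing only de-identified cohort counts while logging every attempt to pull patient-level rows. The account records, prescriptions, the 90-day review cadence and the minimum cell size of 10 are all constructed assumptions for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy constants (not from the page): quarterly review cadence,
# minimum cell size below which a cohort count is suppressed, and the roles
# entitled to patient-level rows for clinical (primary-purpose) use.
REVIEW_WINDOW_DAYS = 90
MIN_CELL_SIZE = 10
CLINICAL_ROLES = {"gp", "nurse"}
TODAY = date(2025, 6, 30)  # constructed "as at" date for the sample data


@dataclass(frozen=True)
class Account:
    username: str
    holder: str          # named person, or "shared" for a login used by several staff
    role: str
    last_login: date
    last_reviewed: date  # date a manager last attested the access is still needed
    active: bool = True


@dataclass(frozen=True)
class Prescription:
    patient_id: str
    drug: str
    prescribed_on: date


def review_access(accounts: list[Account], today: date) -> list[tuple[str, str]]:
    """Quarterly access review: return (username, reason) findings for active accounts."""
    cutoff = today - timedelta(days=REVIEW_WINDOW_DAYS)
    findings = []
    for a in accounts:
        if not a.active:
            continue
        if a.holder == "shared":
            findings.append((a.username, "shared credential; issue named per-user accounts"))
        if a.last_login < cutoff:
            findings.append((a.username, f"no login in {REVIEW_WINDOW_DAYS} days; disable pending confirmation"))
        if a.last_reviewed < cutoff:
            findings.append((a.username, "access not re-attested this quarter"))
    return findings


def cohort_counts(prescriptions: list[Prescription], today: date, lookback_days: int = 90) -> dict[str, int | None]:
    """De-identified output: drug -> distinct patients prescribed it in the window.

    Counts below MIN_CELL_SIZE are returned as None (suppressed) so a tiny cohort
    cannot be re-identified by combining the count with other knowledge.
    """
    since = today - timedelta(days=lookback_days)
    patients_by_drug: dict[str, set[str]] = {}
    for p in prescriptions:
        if since <= p.prescribed_on <= today:
            patients_by_drug.setdefault(p.drug, set()).add(p.patient_id)
    return {drug: (len(ids) if len(ids) >= MIN_CELL_SIZE else None)
            for drug, ids in patients_by_drug.items()}


def export_rows(requester_role: str, prescriptions: list[Prescription], audit_log: list[dict]) -> list[Prescription]:
    """Patient-level rows leave the system only for clinical roles; every attempt is logged."""
    allowed = requester_role in CLINICAL_ROLES
    audit_log.append({"actor_role": requester_role, "action": "export_rows",
                      "records": len(prescriptions), "allowed": allowed})
    if not allowed:
        raise PermissionError(f"role {requester_role!r} may only receive de-identified counts")
    return list(prescriptions)


def sample_accounts() -> list[Account]:
    """Constructed sample data mirroring the scenario: one shared login, one stale locum."""
    return [
        Account("dr_ahmed", "Dr Ahmed", "gp", date(2025, 6, 28), date(2025, 4, 15)),
        Account("reception", "shared", "reception", date(2025, 6, 30), date(2025, 4, 15)),
        Account("locum_jones", "Dr Jones", "gp", date(2025, 3, 25), date(2025, 3, 20)),
        Account("mkt_lee", "L. Lee", "marketing", date(2025, 6, 29), date(2025, 5, 1)),
        Account("n_patel", "N. Patel", "nurse", date(2024, 12, 1), date(2024, 12, 1), active=False),
    ]


def sample_prescriptions() -> list[Prescription]:
    """Constructed sample data: 12 semaglutide patients in window, 2 outside, 3 metformin."""
    rows = [Prescription(f"P{n:03d}", "semaglutide", TODAY - timedelta(days=10)) for n in range(1, 13)]
    rows.append(Prescription("P001", "semaglutide", TODAY - timedelta(days=40)))  # repeat script, same patient
    rows += [Prescription(f"P{n:03d}", "semaglutide", TODAY - timedelta(days=120)) for n in (13, 14)]  # outside window
    rows += [Prescription(f"P{n:03d}", "metformin", TODAY - timedelta(days=5)) for n in range(20, 23)]  # small cohort
    return rows


if __name__ == "__main__":
    for user, reason in review_access(sample_accounts(), TODAY):
        print(f"REVIEW {user}: {reason}")
    print("cohort counts:", cohort_counts(sample_prescriptions(), TODAY))
    audit: list[dict] = []
    try:
        export_rows("marketing", sample_prescriptions(), audit)
    except PermissionError as err:
        print("DENIED:", err)
    print("audit:", audit)
```

Run as a script it lists the review findings, prints the suppressed metformin cell and the semaglutide count, and shows the denied marketing export landing in the audit log. The point of the small-cell suppression is that a count such as "2 patients on drug X at this clinic" is itself re-identifying in a small community, so the de-identified campaign the fix calls for still needs a floor on what it releases.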
The questions that come next.
Does the Privacy Act apply if I'm a sole-practitioner GP turning over under $3 million?
Yes. Health service providers are excluded from the small-business exemption under s.6D(4) of the Privacy Act — every private-sector medical practice is an APP entity from the first patient record. The OAIC's Guide to Health Privacy is the authoritative practice-level reference.
How long do I have to notify the OAIC of a data breach?
From the moment the practice has reasonable grounds to suspect an eligible data breach, s.26WH allows up to 30 days to complete an assessment. Once you have reasonable grounds to believe a breach has occurred, s.26WK requires notification to the Commissioner and affected patients as soon as practicable. Late notification was a separate $800,000 penalty in AIC v ACL.
Can I use a patient mailing list for marketing?
Direct marketing using sensitive health information is heavily restricted by APP 7 and APP 6 — the patient must have consented to the use, or it must be within their reasonable expectations from the original collection context. Generic clinic-news emails to the broader patient base may be acceptable; cohort-targeted promotion of a specific treatment is not, without specific consent.
Who is responsible if my EMR vendor or marketing agency has the breach?
The practice. Under APP 11 the entity that holds the personal information remains accountable for reasonable security steps, including the security of any contracted data handler. The OAIC treats vendor and agency arrangements as flow-through obligations, governed by a written agreement and ongoing oversight.
Are paper records covered by the same rules as digital records?
Yes. The APPs apply to personal information in any form — paper charts in a back-office filing cabinet attract the same APP 11 reasonable-steps obligation as a cloud-hosted EMR. The reasonable steps differ (locked storage, supervised access, secure destruction) but the standard is identical.