Regimen

What do APP 11 and the Notifiable Data Breaches scheme require of an Australian telehealth platform?

Australian Privacy Principle 11 requires telehealth platforms to take reasonable steps to protect personal information — and health information sits in the sensitive-information category, which attracts the highest expectation of care. The Notifiable Data Breaches scheme makes notification mandatory when an eligible breach is likely to result in serious harm. The health sector accounted for 22% of all NDB notifications in 2024 — the largest single sector — and 1,113 breaches were reported in 2024, the highest annual figure since the scheme began.

Reviewed 2026-05-03
01 The statute

Privacy Act 1988 (Cth), Schedule 1 — APP 11.1.

If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information: (a) from misuse, interference and loss; and (b) from unauthorised access, modification or disclosure.

Source: OAIC — Chapter 11: APP 11 Security of personal information

02 What it requires for telehealth and DTC health

The substance, in plain English.

Health information is sensitive information under the Privacy Act and the threshold for "reasonable steps" rises accordingly. For a telehealth platform that captures consult video, transcripts, prescribed medicines, symptom intake, demographic and payment data, the OAIC's Guide to Securing Personal Information sets the operational expectation: governance, encryption in transit and at rest, access controls and logging, monitoring, vendor due diligence, secure disposal and ongoing review. The Guide to Health Privacy (collated May 2025) layers the sector-specific overlay on top, including consent flows, secondary-use boundaries and the My Health Records Act interaction.

Cloud-hosted clinical infrastructure does not transfer the obligation. APP 11 applies to information the platform holds, including information held by a third-party provider on the platform's behalf. The OAIC's published guidance is explicit that adopting cloud computing requires the entity to assess the security controls of the provider, manage the relationship through effective contractual clauses, verify security claims and maintain regular reporting and monitoring. Reliance on the provider's certifications without independent verification is not "reasonable steps".

Chat logs, asynchronous messaging and consult recordings are clinical records for privacy purposes. Treating them as marketing-grade conversation data — exporting to a CRM without segregation, syndicating to a customer-data platform with broader access controls, training models on raw consult content — is the dominant pattern of breach the OAIC flags. The same applies to integrations: app-store data sharing, analytics SDKs that capture form fields containing health information, third-party live-chat tools that route messages through unverified processors.

The Notifiable Data Breaches scheme requires notification to the OAIC and to affected individuals when a breach is likely to result in serious harm. Health information is treated as automatically high-risk in the OAIC's published guidance. The scheme requires notification "as soon as practicable" once the entity is aware or ought to be aware of an eligible breach, with an assessment window of up to 30 days where uncertainty exists. In 2024 malicious or criminal attacks were 69% of notifications, with phishing (30%), compromised credentials (27%) and ransomware (24%) the dominant cyber vectors.

Vendor compliance is operational, not contractual. A telehealth platform that holds an SOC 2 report from each processor without conducting periodic assurance reviews, that does not maintain a current vendor register tied to data flows, that has not stress-tested its incident response against a ransomware scenario, that does not have segregated retention for sensitive information versus marketing data — sits below the OAIC's published expectations regardless of what the contracts say.

03 The stakes

Maximum penalty: Up to $50 million for bodies corporate, or three times the benefit obtained, or 30% of adjusted turnover during the breach period (whichever is greater) for serious or repeated interference with privacy. Up to $2.5 million for individuals. The increased penalties have been in force since December 2022 under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.

Recent enforcement under this provision:

  1. 2025

    OAIC NDB Report — 2024 health sector

    The health sector reported 22% of all NDB notifications in 2024, the largest single sector. A total of 1,113 breach notifications were made across all sectors — the highest annual figure since the scheme began. 595 were reported in the second half of 2024, up from 518 in the first half.

    OAIC — Notifiable Data Breaches Report: July to December 2024

  2. 2024

    Medibank Private — 2022 breach (NDB scheme)

    9.7 million current and former customers' health and personal information exfiltrated in October 2022. OAIC commenced civil-penalty proceedings in Federal Court in June 2024 alleging serious or repeated interference with privacy contrary to APP 11. Reference matter for the security expectations applied to Australian health entities.

    OAIC — Commissioner takes action against Medibank Private

  3. 2024

    Australian Clinical Labs (Medlab Pathology) determination

    OAIC commenced civil-penalty proceedings in Federal Court in November 2023 over the 2022 Medlab Pathology breach affecting 223,269 individuals. Pathology data, Medicare numbers and credit-card details were taken; alleged failure to take reasonable steps under APP 11 and delayed NDB notification.

    OAIC — Commissioner takes action against Australian Clinical Labs

04 At clinic level

A worked example.

An Australian DTC men's health platform runs consults through a third-party video tool, stores transcripts in a cloud CRM shared with the marketing team for retention campaigns, pipes consult outcomes to a customer-data platform alongside ad-platform pixel events, and uses an analytics SDK on the booking funnel that captures the symptom-intake form fields. Three APP 11 problems land at once: clinical records are co-located with marketing data on access controls designed for marketing data; sensitive information is being shared with ad-tech processors via the SDK; the customer-data platform aggregates a single record that, if exfiltrated, exposes the prescription history of every patient. The remediation is structural — segregate clinical records from marketing infrastructure, remove form-field capture from analytics, replace the live-chat tool with a processor under a current data-processing agreement and assurance review, and run a vendor inventory against APP 11 reasonable steps. None of this is hypothetical for the category.
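Two of the remediation steps in this worked example, and the analytics-SDK and customer-data-platform concerns raised in section 02, can be enforced in code rather than left to policy. The JavaScript below is an added example, not Regimen's code, the OAIC's guidance, or any analytics vendor's SDK API: it classifies every intake field by data class against an allow-list, drops unclassified or over-sensitive fields from any payload bound for a marketing destination (fail closed), and refuses to route a record containing clinical data to infrastructure not approved for it. The field names, destinations, and sample submission are constructed assumptions for illustration.

```javascript
// Added example (not from the page or any vendor SDK): allow-list classification
// of intake fields plus a per-destination routing guard, so health intake
// never reaches analytics/marketing processors and clinical records are not
// co-located with marketing data.

// Data classes. "clinical" stands for health information, which is sensitive
// information under the Privacy Act and must be segregated from marketing data.
const DATA_CLASS = Object.freeze({
  MARKETING: "marketing", // funnel and campaign data with no health content
  IDENTITY: "identity",   // contact details: personal but not sensitive
  CLINICAL: "clinical",   // health information: sensitive
});

// Higher rank = more sensitive. A destination approved for a class may also
// receive every lower-ranked class, never a higher one.
const RANK = Object.freeze({ marketing: 0, identity: 1, clinical: 2 });

// Allow-list of intake fields and their class (constructed assumption). Fields
// absent from this list are dropped from every outbound payload, so a new
// free-text field added to the booking form cannot silently leak to a processor.
const FIELD_CLASSES = Object.freeze({
  consult_type: DATA_CLASS.MARKETING,
  utm_source: DATA_CLASS.MARKETING,
  state: DATA_CLASS.MARKETING,
  email: DATA_CLASS.IDENTITY,
  phone: DATA_CLASS.IDENTITY,
  symptoms: DATA_CLASS.CLINICAL,
  current_medications: DATA_CLASS.CLINICAL,
  condition: DATA_CLASS.CLINICAL,
});

// Each destination records the most sensitive class it is approved to hold.
// "Approved" stands in for: data-processing agreement in place, assurance
// review current, access controls scoped to that class (constructed assumption).
const DESTINATIONS = Object.freeze({
  analytics_sdk: { maxClass: DATA_CLASS.MARKETING },
  customer_data_platform: { maxClass: DATA_CLASS.IDENTITY },
  clinical_record_store: { maxClass: DATA_CLASS.CLINICAL },
});

// Class of a single field, or null when the field is not on the allow-list.
function classifyField(name) {
  return Object.prototype.hasOwnProperty.call(FIELD_CLASSES, name)
    ? FIELD_CLASSES[name]
    : null;
}

// Most sensitive class present in a record, or null if no field is classified.
function recordClass(record) {
  let highest = null;
  for (const name of Object.keys(record)) {
    const cls = classifyField(name);
    if (cls !== null && (highest === null || RANK[cls] > RANK[highest])) {
      highest = cls;
    }
  }
  return highest;
}

// Client-side guard: the payload an analytics/marketing beacon is allowed to
// carry. Returns the filtered payload and the *names* of dropped fields (never
// their values) so the drop can be logged for audit.
function buildPayloadFor(destination, formData) {
  const dest = DESTINATIONS[destination];
  if (!dest) throw new Error(`unknown destination: ${destination}`);
  const payload = {};
  const dropped = [];
  for (const [name, value] of Object.entries(formData)) {
    const cls = classifyField(name);
    if (cls === null || RANK[cls] > RANK[dest.maxClass]) dropped.push(name);
    else payload[name] = value;
  }
  return { payload, dropped };
}

// Server-side guard: refuse to forward a whole record to infrastructure not
// approved for its class, instead of silently trimming it. Unknown
// destinations are never routable.
function isRoutable(destination, record) {
  const dest = DESTINATIONS[destination];
  if (!dest) return false;
  const cls = recordClass(record);
  return cls === null || RANK[cls] <= RANK[dest.maxClass];
}

// Constructed sample: one booking-funnel submission that includes health intake
// and a field nobody classified.
const SAMPLE_INTAKE = Object.freeze({
  consult_type: "mens_health",
  utm_source: "search",
  state: "VIC",
  email: "patient@example.com",
  symptoms: "hair thinning for six months",
  current_medications: "none",
  free_text_notes: "unlisted field added by a form change",
});

function demo() {
  return {
    beacon: buildPayloadFor("analytics_sdk", SAMPLE_INTAKE),
    cdpOk: isRoutable("customer_data_platform", SAMPLE_INTAKE),
    storeOk: isRoutable("clinical_record_store", SAMPLE_INTAKE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design choice that matters is the allow-list: a deny-list of "health" field names fails open the first time a product change adds a new free-text box, whereas unclassified fields here are dropped by default and surface in the `dropped` list for review. The same classification drives both the browser-side beacon and the server-side pipeline, so the analytics SDK, the CDP export, and the clinical store all answer to one record of which class each destination is approved for.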

05 Adjacent questions

The questions that come next.

  1. Does APP 11 apply to a telehealth platform with under $3 million turnover?

    Yes. The small-business exemption under the Privacy Act does not apply to entities that provide a health service and hold health information. Health service providers are explicitly captured regardless of turnover. Every Australian telehealth platform is an APP entity for the patient-data parts of its operations.

  2. Can we use US-based cloud processors for consult recordings?

    APP 8 governs cross-border disclosure and requires the entity to take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to the information. Most major US cloud providers offer Australian regions; using the AU region is the cleanest position. If processing must occur offshore, reasonable steps include contractual binding to APP-equivalent obligations, technical controls (encryption with AU-held keys, no-export configuration where available) and ongoing assurance.

  3. Are chat logs and SMS reminders clinical records for privacy purposes?

    Yes — if the content includes health information about an identified or reasonably identifiable individual. Symptom messages, prescription confirmations, follow-up reminders that reference the medicine or condition all qualify. They attract the same APP 11 expectations as a structured clinical record. The dominant pattern of error is treating them as conversation data and putting them into systems sized for that.

  4. What is the NDB notification window?

    Notification must be made "as soon as practicable" once the entity is aware or ought reasonably to be aware of an eligible data breach. Where there is uncertainty about whether a breach is eligible, the entity has up to 30 days to assess. For health information, the OAIC's published view is that serious harm should be presumed unless evidence rebuts it; same-day notification is the cleanest position for confirmed exfiltration.

  5. Can we train a model on consult transcripts if we de-identify?

    De-identification is harder than the marketing copy suggests, particularly with free-text consult content where named entities, location, prescriber, dates and condition can re-identify in combination. The OAIC's published guidance treats de-identification as a process subject to ongoing risk assessment, not a one-off transformation. Train-time uses of clinical content require explicit consent, not just a policy line, and the APP 6 boundary on secondary use is narrow for sensitive information.

06 Primary sources

Read it for yourself.

