Privacy and managing health information in general practice


Last revised: 24 May 2023



Common privacy terms used when managing health information2–4

  • The Australian Privacy Commissioner is the national regulator of privacy, conferred by the Privacy Act 1988 (Privacy Act) and other laws. The Australian Privacy Commissioner holds position within the OAIC. Their primary focus is on privacy, freedom of information and government information policy.
  • Confidentiality refers to a set of obligations imposed through law or ethics. For example, a patient discloses confidential information to their general practitioner (GP) on the understanding the information will only be used within the practitioner–patient relationship. The National Health and Medical Research Council (NHMRC) defines ‘confidentiality’ as ‘the obligation of people not to use private information – whether private because of its content or the context of its communication – for any purpose other than that for which it was given to them’.2
  • De-identified health information refers to health information that is ‘no longer about an identifiable individual or an individual who is reasonably identifiable’.3 Care should be taken to ensure re-identification does not occur. If health information is de-identified, it falls outside of the privacy legislation.
  • Health information includes information or opinions about the health or disability of an individual and a patient’s wishes about future healthcare. It also includes information collected during the provision of a health service (and therefore includes personal details such as names and addresses).3 Health information is regarded as one of the most sensitive types of personal information. For this reason, the Privacy Act provides extra protection for the way health information is handled.
  • Personal information is defined by the Privacy Act as ‘information or opinion about an identified individual, or an individual who is reasonably identifiable’.3 Personal information includes an individual’s:
    • name and address
    • signature
    • contact details
    • birth date
    • medical records
    • bank account details.
    Personal information might be held in any media. A general practice might record personal information on paper and in electronic records, X-rays, computed tomography (CT) scans, videos, photographs and audio recordings. Personal information might be collected by a GP directly from the patient or a third party in the course of providing a healthcare service.
  • Generally, the term ‘use and disclosure’ refers to whether third parties are involved: ‘use’ describes handling within the practice, while ‘disclosure’ describes release to parties outside it. Neither ‘use’ nor ‘disclosure’ is an easily defined term.
  • A practice ‘discloses’ health information if it makes it accessible to persons, agencies or companies ‘outside the entity and releases the subsequent handling of the personal information from its effective control’.3 A GP may disclose health information if they discuss a patient’s conditions with other practitioners.


  1. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles quick reference. 2014 [Accessed 7 November 2022].
  2. National Health and Medical Research Council, Australian Research Council, Australian Vice-Chancellors’ Committee. National statement on ethical conduct in human research (2007) (updated 2018). 2018 [Accessed 16 January 2023].
  3. Commonwealth of Australia. Privacy Act 1988. 1988 [Accessed 7 November 2022].
  4. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles guidelines: Privacy Act 1988. 2015 [Accessed 16 January 2023].
  5. Australian Government, Attorney-General. Parliament approves Government’s privacy penalty bill. 2022 [Accessed 16 January 2023].
  6. Medical Board of Australia, AHPRA. Good medical practice: A code of conduct for doctors in Australia. 2020 [Accessed 16 January 2023].
  7. Australian Government, Office of the Australian Information Commissioner. Business resource. Chapter 9: Research. 2019 [Accessed 16 January 2023].
  8. Australian Government, Office of the Australian Information Commissioner. Chapter 5: APP 5 – Notification of the collection of personal information. 2019 [Accessed 8 November 2022].
  9. Australian Medical Association. Frequently asked questions – Fees. [date unknown] [Accessed 8 November 2022].
  10. Australian Government, Office of the Australian Information Commissioner. Privacy for organisations: Trading in personal information. [date unknown] [Accessed 16 January 2023].
  11. National Health and Medical Research Council. Use and disclosure of genetic information to a patient’s genetic relatives under Section 95AA of the Privacy Act 1988 (Cth) – Guidelines for health practitioners in the private sector. 2014 [Accessed 16 January 2023].