
Privacy and managing health information in general practice

Information management for general practice business information


Last revised: 24 May 2023




  • Health information must not be used or disclosed for direct marketing without patient consent.
  • Your practice must obtain patient consent to any services with commercial aspects, such as vaccinations.
  • Sending unsolicited commercial communications to your patients is generally prohibited.

Prohibitions on direct marketing

General practices might not ordinarily consider themselves to be engaging in marketing activities. However, any promotion of a practice’s services, even scheduled reminders or communications sent as part of recommended clinical practice, might be considered direct marketing and therefore carries privacy obligations.

Direct marketing in a clinical setting refers to any marketing technique by which a practice promotes goods and services directly to patients. Practices should note that some routine clinical initiatives might inadvertently breach these laws. For example, letters that use or disclose personal information to promote flu vaccination services and advise patients about them could be considered direct marketing.

In contrast, the Australian Privacy Commissioner considers that letters relating to ongoing care are less likely to breach privacy laws, especially if the letters simply inform the patient of scheduled assessments and do not specifically promote any services.

To avoid inadvertently breaching these laws, practices should obtain patient consent by:

  • requesting consent (via opt-in or opt-out mechanisms) on patient registration sheets and recording this consent in the management software
  • asking for consent as patients present to the practice
  • undertaking a directed consent campaign.

Refusal requests for marketing

Practices must have adequate procedures in place to ensure marketing messages are not sent to patients who have expressed their refusal.

The Spam Act and Do Not Call Register

It is important that practices are aware of the applicable prohibitions (and their exceptions) when sending electronic (email or text message) or telephone communications. The Privacy Act defers to the operation of the Spam Act 2003 and the Do Not Call Register Act 2006.

Generally, these Acts prohibit practices from sending unsolicited communications (by email, text message or telephone call) with the aim of selling goods or services. Practices sending solicited communications must ensure they meet any requirements first; for example, providing an unsubscribe function for mobile text message reminders.
