Privacy and managing health information in general practice

Key concepts

Australian Privacy Commissioner

The Australian Privacy Commissioner is the national privacy regulator, with powers conferred by the Privacy Act 1988 (Privacy Act) and other laws. The Commissioner sits within the Office of the Australian Information Commissioner (OAIC).

Australian Privacy Principles

The Australian Privacy Principles (APPs) provide a consolidated and universal set of principle-based laws, focusing on transparency in the following five areas: 

  • Consideration of personal information (APPs 1 and 2)
  • Collection of personal information (APPs 3, 4 and 5)
  • Dealing with personal information (APPs 6, 7, 8 and 9)
  • Integrity of personal information (APPs 10 and 11)
  • Access to and correction of personal information (APPs 12 and 13)

Confidentiality

The National Health and Medical Research Council (NHMRC) defines ‘confidentiality’ as ‘the obligation of people not to use private information – whether private because of its content or the context of its communication – for any purpose other than that for which it was given to them.’1

Generally, confidentiality refers to a set of obligations imposed through law or ethics. A patient discloses confidential information to their general practitioner (GP) on the understanding the information will only be used within the practitioner–patient relationship.

Consent

Refer to Patient consent below.

De-identified health information

Health information is de-identified if it is ‘no longer about an identifiable individual or an individual who is reasonably identifiable’.2 Care should be taken to ensure that re-identification cannot occur, including when the de-identified data is combined with other information that is reasonably available. If health information is genuinely de-identified, it falls outside the privacy legislation.

Health information

Health information includes information or opinions about the health or disability of an individual and a patient’s wishes about future healthcare. It also includes information collected in connection with the provision of a health service (and therefore includes personal details such as names and addresses).2

Health information is regarded as one of the most sensitive types of personal information. For this reason, the Privacy Act provides extra protections for the way health information is handled. 

Holds

A GP or general practice ‘holds’ health information if they have possession or control of the relevant medical record.

Personal information

The Privacy Act defines personal information as ‘information or opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable’.2 Personal information includes an individual’s name and address, signature, contact details, birth date, medical records and bank account details. 

It does not matter whether the information is true. Personal information can be held in any medium. General practice may record personal information on paper and in electronic records, X-rays, CT scans, videos, photos and audio recordings. Personal information may be collected by a GP directly from the patient or from a third party in the course of providing a healthcare service.

Practice

In this resource, the term ‘practice’ refers only to general practices that operate as a single functional unit for the purposes of patient care, practice management and accreditation, and not to groupings of individual GPs.

Use and disclosure

Neither ‘use’ nor ‘disclosure’ is a defined term under the Privacy Act. Generally, the distinction between use and disclosure turns on whether third parties are involved.

For example, a practice ‘uses’ health information when it holds and manages that information internally, such as for clinical or business purposes. A GP also uses health information during a consultation.

A practice ‘discloses’ health information if it makes it accessible to persons, agencies or companies ‘outside the entity and releases the subsequent handling of the personal information from its effective control’.3 A GP may disclose health information if they discuss a patient’s conditions with other practitioners.

The Privacy Act

The Privacy Act regulates how most personal information is managed. It includes 13 APPs.

The Privacy Act applies to private sector organisations, as well as most government agencies, unless an exception applies. General practice is subject to stringent privacy obligations by virtue of handling health information.

Individuals found liable for privacy infringements can face penalties of up to $340,000, and corporations up to $1,700,000.

Health records legislation

Victoria, New South Wales and the Australian Capital Territory have their own health records legislation4–6 regulating the handling of health information, each setting out its own set of health privacy principles.

These principles operate concurrently with the Privacy Act and are broadly consistent with the APPs. Their respective definitions of personal information and health information are also broadly similar.

However, the state and territory health records legislation may impose additional requirements in certain situations (for example, refer to Section 3.2. Sale or closure of a practice), and care should be taken to ensure compliance with both sets of laws where necessary.

Doctor–patient confidentiality

The Medical Board of Australia in its Good medical practice: A code of conduct for doctors in Australia states ‘a good doctor–patient partnership requires high standards of professional conduct’.7 Among other principles, this involves ‘protecting patients’ privacy and right to confidentiality, unless release of information is required by law or by public-interest considerations’.7

According to this code of conduct, ‘patients have a right to expect that doctors and their staff will hold information about them in confidence, unless release of information is required by law or public interest considerations’.7

Professional advice

This resource provides a high-level understanding of the regulatory and best practice framework for the management of information (personal information, sensitive information and health information) in a general practice setting. It is not tailored to any particular practice environment and the material is not exhaustive. The RACGP strongly recommends appropriate legal or professional advice is sought prior to reliance on its contents, or when integrating the content into practice procedures.
Patient consent

Patients have the ethical and legal right to make informed decisions about their health. Informed consent forms the basis for many Privacy Act exceptions, permitting collection, use and disclosure.

Obtaining a patient’s informed consent should be the key guiding principle for GPs. Many medico-legal proceedings result from a failure to obtain such consent.

The requirement to obtain informed consent also applies to research undertaken by a practice.1

Informed consent

To provide informed consent, patients must have sufficient information about their own healthcare, and the ability to then make appropriate decisions.

The information required is context dependent. In relation to health information, it may include details of the scope of use and disclosure (if any), any benefits and risks, or referral or treatment needs. Patients should also be informed if it is likely their information will be sent outside of Australia and if so, to where.

GPs should be cognisant of the competency rules that apply in their state or territory when determining whether patients are capable of giving informed consent (refer to Section 1.3.4. Competence, capacity and maturity to provide consent).

Inferred or express consent

A verbal or written consent may be:

  • express – when a patient signs or clearly articulates their agreement
  • inferred (or ‘implied’) – where the circumstances are such to reasonably infer the patient has consented.

Express consent should be sought wherever practical and/or where significant clinical risk is likely, for example, for a procedure or surgery. A signed form is an example (and is easier to demonstrate), but an informative and well-documented discussion with a patient may equally satisfy this requirement.

Inferred consent should be relied on only when express consent cannot be reasonably obtained. If so, care must be taken not to overestimate the scope of that consent.

For example, it is reasonable to infer that patients consent to their health records being collected and used during repeat consultations. However, this consent would not necessarily extend to the disclosure of that information to third parties, such as including health summaries within referral letters. GPs should be wary of taking silence or a lack of objection as an indicator of consent; if there is any doubt, GPs should obtain express consent.

It is recommended that consent conversations are thoroughly documented. Problems may arise if a patient does not understand the potential uses of their health information. In circumstances where GPs must establish implied consent, comprehensive and contemporaneous consultation notes are extremely valuable. Notes should refer to the information provided, the nature of the discussion and the patient’s response.

Withheld consent

GPs should be careful when treating patients who refuse to provide certain health information or withhold consent for particular healthcare.

This is particularly problematic where the possibility of detrimental outcomes exists if certain information is not collected or used. This should be clearly explained to the patient.

In such circumstances, it is recommended GPs make detailed notes to document the discussion, the patient’s decision and the ultimate outcome. In certain circumstances this outcome may conflict with the GP’s underlying duty of care, and comprehensive consultation notes will be valuable.

Competence, capacity and maturity to provide consent 

Some patients may not be competent to provide adequate consent.

State and territory guardianship legislation provides a framework for obtaining substitute consent on behalf of patients who lack capacity because of age, illness or disability. GPs are advised to seek appropriate advice if these situations arise.

Age-related consent is dealt with at the state and territory level. As a general rule, if a child is sufficiently mature to understand what will happen to their information they will have capacity to consent.

New South Wales, South Australia and the Australian Capital Territory have legislation stipulating the age at which a child can provide valid consent. In SA, the age is 16 years or over; in NSW, the age is 14 years or over. The ACT requires a parent or guardian to consent for a child under the age of 18 years, unless the health practitioner assesses the child to have sufficient maturity and adequate understanding.

In Victoria, consideration should be given to the Medical Treatment Planning and Decisions Act 2016 and specifically to the concept of decision-making capacity.

The Privacy Act does not stipulate an age; the OAIC’s guidelines presume that an individual aged 15 or over has the ‘capacity’ to give informed consent, unless there is something to suggest otherwise.2 GPs must therefore assess the capacity and maturity of each child to understand and make informed decisions on a case-by-case basis. In unclear cases, GPs are entitled to request that the patient presents corroborating consent from their parent or guardian.
