Privacy and information security
Robust information security practices and policies are essential to safeguard health and business information.
Under the Privacy and Other Legislation Amendment Act 2024, organisations are explicitly required to take reasonable steps to protect personal information, which must include both technical measures (such as encryption, secure access controls, and system monitoring) and organisational measures (such as staff training, internal policies, and governance frameworks).
In clinical settings, using healthcare identifiers instead of names can further enhance privacy protections.
Privacy and information security
- Your practice must protect personal information it holds from:
  - misuse, interference and loss
  - unauthorised access, modification or disclosure.
- Cross-border disclosures (ie disclosing information to an overseas recipient or using cloud computing companies) must first undergo a thorough risk assessment to ensure no privacy breaches will occur.
- As previously discussed, it is essential for your practice to:
  - conduct in-depth risk assessments
  - ensure safe electronic transfer of information
  - safely communicate via electronic mediums with patients
  - securely de-identify and destroy patient data
  - have an effective and updated security policy.
- Practices should refer to the RACGP Information security in general practice resource for guidance and further information on information and cyber security.
Case study: International consultation
Dr Murray, a GP, has been approached by a patient with an abscess on his leg. During the consultation, Dr Murray remembers a seminar, led by a professor from Canada, that discussed very similar wounds.
Dr Murray considers it appropriate to refer the wounds to the professor and takes several photographs of the abscess on his patient’s leg. The photographs are later emailed to Canada along with significant extracts of the patient’s notes (including some personal information).
Inadvertently, Dr Murray is likely to have breached the cross-border disclosure laws. Dr Murray could have managed the situation better if he:
- sent the photographs in a de-identified form
- sought the patient’s informed consent to the disclosure
- investigated the privacy laws that apply in Canada
- sought the professor’s assurance that the photographs would be examined in strict confidence, before sending them, and that they would be destroyed afterwards.
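The first of these steps, sending the material in a de-identified form, is also the "securely de-identify patient data" item in the list above. The following PowerShell script is an added example, not part of the RACGP resource or the case study, of how a practice could prepare a note extract before it leaves the building: direct identifiers are replaced with a pseudonym computed as a keyed HMAC over the patient's identifying details, so that only the practice (which holds the key) can link the professor's reply back to the patient, and the free-text notes are scrubbed of the name, date of birth and anything that still looks like a date or Medicare number. The patient record, the secret key and the field names are all constructed for the example; a real practice would pull them from its clinical system.

```powershell
# Added example (not from the RACGP page): de-identify a note extract before it
# is sent for an external opinion. Record, key and field names are constructed.

$Record = [ordered]@{
    Name        = 'John Citizen'
    DateOfBirth = '1971-03-14'
    Medicare    = '2123 45678 1'
    Address     = '12 Example St, Sampletown'
    Notes       = 'John Citizen presents with a 4 cm abscess on the left calf. ' +
                  'Discussed with John; he reports pain score 6/10. DOB 1971-03-14 confirmed.'
}
# Fields that directly identify the patient and must never leave the practice
$DirectIdentifiers = 'Name', 'DateOfBirth', 'Medicare', 'Address'
# Secret held only by the practice; it alone can map a pseudonym back to a patient
$PseudonymKey = [System.Text.Encoding]::UTF8.GetBytes('constructed-practice-secret-change-me')

function Get-Pseudonym {
    param([string]$Identifier, [byte[]]$Key)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $hash = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Identifier))
    # Short, stable, non-reversible token: the same patient always gets the same token
    'PT-' + (($hash[0..5] | ForEach-Object { $_.ToString('x2') }) -join '')
}

function ConvertTo-DeidentifiedExtract {
    param([System.Collections.IDictionary]$Record, [byte[]]$Key)
    $token = Get-Pseudonym -Identifier ($Record.Name + '|' + $Record.DateOfBirth) -Key $Key
    $text  = $Record.Notes
    # Scrub every direct identifier, and each part of the name, from the free text,
    # longest term first so 'John Citizen' is replaced before 'John'
    $terms = @()
    foreach ($f in $DirectIdentifiers) { $terms += $Record[$f] }
    $terms += ($Record.Name -split '\s+')
    foreach ($t in ($terms | Sort-Object Length -Descending)) {
        $text = $text -replace [regex]::Escape($t), $token
    }
    # Catch any remaining date of birth or Medicare-number shaped strings
    $text = $text -replace '\b\d{4}-\d{2}-\d{2}\b', '[DATE REDACTED]'
    $text = $text -replace '\b\d{4} \d{5} \d\b', '[MEDICARE REDACTED]'
    [ordered]@{ Pseudonym = $token; Notes = $text }
}

function Test-NoDirectIdentifiers {
    # Final gate: refuse to release the extract if any direct identifier survived
    param([System.Collections.IDictionary]$Extract, [System.Collections.IDictionary]$Record)
    $joined = ($Extract.Values -join ' ')
    foreach ($f in $DirectIdentifiers) {
        if ($joined.Contains($Record[$f])) { return $false }
    }
    return $true
}

$extract = ConvertTo-DeidentifiedExtract -Record $Record -Key $PseudonymKey
if (-not (Test-NoDirectIdentifiers -Extract $extract -Record $Record)) {
    throw 'Extract still contains a direct identifier; do not send.'
}
$extract
```

The keyed pseudonym is what makes the extract usable: the practice can still file the professor's reply against the right patient, while the recipient, without the key, cannot reverse the token. The photographs themselves need the same treatment, which for images means stripping embedded metadata (camera, timestamps, any location data) as well as checking that nothing identifying is visible in the frame.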
Create a policy: Clear screen
Your practice policy and procedures should include clearing screens for privacy.
Your policy should cover the following:
- remember to exit the previous patient’s electronic file before the next patient enters the consulting room
- position computer monitors to keep information private, including computers used by reception staff at the front desk
- use ‘clear screen’ function keys, which instantly close down an open file or switch off the monitor
- use password-protected screensavers
- log off when leaving computers unattended or use automatic session time-outs.
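The last three items in that list (password-protected screensavers, logging off, automatic session time-outs) are settings a practice can enforce rather than rely on staff to remember. The script below is an added example, not from the RACGP resource, that applies and then audits those settings on a Windows 10/11 workstation from an elevated PowerShell session. The ten-minute timeout is a constructed value; a practice would choose its own in its policy.

```powershell
# Added example (not from the RACGP page): enforce and audit "clear screen"
# controls on a Windows workstation. Assumes Windows 10/11 and an elevated
# session. The 600-second timeout is a constructed value.

# Per-user policy path: values here are enforced and greyed out in Settings,
# so staff cannot switch the password-protected screensaver off.
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# Machine-wide inactivity limit ("Interactive logon: Machine inactivity limit"),
# which locks the session regardless of the user's screensaver settings.
$SystemKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$TimeoutSec = 600   # constructed value: lock after 10 minutes without input

function Set-ClearScreenPolicy {
    param([int]$Seconds = $TimeoutSec)
    foreach ($key in @($PolicyKey, $SystemKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Screensaver on, password required to dismiss it, fired after $Seconds idle
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1'        -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1'        -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$Seconds" -Type String
    # Blank screensaver, so nothing from the open record is rendered while locked
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE'        -Value 'scrnsave.scr' -Type String
    # OS-level lock that does not depend on the screensaver at all
    Set-ItemProperty -Path $SystemKey -Name 'InactivityTimeoutSecs' -Value $Seconds -Type DWord
}

function Test-ClearScreenPolicy {
    param([int]$MaxSeconds = $TimeoutSec)
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $s = Get-ItemProperty -Path $SystemKey -ErrorAction SilentlyContinue
    $findings = @()
    if ($p.ScreenSaveActive    -ne '1') { $findings += 'screensaver not enabled' }
    if ($p.ScreenSaverIsSecure -ne '1') { $findings += 'screensaver not password protected' }
    if (-not $p.ScreenSaveTimeOut -or [int]$p.ScreenSaveTimeOut -gt $MaxSeconds) {
        $findings += "screensaver timeout missing or longer than $MaxSeconds s"
    }
    if (-not $s.InactivityTimeoutSecs -or $s.InactivityTimeoutSecs -gt $MaxSeconds) {
        $findings += "machine inactivity limit missing or longer than $MaxSeconds s"
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        User      = $env:USERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

Set-ClearScreenPolicy
Test-ClearScreenPolicy | Format-List
```

On a domain, the same values are what the Group Policy settings under User Configuration > Administrative Templates > Control Panel > Personalization ("Enable screen saver", "Password protect the screen saver", "Screen saver timeout") write, so a practice with more than a handful of machines would set them centrally and run only the `Test-ClearScreenPolicy` part as a periodic check, which also covers reception desk PCs that are easy to forget.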
Create a policy: Clear desk
Your practice policy and procedures should include clearing desks for the purpose of securing information and data.
Your policy should remind staff that:
- at the end of each day, each practice team member clears their desk of all documents, notes and media
- all documents should be removed from printers and fax machines immediately after being copied, sent or received.