Privacy and managing health information in general practice

Use and disclosure of health information

Use or disclosure in the practice setting

Last revised: 24 May 2023

In the practice setting, patients will generally expect their information to be used for a wide variety of activities that are directly related to the healthcare services they receive.

These might include:

  • providing information about treatments
  • being treated by a person other than their treating GP, such as a specialist or during admission to hospital
  • internal assessment practices, such as to assess the feasibility of particular treatments
  • management, funding, complaint handling, planning, evaluation and accreditation activities
  • disclosure to experts or lawyers (for legal opinions), insurers or medical defence organisations to report adverse incidents or for the defence of legal proceedings
  • disclosure to clinical supervisors.[7]

Some practices might use or disclose health information for medical research, quality assessment or clinical audit activities. As these are not always expected by patients, practices should limit their use or disclosure except where consent is obtained. In any event, consent is often a key component of ethical approval for health research using human participants (for more information, refer to the Health research section).

Case study: Primary purposes vs multidisciplinary care

Laura has been seeing her treating GP for many years. She suffered a stroke and now experiences stroke complications, some of which are likely to be permanent.

Laura’s healthcare now requires a coordinated effort between her treating healthcare professionals, including her neurologist, rehabilitation team and practice nurse.

In her distressed state, Laura might not expect her GP to organise this multidisciplinary team. Accordingly, her GP organises a consultation with Laura to discuss the benefits of multidisciplinary care, so that she can make an informed decision to allow disclosure of her health information to other health practitioners. Laura’s treating GP carefully notes the conversation and Laura’s express consent.

Laura’s GP has recognised that the primary purpose for using Laura’s health information is for the GP to treat and manage her stroke symptoms. Laura would expect this use as part of her regular healthcare. However, it is unclear whether Laura would expect her health information to be disclosed to other health practitioners. This disclosure by Laura’s GP might be considered a secondary purpose. Under the Privacy Act, the disclosure of the information necessary to treat and manage Laura’s stroke recovery is ordinarily prohibited, unless an exception applies; in this case, the two most applicable exceptions are consent and reasonable expectations.

It was therefore wise for Laura’s GP to seek Laura’s consent. Additionally, by discussing the care plan and the scope of involvement of the multidisciplinary team, Laura’s GP has managed her reasonable expectations regarding the use of her health information by the members of her team. This will allow greater flexibility in treating Laura and it is now reasonable to not require Laura’s consent to each exchange.


  1. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles quick reference. 2014 [Accessed 7 November 2022].
  2. National Health and Medical Research Council, Australian Research Council, Australian Vice-Chancellors’ Committee. National statement on ethical conduct in human research (2007) (updated 2018). 2018 [Accessed 16 January 2023].
  3. Commonwealth of Australia. Privacy Act 1988. 1988 [Accessed 7 November 2022].
  4. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles guidelines: Privacy Act 1988. 2015 [Accessed 16 January 2023].
  5. Australian Government, Attorney-General. Parliament approves Government’s privacy penalty bill. 2022 [Accessed 16 January 2023].
  6. Medical Board of Australia, AHPRA. Good medical practice: A code of conduct for doctors in Australia. 2020 [Accessed 16 January 2023].
  7. Australian Government, Office of the Australian Information Commissioner. Business resource. Chapter 9: Research. 2019 [Accessed 16 January 2023].
  8. Australian Government, Office of the Australian Information Commissioner. Chapter 5: APP 5 – Notification of the collection of personal information. 2019 [Accessed 8 November 2022].
  9. Australian Medical Association. Frequently asked questions – Fees. [date unknown] [Accessed 8 November 2022].
  10. Australian Government, Office of the Australian Information Commissioner. Privacy for organisations: Trading in personal information. [date unknown] [Accessed 16 January 2023].
  11. National Health and Medical Research Council. Use and disclosure of genetic information to a patient’s genetic relatives under Section 95AA of the Privacy Act 1988 (Cth) – Guidelines for health practitioners in the private sector. 2014 [Accessed 16 January 2023].