Privacy policy template


The RACGP has developed a privacy policy template for general practices to use as a way of meeting their compliance requirements with the Australian Privacy Principles (APPs). All general practices need a privacy policy that explains, in simple language, how the practice broadly handles its patients’ personal information. This reflects the central object of APP 1, which is to ensure that entities manage personal information in an open and transparent manner.

A privacy policy differs from a privacy collection notice. Both are required. See the Privacy Collection Notices section below.

This template was developed with assistance from the Office of the Australian Information Commissioner (OAIC). The OAIC does not endorse this or any specific privacy policy template. The advice in this template is general in nature and current at the time of publication.

This template captures all items required by the OAIC including: 

  • practice name and contact details 
  • details of what kinds of personal information are collected and stored 
  • how practices collect personal information and where it is stored 
  • the reasons why personal information is collected
  • how practices use and disclose personal information 
  • how patients can access their personal information, or ask for a correction 
  • how patients can lodge a complaint if they think their information has been mishandled, and how practices handle complaints 
  • if practices are likely to disclose patient information outside Australia.
It is not a legal requirement for patients to sign a Privacy Policy.

Practices should use this template as a guide only and must adapt its content to suit individual practice procedures. 

Download the template


The privacy policy template is designed to communicate to patients how the practice manages personal information and to complement other practice policies such as complaint resolution and breach notification procedures.

The sections in red text need to be revised and adapted to the specific procedures of each individual general practice.

The template contains highlighted sections with instructions, tips and additional information. Remove these highlighted sections as you progress.

Instructions

Instructions are indicated with a tick and highlighted in blue.

Tips

This template provides tips on what processes and procedures practices may need to change or be updated so they align with the information in the privacy policy.

Tips are indicated by a light globe and highlighted in yellow.

Additional Information

Additional information assists practices in determining the content of the overall policy and includes links to other RACGP resources and explanatory information.

Additional information is indicated by an exclamation mark and highlighted in red.

The finished policy should be relevant to how the practice handles information.

Once the privacy policy is complete its existence should be communicated to patients and it should be freely available. For example, display it at the practice reception and on the practice website and refer to it in practice registration forms and other forms or notices.

This policy should be reviewed regularly (annually is recommended) to ensure it remains applicable to current practice procedures and legal requirements. The policy should be updated if the way a practice handles patient information changes or if there are any relevant legislative changes.


Consider the audience: the privacy policy should not be treated as a legal document aimed at managing risk, but as a tool to build trust with patients.

Customise the policy and make sure it is specific to the practice. Avoid just repeating content from the Australian Privacy Principles. 

Prioritise relevance by focusing on the most important aspects. Avoid covering every detail exhaustively. 

Keep it simple by using straightforward language. 

Adopt a layered approach, for example, for online publication provide a condensed summary of key points in the privacy policy with a link to the full version. 


Legal Compliance: General practices must comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs), which set out standards for handling personal information. 

Confidentiality: A privacy policy helps maintain the confidentiality of patients' health information, which is essential for patient trust and the integrity of the healthcare system. 

Patient Trust: Clear communication about how personal information is collected, used, and protected enhances patient trust and confidence in the practice. 

Risk Management: A privacy policy helps manage and mitigate risks associated with data breaches and unauthorized access to sensitive information. 

Transparency: It ensures transparency in the practice's operations, outlining patients' rights and the practice's obligations regarding personal data. 

Professional Standards: Adhering to privacy standards aligns with professional codes of conduct and ethical guidelines for healthcare providers. 


Privacy Policies and Privacy Collection Notices serve different purposes for informing individuals about the collection, storage and handling of their personal information.

Designed to ensure compliance with APP 5, Privacy Collection Notices are intended to be issued at the time of collection of personal information for a specific purpose. They should relate to the particular collection of personal information and outline the practice’s most relevant privacy practices. It may be useful to include some information from the practice’s Privacy Policy on the notice; however, there is no obligation to do so.

APP 5.1 requires that, at or before the time of collecting personal information, practices take reasonable steps to notify an individual about:
  • the practice’s identity and contact details
  • the fact and circumstances of collection
  • whether the collection is required or authorised by law
  • the purposes of collection
  • the consequences if personal information is not collected
  • the practice’s usual disclosures of personal information of the kind collected by the practice
  • information about the practice’s Privacy Policy
  • whether the practice is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.
A new Privacy Collection Notice needs to be provided on each occasion where personal information is collected for a different matter.

Where personal information is collected on a recurring basis in relation to the same matter, the practice does not need to provide a separate notice on each occasion. However, if a long period has elapsed since the initial notice was provided, the practice may need to take steps to notify the individual again to ensure awareness. 

See OAIC guidance on APP 5.
APP 1.5 requires practices to take reasonable steps to make their Privacy Policy available free of charge and in an appropriate form. This furthers the objective of APP 1 of ensuring that personal information is managed in an open and transparent way. This may include:
  • online publication
  • displaying the policy at the practice premises
  • distributing a printout of the policy on request
  • including details about how to access the policy at the bottom of all correspondence to individuals, or
  • informing via telephone how to access the policy if this is a regular means of communication. 
Practices must update their Privacy Policy when their information handling practices change, and these changes should be made known to an individual. 

Practices must publicise their updated Privacy Policy, for example via their website and through email or postal lists, signage on the premises or notifications in-app if applicable.

Similarly, provision of an updated Privacy Collection Notice to new or existing patients may be done through a variety of methods, outlined in the OAIC’s guidance on Collecting health information. These include:
  • prominently displaying a brief notice at the practice premises (for example at reception or in the waiting room) covering key information and giving the individual more detailed notice in a leaflet
  • including a privacy collection notice on a paper or online form used to collect patients’ health information, such as a patient registration form
  • discussing the information during a consultation with a patient where relevant. To ensure all relevant matters are covered, it would be useful to also provide the patient with a written notice in this situation.
