Information security in general practice

Information security strategy

1. Governance

Last revised: 21 Apr 2023


Addressing information security at a governance level is crucial. A security governance framework will define the acceptable use of information technology (IT) in your practice and outline responsibilities.

Information security roles and responsibilities should be allocated to members of your practice team. These team members should coordinate security-related activities and determine when it is appropriate to engage external technical service providers.

Information security requires regular attention at a practice level. Your practice team members need to be aware of their responsibilities to protect practice information. Information security processes should be documented and followed.

Your information security governance framework should include the following areas:

When developing your information security governance framework, it is important to consider:

  • What are the legal and professional requirements for protection of the information held in your practice? Under the Australian Privacy Principles (APPs), APP 11 requires that reasonable steps are taken to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. Further information is available in the Office of the Australian Information Commissioner’s (OAIC’s) Guide to securing personal information.
  • What capabilities does your practice have in terms of security knowledge and expertise?
  • Who makes the decisions about the security protections required?
  • What processes are in place to assist in decision making about the use of information for purposes other than those for which it was collected (e.g. providing health information to external organisations for research or population health planning [secondary use of data])?
  • How do you know the system and processes are working as intended?