Policies and procedures for managing information security

Table of contents

Last revised: 21 Apr 2023

Information security strategy

To ensure effective information security procedures, it is recommended to have clear policies and procedures to support your practice.

Policies and procedures for managing information security

Polices should be created to support information security processes in your general practice. Your practice should document all policies and procedures for managing information security.

A policy and procedures manual provides information and guidance to your practice team on the protocols used in managing your information systems. This manual is used to clarify roles and responsibilities, and to facilitate induction of new practice team members.

To be effective, your policies should be:

communicated and provided to all existing and new members of your practice team
easily accessible (i.e.. made available on your intranet which can be kept current more easily than a paper practice manual)
explained to team members through regular education and training sessions, at team meetings and during induction
discussed regularly to maintain relevance
periodically reviewed to ensure they are current (either six monthly or annually), and updated when changes are made in information security processes in your practice or to relevant legislationre-issued to the practice team when updated.

Policies should include:

a purpose and objectives
scope (i.e. to whom and what the policy applies, and under what circumstances)
definition of information security incidents and their consequences
organisational structure and defined roles, responsibilities and levels of authority
reporting requirements and contact forms
processes for providing access to training for your practice team.

Use the RACGP practice policy template sample to create your practice policies.

Create a policy: How practice information is secured

Your policy:

should reflect the overall strategy of how practice information is secured
can be kept as a manual, folder or suite of documents accessible to your practice team
should be made available to the practice team with training offered on all policies and procedures to ensure compliance and implementation, including education for your practice team
should ensure your practice has a physical layout that means that members of the public cannot view patient health information

Standards indicator

C6.4BOur practice does not store or temporarily leave the personal health information of patients where members of the public could see or access that information.

C6.4FOur practice has a policy about the use of email.

C6.4GOur practice has a policy about the use of social media.

You must maintain a privacy policy, email policy and social media policy.

Useful RACGP resources:

Advertising