The RACGP is undergoing scheduled system maintenance: Wednesday, 17 April 2024 from 8:15PM – 10:15 PM AEST. During the maintenance window, some RACGP services will experience disruptions.
We apologise for any inconvenience caused.

Information security in general practice

Information security strategy

Information security lead

        1. Information security lead

Last revised: 21 Apr 2023

Roles and responsibilities of your practice team

It is vital for practice team members to be aware of their roles in information security. All practice team members require a position description clearly defining and documenting their roles and responsibilities and access to clinical and/or business information.

Information security lead

It is recommended that your practice appoints an information security lead to champion and manage information security.

The information security lead does not need to have advanced technical knowledge, but should be comfortable with your practice’s computer operating systems and other relevant software. They should also possess management skills to develop information security policies and to raise awareness of information security governance, help foster a strong security culture and ensure access to adequate and appropriate training for your practice team.

The information security lead will determine what aspects of information security in the practice are outsourced to external technical service providers.

Standards indicator

C6.4A Our practice has a team member who has primary responsibility for the electronic systems and computer security.

You must have at least one team member who has primary responsibility for the electronic systems and computer security.


Create a policy

Your practice policy should include the specific information security roles and responsibilities of each practice team member.

Your policy should cover:

  • specific information on the roles and responsibilities of each practice team member in relation to information security, including the required levels of access to information systems
  • assignment of an information security lead who has access to ongoing training as required
  • who is responsible for specific information security tasks
  • access to ongoing training for your practice team as required
  • education for your practice team in identifying errors or abnormal software behaviour and who/how to notify promptly of any concerns.

The position description of the information security lead can include:

  • overseeing development of information security policies and procedures
  • testing business continuity and information recovery plans
  •  reviewing and updating policies and procedures as practice and legislative changes occur
  • regular monitoring to ensure practice security policies are followed
  • maintaining an up-to-date risk assessment
  • ensuring technical advice is sought where required
  • ensuring secure transfer of electronic information
  • arranging access to ongoing information security awareness training for the practice team
  • updating the practice management on outstanding security issues
  • regular reporting on information security to the practice team
  • regular monitoring of system logs and audit reports.​