We're aware of a cyber security incident affecting the electronic prescriptions provider MediSecure. The eRX Script Exchange (eRX) and the National Prescription Delivery Service (NPDS) continue to operate as usual and have not been impacted. Find out more and read our statement here.

Information security in general practice

Information security strategy

Internal and external staff roles for managing information security

        1. Internal and external staff roles for managing information security

Last revised: 21 Apr 2023

Internal and external staff roles for managing information security

Practice team agreements

You should document all confidentiality and privacy agreements for practice team members, together with an appropriate internet and email use agreement. Practice team members and relevant external providers should sign these agreements.

These agreements act to protect practice owners in the event of legal action, should a security breach occur.

External service provider agreements

Your practice has a responsibility to ensure anyone who has access to practice clinical and/or business information is aware of their obligations to comply with your information security policies.

Technical service providers are usually granted unrestricted access to practice data.

Third-party access for support and problem solving is an issue requiring careful consideration. This is often undertaken remotely, and trust is placed in software and external support service staff. While technical support personnel will be knowledgeable in information security, they may not fully understand the sensitivity and confidentiality requirements of health information. All external technical support providers with access to any of your practice’s information should sign confidentiality agreements.

Technical service provider contractual agreements can include:

  • what can or cannot be viewed when accessing your practice systems. If ‘everything’, including files saved on workstations can be viewed, all practice team members should be aware of this
  • details of backup procedures and testing that meet the needs of your practice
  • set response times to provide technical support via telephone, remote access to your systems, in person and onsite, and outside of business hours
  • the cost for routine maintenance, additional work in case of system malfunction and the differences in costs for support during business hours and outside of business hours
  • details of maintenance schedules
  • information on system audits and reporting details on how information assets are disposed of safely and securely
  • a signed confidentiality agreement.​

Cloud service provider agreements will require additional details, including:

  • your practice retaining legal ownership of the data
  • appropriate internet connection to support the amount of data transferred and any other online functions required
  • a Service Level Agreement (SLA) to define the level of service and availability expected from the provider
  • storage and management of data in line with Australian Privacy Law
  • processes for redundancy and backup protecting data from loss or corruption
  • the ability to move your cloud services or data either to another cloud service provider or back into your business for local management.

See module on cloud-based information security for more information