Privacy and managing health information in general practice

Information management for patients


Last revised: 24 May 2023


Notification requirements for collecting personal information

APP 5 requires GPs to ensure patients are aware of the collection and potential use and disclosure of their health information.

It is not necessary to notify patients during every consultation, as it is clear information is being collected. Similarly, it is not necessary to notify patients if their health information will need to be disclosed when referring to a specialist.

There will be times when the collection of health information is not obvious to the patient. For example, in some practices with complex corporate structures, the organisation ultimately collecting and holding the information might not be obvious. It is recommended that practices ensure their patient privacy forms are updated to reflect this situation.

Where necessary and appropriate, when there is a significant change to the way the practice works or when the needs of the patient change, your practice should obtain renewed consent.

The notification requirements referred to in APP 5 have administrative implications for incorporated practices and practices using cloud computing (refer to the module on Information transferred overseas).

Notification obligations

  • When collecting health information, GPs must take steps to notify the patient.
  • Notified information must include the practice’s details, the purpose for which the information was collected, who the health information can be disclosed to, and whether it will be disclosed to an overseas recipient (and if so, where).
  • If your practice is using cloud computing, ensure you have updated your consent forms and notified patients.


Privacy notices

Your practice should consider whether a standard privacy notice addressing APP 5 would be an appropriate method of notifying patients.

A privacy notice might include information about:

  • sharing of information across a multidisciplinary medical team
  • use and disclosure of de-identified data for medical research
  • the use of patient information for GP professional development purposes or for quality improvement activities
  • how information is used for referrals to other specialists.

In some situations, a practice might need to provide additional patient health information to third parties such as insurers, and this should be included in your privacy notice. This helps practices meet the requirement to take reasonable steps to notify individuals on how their information is used [8] and helps manage patient expectations, promote trust and support further uses of health information for secondary purposes (refer to the section on Use and disclosure of health information).

When used appropriately, privacy notices can support patients to understand how their health information is used and disclosed.


  1. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles quick reference. 2014 [Accessed 7 November 2022].
  2. National Health and Medical Research Council, Australian Research Council, Australian Vice-Chancellors’ Committee. National statement on ethical conduct in human research (2007) (updated 2018). 2018 [Accessed 16 January 2023].
  3. Commonwealth of Australia. Privacy Act 1988. 1988 [Accessed 7 November 2022].
  4. Australian Government, Office of the Australian Information Commissioner. Australian Privacy Principles guidelines: Privacy Act 1988. 2015 [Accessed 16 January 2023].
  5. Australian Government, Attorney-General. Parliament approves Government’s privacy penalty bill. 2022 [Accessed 16 January 2023].
  6. Medical Board of Australia, AHPRA. Good medical practice: A code of conduct for doctors in Australia. 2020 [Accessed 16 January 2023].
  7. Australian Government, Office of the Australian Information Commissioner. Business resource. Chapter 9: Research. 2019 [Accessed 16 January 2023].
  8. Australian Government, Office of the Australian Information Commissioner. Chapter 5: APP 5 – Notification of the collection of personal information. 2019 [Accessed 8 November 2022].
  9. Australian Medical Association. Frequently asked questions – Fees. [date unknown] [Accessed 8 November 2022].
  10. Australian Government, Office of the Australian Information Commissioner. Privacy for organisations: Trading in personal information. [date unknown] [Accessed 16 January 2023].
  11. National Health and Medical Research Council. Use and disclosure of genetic information to a patient’s genetic relatives under Section 95AA of the Privacy Act 1988 (Cth) – Guidelines for health practitioners in the private sector. 2014 [Accessed 16 January 2023].