Privacy and managing health information in general practice

Use and disclosure of health information

Last revised: 24 May 2023

Privacy policies

Create a policy: Patient privacy

  • Your practice must have a current and patient-focused privacy policy outlining how health information is managed in your practice.
  • Your practice’s privacy policy must be available free of charge and easily accessible to your patients in an appropriate form.
  • Privacy policies must reflect your practice’s procedures and address all prescribed requirements.
  • A privacy policy must explain:
    • how personal information is collected, used and disclosed within the practice
    • how a patient may access and correct their information
    • how privacy complaints can be made and how the complaint will be dealt with
    • whether information is likely to be disclosed overseas and, if so, where.


Create a policy: External privacy

  • Your practice should maintain a transparent privacy policy that is freely available both in print and online. For example, display a printed copy at the practice reception desk or in waiting areas, or publish an electronic copy on the practice website.
  • The privacy policy content will vary across practices depending on the processes, structure and the record-keeping system in place.
  • This privacy policy will enable your practice to better manage patient enquiries or complaints concerning their health information.
  • The RACGP has developed a privacy policy template. It is important to adapt this template to ensure its relevance to your practice. The template is available at www.racgp.org.au/running-a-practice/practice-resources/practice-tools/general-practice-policy-and-procedure-templates 


Create a policy: Internal privacy procedures

It is strongly recommended that your practice has internal privacy procedures in place and that these are documented.

These procedures should include information about:

  • the collection of health information, ensuring it is done in a discreet manner protecting the information from unauthorised access
  • obtaining a patient’s consent to the use or disclosure of health information by practice employees (including doctors, locums, registrars and other authorised healthcare service providers)
  • obtaining a patient’s consent to the use or disclosure of health information for medical research, quality assurance and improvement (where relevant)
  • providing patients with access to their health information
  • de-identifying health information
  • ensuring health information is appropriately disclosed where authorised
  • classifying health information, to ensure disclosure is limited to those who are authorised
  • ensuring protection against unauthorised access across each medium the practice uses (eg hard copy and electronic records)
  • ensuring protection against data loss
  • retention of patient medical records to comply with health record law requirements (refer to the section on Retention and destruction of medical records)
  • information about privacy and confidentiality training. All staff handling health information must be aware of and comply with the practice’s internal procedures
  • details of who will be responsible for overseeing the implementation and operation of the privacy policy and to be the point of contact for privacy concerns.