Privacy Law Reforms

03 Dec 2013

by Allyson Alker

On 12 March 2014, changes under the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), which amends the Privacy Act 1988 (Cth), come into effect. The existing 10 National Privacy Principles (NPPs) will be replaced by 13 Australian Privacy Principles (APPs), designed to protect the privacy and confidentiality of individuals in a fairer and more transparent manner.

The impact on medical practices

The changes are not expected to add major obligations on medical practices; however, the following issues should be considered: [1]

  • A medical practice must have a privacy policy clearly specifying what information will be collected, how it will be used, and a process for individuals wishing to complain about privacy breaches. This requirement is more prescriptive than the previous NPP requirements.
  • Where practicable, the privacy policy must be provided in the format requested by the individual, e.g. by email.
  • If a medical practice uses an overseas transcription service, it should ensure that the overseas recipient has the same or similar levels of privacy protection as specified under the APPs. Where the overseas recipient does not have the same level of protection, the practice must obtain the individual’s consent to transfer the information. Prior to this, the practice must inform the individual of what countries the information is going to and how to complain about a privacy breach in that country.
  • In limited circumstances, a medical practitioner is permitted to use or disclose information about a patient to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety (note the word “imminent” has been removed in the APPs).

Who oversees compliance with the changes?

The Office of the Australian Information Commissioner (OAIC) is now responsible for overseeing compliance, and the Information Commissioner has significantly greater powers to encourage and enforce it. These powers include investigation and audit, making determinations and commencing legal proceedings. The Information Commissioner may also impose a fine on an organisation (up to $1.7 million) or an individual (up to $340,000) for a breach of the legislative requirements. However, it is unlikely that a medical practice, doctor or their staff will be fined unless their conduct represents a serious and/or repeated breach.

What actions are recommended before March 2014?

It is recommended that medical practices audit existing policies and procedures to identify any areas of concern. The findings can be used to facilitate a revision of the practice’s privacy policy to ensure compliance with the APPs.

An ideal tool to assess existing policies and processes against the APPs is the OAIC’s Privacy Act reforms – Checklist for APP entities (agencies) available on the OAIC website.

What should a privacy policy cover? [2]

A privacy policy should cover:

  • the kind of information collected
  • how and for what purpose it is collected, held, and used
  • disclosure to any other persons or agencies, the identity of those agencies, what is disclosed and for what purpose/s
  • the process for an individual to access the information, for what purpose and why
  • where access by the individual is withheld, why, and how the individual is notified
  • consent process for the collection of information and situations where consent is not required
  • complaint process for individuals who wish to complain about a breach of privacy or confidentiality
  • whether information may be disclosed to overseas recipients and to what countries.

Although not required under privacy law, it is also recommended that the practice’s privacy policy addresses:

  • staff training and confidentiality agreements
  • policy review timeframes
  • processes for dealing with unauthorised access to individuals’ health information, including who must be notified in the event of a breach.

Allyson Alker, MDA National Risk Adviser

1. Office of the Australian Information Commissioner website at accessed on 27 Sept 2013.
2. Office of the Australian Information Commissioner. Australian Privacy Principles: Privacy Fact Sheet 17. Canberra: OAIC, 2013.
