Advice & Support / Library / Articles & Case Studies / Does Your Privacy Policy Measure Up?
Articles and Case Studies

Does Your Privacy Policy Measure Up?

10 Jan 2015

Karen Stephens

by Karen Stephens

Woman completing paperwork

Privacy law1 requires medical practices to have a privacy policy – now some practices are being put to the test. 
Dear Doctor 
This letter is to advise you of the Office of the Australian Information Commissioner’s (OAIC) intention to undertake an assessment of [your practice’s] privacy policy… 
 
And so started a letter to 40 GP practices, randomly selected in May – June 2015 by the OAIC. The assessments intended to examine whether the GP practices had privacy policies which:
  • are clearly expressed
  • are up to date
  • cover the required topics
  • reflect the use of Personally Controlled Electronic Health Records (PCEHR), where relevant.

Clear expression

An OAIC guide to preparing a privacy policy2 includes the following tips:
  • Think about your audience and word it accordingly.
  • Keep it simple and easy to read.
  • Use the terms “you” and “us/we”, rather than “patient” and “the practice”.
  • Don’t just repeat the words in the Australian Privacy Principles (APPs) – make it specific to your practice.
  • Arrange information in a way that makes sense for your patients.
  • Be as specific as possible.
  • Provide more detail about areas of information handling that patients are most concerned about, are unaware of, won’t reasonably expect or may not understand easily.
  • Seek input from your staff.
  • Contact your medical indemnity insurer.
  • Test it out on readers – it should be able to be easily read and understood by a 14-year-old.

Up to date

Changes to Australian privacy law came into effect on 14 March 2014, with the APPs replacing the National Privacy Principles. Your policy must reflect the current law.
A summary of the APPs is available in the OAIC’s Privacy Fact Sheet 17.3
Your policy must outline how your practice currently deals with personal information – if procedures change, your policy should also change accordingly. Regularly review and update your policy. Include the date and version number on the document.

Required topics

As specified in APP1 a practice privacy policy must cover:
  • the kinds of information collected or held
  • how it is collected
  • for what purposes it is collected, held or used
  • disclosure to any other persons or agencies – identity of agencies, what is disclosed, for what purpose(s)
  • the process for an individual to access the information
  • where access is withheld, why and how the individual is notified
  • the consent process for collection of information
  • situations where consent is not required, e.g. an emergency
  • the process for individuals to complain about a breach of privacy
  • whether information is disclosed to overseas recipients and to what countries.

Use of Personally Controlled Electronic Health Records (PCEHR)

If your practice uses PCEHR, your privacy policy should include:
  • what information you add to and access from patients’ eHealth record and what you do with the information
  • procedures to ensure compliance with the Personally Controlled Electronic Health Records Act 2012
  • how an eHealth record may be used in an emergency situation.

References

  1. The Privacy Act 1988 (Cth).
  2. Office of the Australian Information Commissioner. Guide to Developing an APP Privacy Policy. Canberra: OIC, 2014.
  3. Privacy Fact Sheet 17: Australian Privacy Principles. 2014. Available at: oaic.gov.au/privacy/privacy- resources/privacy-fact-sheets/other/privacy-fact- sheet-17-australian-privacy-principles.
 
Confidentiality and Privacy, Practice Management, Anaesthesia, Dermatology, Emergency Medicine, General Practice, Intensive Care Medicine, Obstetrics and Gynaecology, Ophthalmology, Pathology, Practice Manager Or Owner, Psychiatry, Radiology, Sports Medicine, Surgery, Physician, Geriatric Medicine, Cardiology, Plastic And Reconstructive Surgery, Radiation Oncology, Paediatrics, Independent Medical Assessor - IME
 

Library

Reportable Deaths and Coronial Matters

MDA National's Daniel Spencer (Case Manager - Solicitor) and Karen Lam (Medico-Legal Adviser) discuss when a person's death should be reported to the Coroner and what to do if the Coroner requests a statement or report.

Videos & Webinar recordings

15 May 2025

Death Certificates

When a doctor can write a death certificate (where the death does not need to be reported to the Coroner), considerations when writing the death certificate and how to complete it accurately.

Videos & Webinar recordings

15 May 2025

Communication in healthcare teams

Why good and effective communication is a vital part of delivering quality and safe patient care

Videos & Webinar recordings

15 May 2025

Doctors, Let's Talk: Setting Boundaries At Work

A conversation with Nicola Campbell, Psychiatry Registrar, that explores the necessity of setting professional boundaries as a Junior Doctor.

Podcasts

07 Dec 2022

Top