Health Information Law, Privacy and Ethics
Laura McVey and Joel Scanlan
Learning Outcomes
On completion of this chapter, learners will be able to:
- Understand the fundamental concepts of privacy as a human right, the key privacy terms, the different privacy legislation and privacy principles, and their implications for health information management.
- Describe the principles of informed consent, differentiate between written and verbal consent, and apply these concepts in various healthcare scenarios.
- Identify the ethical dimensions of handling and responsibly using health information.
- Understand how to build a privacy culture within a healthcare organisation.
Introduction
Data breaches have become a frequent occurrence in modern life. From the MediSecure data breach affecting approximately 12.9 million Australians (Department of Home Affairs, 2024), to the highly publicised Optus (2022) and Latitude (2023) data breaches, most Australians’ information has been part of a major data breach. The Office of the Australian Information Commissioner (OAIC) was notified of 595 data breaches from July to December 2024, with the health sector reporting more data breaches than any other sector (OAIC, 2025a). Similarly, in other countries data breaches are of ongoing concern.
Health data breaches have the potential to expose a vast amount of highly sensitive personal information. This includes a wide range of data that individuals may be reluctant to share with others, even those closest to them (Nass et al., 2009). The specific concerns and reasons for this reluctance are varied and complex, reflecting the diversity of individual preferences, cultural norms, and personal experiences.
However, privacy within healthcare is more complex and varied than the large-scale events we see in the media when breaches like the Medibank breach (Taylor, 2022) occur. Everyday interactions between practitioners, patients and other stakeholders also require careful consideration through a privacy lens.
This chapter explores the concept of privacy, with particular attention to the Australian context. It also examines state and territory privacy legislation and privacy principles. Patient consent and ethical data usage within an increasingly connected and digital healthcare industry are also considered. In this rapidly evolving context, understanding privacy is essential to safeguarding health information and patient confidentiality.
Part 1 – The Privacy Context in Australia
Privacy is a fundamental human right that enables individuals to “live a dignified, fulfilling, safe and autonomous life” (Australian Law Reform Commission, 2014, Guiding Principles, Principle 1). There are three main ways to look at privacy: physical privacy, surveillance, and information privacy (OAIC, 2024e). This chapter focuses on information privacy; specifically, how individuals’ personal information is handled or “promoting the protection of information that says who we are, what we do and what we believe” (OAIC, 2024e). In Australia, the National Safety and Quality Health Service Standards also require health services to adopt the Australian Charter of Healthcare Rights, which explicitly lists privacy as a fundamental right (Australian Commission on Safety and Quality in Health Care, 2020). The Charter of Aged Care Rights also explicitly lists personal privacy as a right (Aged Care Quality and Safety Commission, 2019).
Privacy Laws in Australia
In Australia, the privacy laws that apply to you vary depending on your workplace. At the federal level, the Privacy Act 1988 (Cth) regulates how personal information is handled and comprises 13 Australian Privacy Principles (APPs). The Privacy Act 1988 (Cth) is regulated by the OAIC (2024c) and applies to all Australian Government agencies, organisations with an annual turnover of more than $3 million, and certain other organisations, such as private sector health service providers regardless of turnover.
Each state and territory has its own privacy legislation that public health organisations must adhere to. Some states have also enacted legislation specifically for health information. The map and table below offer a detailed overview of legislation by state and territory.
Jurisdiction | Public Sector | Private Sector – Generally | Private Sector – Health |
---|---|---|---|
Commonwealth | Privacy Act 1988 (Cth) | Privacy Act 1988 (Cth) | Privacy Act 1988 (Cth) |
Queensland | Information Privacy Act 2009 (QLD); The Information Privacy and Other Legislation Amendment Bill (2023) | Privacy Act 1988 (Cth) | Privacy Act 1988 (Cth) |
Victoria | Privacy and Data Protection Act 2014 (Vic); Health Records Act 2001 (VIC) | Privacy Act 1988 (Cth) | Health Records Act 2001 (VIC); Privacy Act 1988 (Cth) |
New South Wales | Privacy and Personal Information Protection Act 1998 (NSW); Health Records and Information Privacy Act 2002 (NSW) | Privacy Act 1988 (Cth) | Health Records and Information Privacy Act 2002 (NSW); Privacy Act 1988 (Cth) |
Tasmania | Personal Information Protection Act 2004 (TAS) | Privacy Act 1988 (Cth) | Privacy Act 1988 (Cth) |
Western Australia | Privacy and Responsible Information Sharing Act 2024 (WA) | Privacy Act 1988 (Cth) | Privacy Act 1988 (Cth) |
Northern Territory | Information Act 2002 (NT) | Privacy Act 1988 (Cth) | Privacy Act 1988 (Cth) |
Australian Capital Territory | Information Privacy Act 2014 (ACT); Health Records (Privacy and Access) Act 1997 (ACT) | Privacy Act 1988 (Cth) | Privacy Act 1988 (Cth); Health Records (Privacy and Access) Act 1997 (ACT) |
South Australia | Information Privacy Principles | Privacy Act 1988 (Cth) | Privacy Act 1988 (Cth) |
What is Personal Information?
The definition of personal information differs between pieces of legislation, but the Privacy Act 1988 (Cth) defines it as:
“Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.”
It is important to understand the definition of personal information for the jurisdiction in which you work. Examples of personal information include:
- Name, date of birth, home address, email address, phone number
- Sensitive information – including health and genetic information
- Credit information
- Photographs and video recordings
- Internet protocol (IP) addresses
- Facial or voice recognition (OAIC, 2024d).
What is Health Information?
Under the Privacy Act 1988 (Cth), health information is considered sensitive information and encompasses all personal information collected while delivering a health service, whether that information is collected before, during, or after the service (OAIC, 2019i).
Privacy Key Terms
Regardless of which legislation you are following, there are key terms within privacy that all health information managers or those working with health information should understand.
Collection
Healthcare organisations can collect health information about a patient if it relates to the functions or activities of the healthcare service, such as delivering healthcare services, and the patient has given their consent (discussed in greater detail in Part 3 of this chapter). Health information should always be collected directly from the patient unless this is unreasonable or impractical; for example, in an emergency where the patient is unresponsive, where the patient is a child, or where the patient is an adult who lacks capacity (OAIC, 2019i). In these instances the next of kin or a family member would provide the information. Health information should never be collected “just in case”.
Health information should also be collected in accordance with local laws (e.g., it should not breach any state, territory, or Commonwealth laws) and through fair means (e.g., collecting the information without intimidation or deception). All jurisdictions regulate collection, so it is important to understand the principles of collection for your relevant jurisdiction (OAIC, 2019i). International laws will differ from those in Australia.
It is also important to recognise the collection of unsolicited health information and establish procedures to manage this information to ensure an individual’s privacy is appropriately protected (OAIC, 2019i). For example, if a healthcare organisation receives health information they have not requested, it was not collected in relation to the functions or activities, and the patient did not consent (or an exception applies), the organisation needs to assess whether it should have collected the information. If it is deemed inappropriate and the healthcare organisation should not have collected the health information, it should be destroyed or de-identified (OAIC, 2019i).
It is also crucial to understand how health information is collected, as the collection of health information is expected to increase with the implementation of more digital health systems, tools, and services. Health information can be collected on paper registration and clinical forms, online forms, electronic medical records, clinical photos and videos, over the phone, via telehealth, via email or chats, via mobile health and applications, robotics and artificial intelligence or by remote monitoring through either patient owned wearable technologies or supplied remote monitoring kits.
One of the most crucial safeguards for privacy is understanding what needs to be collected. Simply put, the less information collected, the less the healthcare organisation has to manage (OAIC, 2019b), reducing the risk for the organisation. Health information managers should work across the healthcare organisation to ensure that healthcare workers consider data minimisation when designing new collection processes or changing a process. Some aspects to consider include:
- What health information is necessary for the delivery of the function or activity?
- Is this information already being collected by the healthcare organisation, so that you would be collecting it again?
- Can the process be achieved without collecting the health information or would a smaller amount of health information meet the needs?
- Could the process be achieved using anonymous or de-identified data?
Use and Disclosure
Once health information has been collected, it will then be used or disclosed. The use of health information refers to the management of health information to perform the necessary activities or functions, and it remains within the healthcare organisation’s effective control (OAIC, 2018a). This includes searching for the patient in the patient master index, a clinician reviewing the electronic medical record before seeing a patient, or billing the patient for their outpatient visit. On the other hand, disclosure refers to health information being made accessible to others outside of the healthcare organisation, as subsequent handling of the health information is then outside the healthcare organisation’s control (OAIC, 2019d). For example, a patient’s medical record is provided to another healthcare provider for ongoing care, providing health information to a health insurer, or providing health information to law enforcement. Disclosure could also include accidentally providing health information to an unintended recipient, leading to a data breach, as discussed later in this chapter.
The use and disclosure of health information are regulated by privacy laws and this information should only be used or disclosed for the primary purpose for which it was collected or for a secondary purpose if an exception applies (OAIC, 2019i). This point emphasises why it is so important to understand what information is being collected and why, as this knowledge guides how health information can be used and shared. It is also essential that the healthcare organisation’s privacy policy is up to date (touched on further later in this chapter).
Within the Privacy Act 1988 (Cth), the following exceptions apply for a secondary purpose. This is referred to in further detail in Chapter 6 of the Act: APP 6 Use or disclosure of personal information (OAIC, 2019d). The information in the box below was adapted from Chapter 6 of the Act for a health context.
- The patient has consented to a secondary use or disclosure.
- The patient would reasonably expect the healthcare organisation to use or disclose their health information for the secondary purpose, and that purpose is directly related to the primary purpose (e.g., the patient is referred to a specialist by a GP, as most patients would expect their health information to be disclosed in the referral. Similarly, if a specialist is writing a letter back to the GP about the patient’s care, most patients would expect this). Patients are usually informed that these referrals and letters are going to occur by the GP or specialist, which further supports the patient’s reasonable expectation of this occurring (OAIC, 2019i).
- The secondary use or disclosure is required or authorised by or under an Australian law (e.g., mandatory reporting of child abuse under care and protection laws or mandatory notification of certain communicable diseases under public health laws (OAIC, 2019i) or a court/tribunal order such as receiving a subpoena for healthcare records).
- A permitted general situation exists in relation to secondary use or disclosure.
  - Such as to lessen or prevent a serious threat to life, health or safety (e.g., receiving a request for information from a hospital about a patient who is unresponsive, seriously injured, and unable to consent. The information will ensure the hospital can provide safe and effective treatment. This disclosure is suitable as it is necessary to lessen a serious threat to the patient’s life [OAIC, 2019e]).
- A permitted health situation exists in relation to the secondary use or disclosure.
  - The use or disclosure is necessary for conducting research or compiling or analysing statistics relevant to public health or public safety (refer to Chapter 6 of the Act for additional details).
  - The use or disclosure is necessary to prevent a serious threat to the life, health, or safety of a genetic relative of the patient.
  - The disclosure is to a person responsible for the patient.
- The healthcare organisation reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by or on behalf of an enforcement body.
If you are working as a health information manager or working with health information in another jurisdiction, it is best to refer to the relevant privacy legislation to understand uses and disclosures within that jurisdiction (defined in the table earlier in the chapter).
Cross-border Disclosure
Health information may need to be disclosed across state or territory borders, or even overseas. Jurisdictions have key requirements that healthcare organisations need to meet to ensure that cross-border disclosures are safe and that legislation is not breached (OAIC, 2019f). It is essential that checks are implemented before disclosure occurs. These could include a contractual agreement stipulating that the information is handled in accordance with the relevant privacy legislation, disclosing health information only to other states/territories or countries with substantially similar privacy legislation, or obtaining the individual’s consent (Information and Privacy Commission, 2019). Once again, the relevant legislation will provide greater insight into cross-border disclosures and should be referred to for further detail.
Access and Corrections
From a patient-centred care perspective, it is vital to empower patients to actively participate in their care. If they are aware of the information stored about them, they can verify the accuracy of their records, identify potential errors, and ensure that decisions about their health are based on complete and correct information. Health providers and other entities holding this data must have clear, accessible processes for individuals to request access and, importantly, to seek corrections if inaccuracies are found.
Privacy legislation across Australia (state, territory, and federal) allows patients to access the personal information healthcare organisations hold about them, noting there are some circumstances in which healthcare organisations can refuse. Patients (or their responsible person) may request access to this information for several reasons, including transferring their care to a new healthcare provider or reviewing what health information has been collected about them. Patients (or their responsible person) can also request corrections to the health information held about them if it is inaccurate. Each jurisdiction will include a provision in their laws that allows patients to access and correct information held about them, noting that what a patient can access or correct will be dependent on the request and the legislation. In some situations, a patient may be granted access to the health record in its entirety, while in other situations, it may be a subset.
Health service providers should have procedures for access requests. This process should include a form for patients to complete to request access indicating what health information they require; that is, the entire record or a specific part within the record (e.g., a date range or admission number). Before sharing any information with a patient, it is essential to verify their identity. Information can be provided to patients in a number of ways, including hardcopies, viewing the information on site, or providing a recording to watch onsite. The type of information will dictate this, as described in APP 12 of the Act (OAIC, 2019h).
In certain circumstances, an individual (e.g., parent, guardian, or lawyer) may request information on a patient’s behalf. Health information can be provided to these individuals; however, it is first necessary to understand and verify:
- Whether the individual has the authority to act on the patient’s behalf and for this type of request (e.g., parent of the child, asking for a power of attorney document, requesting consent from the patient if a lawyer is requesting the information on their behalf).
- The identity of the individual before providing access to the health information.
Healthcare organisations may want to refuse access. However, if possible, the documentation should be provided, and exempt information should be blacked out. If an access request is refused, the patient or individual requesting access must be notified in writing. Each jurisdiction will have procedures to allow complaints or appeals about a refusal and must provide information about how to escalate concerns.
Patients may also want to correct health information held about them, and healthcare organisations should also have processes to enable this. Health information managers may develop different procedures for updating personal information when a patient contacts the healthcare organisation (e.g., updating their address details within the patient master index or updating inaccuracies in a medical record, which may require additional input from clinicians).
My Health Record
My Health Record, Australia’s national electronic health record, is another way patients can easily access their health information (myGov, 2025). My Health Record includes various clinical documents, including discharge summaries, pathology reports, diagnostic imaging reports, e-Referrals and event summaries to name a few. See the Electronic Medical and Health Records chapter for more information about My Health Record.
Health Information Security
Healthcare organisations need to protect the health information they manage. All privacy legislation clearly defines that healthcare organisations are responsible for protecting health information against loss or unauthorised access, use, disclosure, or modification (Health Records and Information Privacy Act 2002; OAIC, 2019g; OVIC, 2021). Organisations can protect health information in several ways, including the following security controls ranging from policy to technical countermeasures:
- Organisational wide policies and procedures,
- Providing mandatory in person or e-learning training,
- Building a privacy and security culture,
- Having access controls (e.g., passwords to access systems, two-factor authentication),
- IT security controls (e.g. firewalls, encryption),
- Physical controls (e.g. swipe access to medical records), and
- Having clearly defined data breach response plans that have been tested.
These are discussed further in the Cyber Risk Management chapter.
Healthcare organisations must also ensure that health information is either destroyed or de-identified when no longer required for approved purposes, unless an exemption applies.
Retention and Disposal
Health information should not just be kept, as it can pose a risk to the organisation. Health information that has reached its retention period should be assessed to see if it can be destroyed or de-identified. Retention periods for health information vary across states and territories, and the relevant health record retention and disposal schedule should be consulted to determine how long the health information should be retained. Retention periods are relevant to both electronic and paper records. Once an assessment on what records can be destroyed has been completed and approved, health information managers should work with the relevant teams to ensure that electronic records, including metadata, are securely deleted. Health information managers are also responsible for coordinating the safe disposal of paper records and ensuring they are securely disposed of once their minimum retention has been reached and they are no longer required.
Third parties should also be required to abide by the retention and disposal schedule by incorporating retention clauses into the contract. See the Data: the Heart of the Healthcare System chapter for more information about retention and disposal.
De-identification
De-identification is another important tool for enhancing privacy; however, this may not be suitable in all situations. De-identification of health information involves the removal of all identifying details to ensure that the information cannot be re-identified (OAIC, 2018a). When done correctly, this involves a two-step process:
- The healthcare organisation removes the direct identifiers for patients
- The healthcare organisation removes or alters other information that could be used to re-identify a patient and/or uses controls or safeguards to prevent re-identification.
Once health information is appropriately and thoroughly de-identified, it can be continuously utilised within the healthcare organisation; for example, for research, benchmarking, data analysis, or service planning. Health information managers should participate in the de-identification process. De-identification is not always the best method for managing health information that has reached its retention period, and in such cases, disposing of the health information may be more effective. The CSIRO has developed a De-identification Decision-Making Framework that provides helpful guidance (O’Keefe, 2017).
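A concrete illustration of the two-step process described above, added here as an example; it is not taken from the chapter, the OAIC guidance or the CSIRO framework. It works on a constructed set of fictional records with hypothetical field names, drops the direct identifiers (step one), generalises date of birth to a ten-year age band and the postcode to its leading two digits (step two), and then applies a k-anonymity check as the “controls or safeguards” part of step two: any record whose combination of generalised quasi-identifiers is shared by fewer than k records is suppressed before release, because a unique combination is exactly what a re-identification attempt would match on. The reference date, the band width, the postcode rule and k = 2 are all assumptions chosen for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample records (fictional patients, hypothetical field names).
AS_OF = date(2025, 7, 1)  # fixed reference date so age bands are reproducible
RECORDS = [
    {"urn": "URN0001", "name": "Patient One", "dob": "1958-03-14", "postcode": "7000", "sex": "F", "diagnosis": "Type 2 diabetes"},
    {"urn": "URN0002", "name": "Patient Two", "dob": "1961-11-02", "postcode": "7010", "sex": "F", "diagnosis": "Hypertension"},
    {"urn": "URN0003", "name": "Patient Three", "dob": "1990-05-20", "postcode": "7250", "sex": "M", "diagnosis": "Asthma"},
    {"urn": "URN0004", "name": "Patient Four", "dob": "1988-09-09", "postcode": "7250", "sex": "M", "diagnosis": "Asthma"},
    {"urn": "URN0005", "name": "Patient Five", "dob": "2001-01-30", "postcode": "7300", "sex": "F", "diagnosis": "Fracture"},
    {"urn": "URN0006", "name": "Patient Six", "dob": "1955-12-25", "postcode": "7000", "sex": "F", "diagnosis": "Type 2 diabetes"},
]

# Step 1: fields that identify a person outright; these are dropped entirely.
DIRECT_IDENTIFIERS = {"urn", "name", "dob", "address", "phone", "email", "medicare_no"}
# Step 2: fields that identify someone only in combination; these are generalised
# and then checked as a group.
QUASI_IDENTIFIERS = ("age_band", "postcode_area", "sex")


def age_band(dob_iso: str, as_of: date, width: int = 10) -> str:
    """Replace an exact date of birth with a ten-year age band such as '60-69'."""
    born = date.fromisoformat(dob_iso)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def postcode_area(postcode: str) -> str:
    """Keep only the leading two digits of a postcode (constructed generalisation rule)."""
    return postcode[:2] + "xx"


def deidentify_record(record: dict, as_of: date = AS_OF) -> dict:
    """Apply both steps to one record: drop direct identifiers, generalise quasi-identifiers."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["age_band"] = age_band(record["dob"], as_of)
    out["postcode_area"] = postcode_area(out.pop("postcode"))
    return out


def _key(record: dict) -> tuple:
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def group_sizes(records: list[dict]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(_key(r) for r in records)


def k_anonymity(records: list[dict]) -> int:
    """The dataset's k: the size of its smallest quasi-identifier group (0 if empty)."""
    sizes = group_sizes(records)
    return min(sizes.values()) if sizes else 0


def release(records: list[dict], k: int = 2, as_of: date = AS_OF) -> tuple[list[dict], list[dict]]:
    """De-identify every record, then suppress any record whose quasi-identifier
    combination is shared by fewer than k records. Returns (released, suppressed)."""
    deid = [deidentify_record(r, as_of) for r in records]
    sizes = group_sizes(deid)
    released = [r for r in deid if sizes[_key(r)] >= k]
    suppressed = [r for r in deid if sizes[_key(r)] < k]
    return released, suppressed


if __name__ == "__main__":
    raw_k = k_anonymity([deidentify_record(r) for r in RECORDS])
    released, suppressed = release(RECORDS, k=2)
    print(f"k before suppression = {raw_k}")
    print(f"released {len(released)} records (k = {k_anonymity(released)}), suppressed {len(suppressed)}")
    for r in released:
        print(r)
```

Running the block shows why the second step matters: after step one the set still has k = 1, because the one patient in the 20-29 band in the 73xx area is unique, so that record is held back and the released set reaches k = 2. The check only addresses identity disclosure through the quasi-identifiers; the diagnosis column can still reveal an attribute shared by a whole group, which is one of the reasons the chapter points to the CSIRO framework rather than a single mechanical rule.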
Anonymity and Pseudonyms
Healthcare organisations must establish procedures that allow individuals to engage with them anonymously or by using a pseudonym where it is lawful and practicable. To maintain anonymity, they must be able to interact with the healthcare organisation without disclosing any personal information or identifiers (e.g., they might call the healthcare organisation to ask about parking or visiting hours). Anonymity in healthcare is often not practicable, especially if an individual is seeking healthcare. Similarly, using a pseudonym is not always practical. For someone to use a pseudonym, they would need to provide the health service with a name, term, or descriptor instead of using their real name. An example of this would be a username, screen name, a fictitious name, or email address that does not include the individual’s actual name.
When evaluating a new service or modifying a service, it is important to consider whether individuals could engage with the healthcare organisation while remaining anonymous or by using a pseudonym to safeguard their privacy.
Data Quality
Data quality is another key aspect of privacy legislation and protecting individuals’ privacy. This ensures that health information is accurate, complete, up to date, and not misleading. Good data quality practices ensure that the quality of the health information remains high, as decisions are made using this information. Healthcare organisations must embed processes into practice to confirm that health information is correct when it is collected, used, or disclosed. If the information is out of date, inaccurate, incomplete, or misleading, it should be revised accordingly. As discussed in the Access and Correction section, enabling patients to review their health information assists with ensuring data quality. Methods for ensuring data quality practices include asking for a Medicare card at each visit, asking the patient to provide their address and phone number at their visit via open-ended question techniques, providing the patient with a demographics form to complete, and making fields mandatory before their first visit (e.g., through a patient portal).
Privacy Principles
The key terms mentioned above form part of the privacy principles for each jurisdiction. Breaching the privacy principles can result in regulatory action and penalties for healthcare organisations. Table 2 below summarises the privacy principles for each jurisdiction.
Jurisdiction | Description |
---|---|
Australia | Core to the Privacy Act 1988 (Cth) are the 13 Australian Privacy Principles (APPs). They are principles-based law and technology neutral. They apply to any organisations or agencies that the Privacy Act 1988 (Cth) covers and describe topics including governance and accountability, collection, use, disclosure, access and corrections. |
Australian Capital Territory | The Australian Capital Territory has 12 privacy principles governing the collection, use, storage, access and disclosure of health information, which form part of the Health Records (Privacy and Access) Act 1997 (ACT). It is applicable to public and private health services. For more information see: Health Records (Privacy and Access) Act 1997 – Acts; Health Service – HRC. The Australian Capital Territory also has an Information Privacy Act 2014 (ACT), which includes 13 territory privacy principles covering the collection, use, disclosure, storage, access and correction of personal information. These principles are applicable to all public sector agencies. For more information see: The ACT Information Privacy Act – HRC |
New South Wales | New South Wales has 15 health privacy principles that are key to the Health Records and Information Privacy Act 2002 (NSW). These principles govern the collection, use, handling, and disclosure of health information and apply to all NSW public sector agencies and private sector organisations. For more information see: Health Privacy Principles (HPPs) explained for members of the public. The state also has 12 information protection principles that are legal obligations covering the collection, use, storage and disclosure of personal information. They form part of the Privacy and Personal Information Protection Act 1998 (NSW) and are applicable to public sector agencies, statutory bodies, universities and local councils. For more information see: Information Protection Principles (IPPs) for agencies |
Northern Territory | The Northern Territory has 10 information privacy principles for the collection and handling of personal information, including health information. These principles are applicable to public sector organisations and form part of the Information Act 2002 (NT). For more information see: Overview – The Office of the Information Commissioner Northern Territory |
Queensland | Queensland has transitioned to having one set of privacy principles for both health and non-health agencies. These principles govern how organisations handle personal information. There are 13 principles following the APP model, with 7, 8 and 9 not being used or implemented. These principles form part of the Information Privacy Act 2009 (Qld) and are applicable to Queensland Government agencies. For more information see: Basic Guide to the Queensland Privacy Principles [PDF] |
South Australia | South Australia is governed by information privacy principles, which regulate the way South Australian agencies can collect, use, store and disclose personal information and grant access to and correct personal information. These principles form part of the information privacy principles instruction, which needs to be implemented, maintained, and observed by state agencies. For more information see: Information Privacy Principles Instruction – State Records of South Australia |
Tasmania | Tasmania has 10 personal information protection principles that are outlined in the Personal Information Protection Act 2004 (Tas). These principles cover the collection, use, disclosure, and handling of sensitive information. All public authorities are governed by these principles, including public hospitals. For more information see: Ombudsman Tasmania |
Victoria | Within Victoria, the Health Records Act 2001 (VIC) includes 11 health privacy principles that cover the collection and handling of health information. They apply to both the Victorian public and private sectors. For more information see: Health Records Act – health.vic.gov.au. Victoria also has 10 information privacy principles that set out how public sector organisations should handle personal information. For more information see: Information Privacy Principles – Full Text – Office of the Victorian Information Commissioner |
Western Australia | Western Australia has just introduced new legislation that includes 11 information privacy principles that cover the collection, use, disclosure, and handling of personal information, automated decision making, and access and corrections. The principles are applicable to all public entities, including public hospitals. For more information see: Privacy and Responsible Information Sharing Bill 2024 [PDF] |
Part 2 – Privacy in Practice
Privacy legislation in each jurisdiction provides a robust framework for protecting health information. However, for privacy to be effective, organisations require more than legislation. Organisations must actively implement measures to translate these legal requirements into practice, which involves embedding privacy considerations into every stage of information handling, from collection and storage to use and disclosure. This involves not only adhering to the jurisdiction’s privacy legislation, but also anticipating and mitigating potential privacy risks. Two key concepts that can assist organisations in achieving this are “privacy by design” and “privacy impact assessments”. These frameworks provide practical guidance for embedding privacy into the design and implementation of projects and systems, ensuring that the protection of personal information is prioritised from the outset.
Privacy by Design and the Five Safes
Privacy by design is a concept that embeds privacy considerations into the design and development of systems, products, and services. Rather than treating privacy as an afterthought, this proactive approach integrates privacy into the initial design and development phases.
Proposed by Ann Cavoukian (2011), privacy by design is based on seven foundational principles:
- Proactive not Reactive: Anticipate and prevent privacy invasive events before they occur.
- Privacy as the Default: Ensure personal data is automatically protected in any system or process.
- Privacy Embedded Into Design: Incorporate privacy protections into the core functionality of systems and technologies.
- Full Functionality: Avoid unnecessary trade-offs between privacy and other system functionalities.
- End-to-end Security: Maintain secure handling of personal data throughout the entire lifecycle of a product or service.
- Visibility and Transparency: Ensure that systems and practices are open and accountable to users.
- Respect for User Privacy: Keep the interests and needs of individuals paramount in the design and operation of systems.
These principles emphasise a user-centric approach (7), proactively addressing privacy concerns (1, 2, 3) throughout the entire lifecycle of a product or service (5). The framework seeks to balance functionality (4) with robust privacy protections while ensuring accountability and transparency (6). The principles can be applied broadly within healthcare, both to how data are handled technically and to provider-consumer interactions. Principles 1, 2, 3 and 7, for example, are reflected in practical measures such as minimising the data collected from a patient, avoiding duplicate collection of health information, and de-identifying data so that individuals cannot be readily identified.
A widely used practical framework that can enable privacy by design principles is the Five Safes Framework (Australian Institute of Health and Welfare, 2023), which has been used in Australia and the UK across the last two decades. It provides a structured approach to assess and mitigate the risk of disclosing identifiable patient data, ensuring privacy is embedded throughout the data access lifecycle, while enabling crucial health research and analysis.
The framework requires considering five interdependent elements:
- Safe People: Ensuring only authorised, trained researchers or health analysts, bound by strict confidentiality agreements and ethical standards, can access patient data.
- Safe Projects: Confirming data use is restricted to specific, ethically approved health research or healthcare improvement projects with clear public benefit.
- Safe Settings: Guaranteeing access occurs within secure physical or digital environments with robust technical controls preventing unauthorised access or data leakage.
- Safe Data: Applying statistical disclosure controls, such as de-identification or aggregation, to patient records to minimise the risk of individuals being re-identified.
- Safe Outputs: Vetting all released statistics or research findings to prevent the disclosure of information attributable to individual patients (e.g., suppressing small cell counts) (Australian Institute of Health and Welfare, 2023).
By addressing these five areas, the framework puts privacy by design into practice, balancing the use of valuable health data with the fundamental obligation to protect patient privacy (Australian Institute of Health and Welfare, 2023). Another key tool for achieving these goals in a verifiable way is a privacy impact assessment.
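The Safe Data and Safe Outputs elements are the two where the work can be partly automated. The following is an added example written for this chapter, not code from the AIHW framework or any real data-access system: it aggregates constructed encounter records into a region by diagnosis count table, hides small cells, then applies complementary suppression so that published row and column totals cannot be used to back-calculate a hidden cell, and finishes with the vetting check a Safe Outputs reviewer would run before anything leaves the secure setting. The regions, diagnoses, counts and the threshold of 5 are assumptions for illustration only.

```python
from collections import Counter

# Constructed sample for this example (not real patient data): one tuple per
# encounter, (region, diagnosis). Regions and diagnoses are placeholders.
RECORDS = (
    [("North", "diabetes")] * 6 + [("North", "asthma")] * 5 + [("North", "HIV")] * 1
    + [("South", "diabetes")] * 7 + [("South", "asthma")] * 6 + [("South", "HIV")] * 5
)
THRESHOLD = 5                 # a count of 1..THRESHOLD-1 is a disclosive small cell
SUPPRESSED = f"<{THRESHOLD}"  # what a hidden cell shows in the released table


def aggregate(records):
    """Safe Data step: collapse unit records into a region x diagnosis count table."""
    counts = Counter(records)
    rows = sorted({r for r, _ in counts})
    cols = sorted({c for _, c in counts})
    table = {(r, c): counts.get((r, c), 0) for r in rows for c in cols}
    return rows, cols, table


def lines(rows, cols):
    """Each row and each column as a list of cell keys (the lines whose totals are published)."""
    for r in rows:
        yield [(r, c) for c in cols]
    for c in cols:
        yield [(r, c) for r in rows]


def primary_only(table, threshold=THRESHOLD):
    """Naive release: hide small cells and nothing else. Unsafe when totals are published."""
    return {k: (SUPPRESSED if 0 < n < threshold else n) for k, n in table.items()}


def suppress(rows, cols, table, threshold=THRESHOLD):
    """Safe Outputs step: primary suppression, then complementary suppression repeated
    until no row or column has exactly one hidden cell (which its total would reveal)."""
    hidden = {k for k, n in table.items() if 0 < n < threshold}
    changed = True
    while changed:
        changed = False
        for line in lines(rows, cols):
            if sum(k in hidden for k in line) != 1:
                continue
            # hide the smallest remaining non-zero cell in this line as a complement
            candidates = [k for k in line if k not in hidden and table[k] > 0]
            if candidates:
                hidden.add(min(candidates, key=lambda k: table[k]))
                changed = True
    released = {k: (SUPPRESSED if k in hidden else n) for k, n in table.items()}
    totals = {("row", r): sum(table[(r, c)] for c in cols) for r in rows}
    totals.update({("col", c): sum(table[(r, c)] for r in rows) for c in cols})
    return released, totals


def verify_outputs(rows, cols, released, threshold=THRESHOLD):
    """Output-vetting check run before a table leaves the secure setting.
    Returns a list of problems; an empty list means the table passes."""
    problems = []
    for k, v in released.items():
        if isinstance(v, int) and 0 < v < threshold:
            problems.append(f"small cell visible at {k}: {v}")
    for line in lines(rows, cols):
        if sum(released[k] == SUPPRESSED for k in line) == 1:
            problems.append(f"only one hidden cell in line starting {line[0]}: its total reveals it")
    return problems


def release(records, threshold=THRESHOLD):
    """Full pipeline: aggregate, suppress, vet."""
    rows, cols, table = aggregate(records)
    released, totals = suppress(rows, cols, table, threshold)
    return rows, cols, released, totals, verify_outputs(rows, cols, released, threshold)


if __name__ == "__main__":
    rows, cols, released, totals, problems = release(RECORDS)
    print("region".ljust(8), *(c.ljust(9) for c in cols), "total")
    for r in rows:
        print(r.ljust(8), *(str(released[(r, c)]).ljust(9) for c in cols), totals[("row", r)])
    print("problems:", problems or "none")
```

The naive `primary_only` release looks safe cell by cell, but `verify_outputs` rejects it: the North row total and the HIV column total each expose the single hidden cell. Complementary suppression then cascades (hiding North asthma forces South HIV and South asthma to be hidden too), which is the usual trade-off between Safe Data and the usefulness of the output.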
Privacy Impact Assessment
In contrast to the overarching principles of privacy by design, which guide the entire development lifecycle, a privacy impact assessment (PIA) offers a more focused and granular approach to privacy. This is a structured process used to identify and evaluate the specific risks to personal information within a particular project or activity, which is particularly important when dealing with new technologies or sensitive data, including health information or data sharing initiatives. A privacy threshold assessment (PTA) is a helpful tool to ascertain whether a PIA is required. The PTA will assist organisations to determine whether the project or activity has a potential privacy impact and provide health information managers with an understanding of the privacy risk. A PTA is necessary if a project involves a new or changed method for handling personal information. If the project or activity is deemed high risk, then a PIA will be required.
A PIA is a detailed privacy risk assessment. It systematically examines how a project may impact an individual’s privacy by analysing the types of personal information involved, how it will be used, and where vulnerabilities might exist. This process helps organisations pinpoint potential privacy issues before they arise, allowing them to proactively implement safeguards.
The OAIC (2021) provides detailed guidance on conducting PIAs (including PTAs), emphasising the importance of stakeholder consultation and thorough documentation. This ensures that diverse perspectives are considered and that the PIA process is transparent and accountable. By undertaking this rigorous assessment, organisations can confidently demonstrate their commitment to privacy and build trust with individuals. Most jurisdictions have their own templates for completing a PIA that can be adapted for your organisation.
Privacy Policy
A privacy policy outlines how an organisation handles personal information (OAIC, 2024c). These are required for any organisation or agency subject to the Privacy Act 1988 (Cth). Most state and territory agencies also require one, as per their applicable privacy legislation. A privacy policy includes details about:
- The kinds of personal information that are collected and stored.
- How personal information is collected and stored.
- Why personal information needs to be collected.
- How the organisation will use and disclose personal information.
- Whether personal information will be disclosed outside Australia and, where practicable, to which countries.
- How an individual can access their own personal information and correct it if required.
- How an individual can make a complaint, how it will be handled, and the organisation’s name and contact details (OAIC, 2024c).
Privacy policies should be available to healthcare consumers and the public free of charge. It is generally expected that this information is available on an organisation or agency’s website.
When creating or updating a privacy policy, it is important to understand how the healthcare organisation manages personal information, including its collection, use, and disclosure. It should also be written in plain English and avoid legal jargon.
Privacy Collection Notices
Privacy collection notices are different to privacy policies and cover the information handling practices for a specific purpose or activity (OAIC, 2019c; OVIC, 2019). These should be given to an individual either prior to or at the time of collection. A privacy collection notice could be included on the bottom of a medical history form handed to a patient to complete, appear on an e-form, be a recording played to patients before information is collected, or be on a website where personal information is being collected. There may be times when a privacy collection notice is not reasonable or practical to provide to a patient at the time. If this occurs, the healthcare service should provide this notice as soon as possible. Healthcare organisations can also have privacy brochures that discuss the organisation’s health information handling practices and display these in waiting areas, on the website, on a patient portal, or provide them to patients as part of their pre-admission documentation.
In accordance with Australian Privacy Principle 5 (OAIC, 2019c), collection notices inform individuals about the information being collected, who is collecting it, the purpose of collection, and any potential disclosures or access by others. They also include contact details for the collecting organisation. Collection notices provide transparency and help individuals understand what data they are providing and with whom it may be shared. Other jurisdictions may also require privacy collection notices and the relevant privacy principles should be referred to.
Third Parties
The complexity of where and how information is stored and accessed has increased due to the involvement of third-party providers in health information management. Entities such as cloud storage services, analytics platforms, and app developers often collect, process, or store health information. Ethical practice dictates that individuals are fully informed about the involvement of any third parties, as outlined in collection notices and privacy policies. This includes understanding what data these parties will access, how they will use it, where it will be stored (especially if overseas), and what security measures are in place. Organisations engaging third parties must ensure that those parties adhere to the same high standards of privacy and security required under the relevant privacy legislation.
Data Breach Notification
The Notifiable Data Breaches scheme, established under the Privacy Act 1988 (Cth), requires organisations, including those in the health sector, to notify affected individuals and the OAIC of eligible data breaches. Individuals have a right to know whether their health information has been compromised, the nature of the breach, the potential risks, and the steps being taken to mitigate harm. Health service providers consistently report more data breaches to the OAIC than any other sector; from January to July 2024, 102 health service providers reported data breaches (OAIC, 2024b). The OAIC groups the causes of these breaches into malicious or criminal attacks, human error, and system faults.
Mandatory Data Breach Reporting
An eligible data breach occurs when there is unauthorised access to, unauthorised disclosure of, or loss of personal information, and the breach is likely to result in serious harm to the individuals concerned (OAIC, 2025c). Examples include a device containing personal data being lost, a database being hacked, or information being sent to the wrong person.
Organisations are required to conduct a reasonable and prompt assessment to determine whether a data breach is eligible for notification (with a maximum timeframe of 30 days). If so, they must notify the OAIC as soon as practicable, providing details about the breach and the steps taken to mitigate harm. Affected individuals must also be notified, with recommendations on how to protect themselves (OAIC, 2025b).
In addition to the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), notifiable data breach schemes exist at the state level, such as the Mandatory Notification of Data Breach Scheme under the Privacy and Personal Information Protection Act 1998 (NSW), the information breach notification scheme in the Privacy and Responsible Information Sharing Bill 2024 in Western Australia, and the Mandatory Notification of Data Breach Scheme under the Information Privacy Act 2009 (QLD) in Queensland.
Part 3 – Informed Patient Consent and Legal Obligations
Informed consent is a cornerstone of ethical health information management in Australia, ensuring individuals retain autonomy over their personal health information. It signifies a voluntary agreement by an individual to participate in the collection, use, or disclosure of their information based on a comprehensive understanding of the proposed activity. This principle is embedded in the Privacy Act 1988 (Cth), particularly within the APPs. It also is addressed in other jurisdictions’ privacy principles as mentioned above.
The APPs state that an organisation or entity must obtain consent before collecting sensitive information, including health information. The OAIC (2022) provides guidance on achieving valid consent, emphasising that it must be:
- Voluntary: Freely given without coercion or undue pressure.
- Informed: Based on a clear understanding of the purpose, methods, risks, and benefits.
- Specific: Related to a clearly defined purpose and scope of data handling.
- Current: Obtained at the time of collection or prior to a new use or disclosure.
- Provided by a person with capacity: The individual must have the legal capacity to consent (pp. B37-B61).
The traditional model of consent, often characterised by static, one-time agreements, is increasingly being challenged by the concept of dynamic consent (Goncharov et al., 2022). Dynamic consent recognises that individuals should have ongoing control over their personal information and how it is used. This approach empowers individuals to decide how their information is used. Instead of a single, irreversible decision, dynamic consent (a growing method of obtaining consent in healthcare) allows for continuous adjustments over time. As individuals’ circumstances and priorities evolve, they can readily modify their agreed upon consent. This flexibility ensures that people retain authority over their information, fostering trust and transparency in how their information is utilised.
Additionally, consent can also be conveyed in different ways. Explicit consent (also termed express consent) occurs when a patient clearly articulates their agreement, either verbally or through written confirmation (more on this shortly) (OAIC, 2022). However, consent may be implied through a patient’s conduct or actions. For example, if a patient wishes to make an appointment, they will provide their contact details, which reasonably implies permission for that information to be used for the purpose of arranging and managing that appointment.
Written Consent vs Verbal Consent
While both written and verbal consent can be legally valid, their suitability varies depending on the context of health information management.
Written consent, typically documented through a signed form, offers a clear and enduring record of the individual’s agreement (OAIC, 2022). This is particularly important for research projects involving large datasets or the long-term storage of health information. The National Statement on Ethical Conduct in Human Research highlights the importance of written consent for higher-risk research, ensuring transparency and accountability (National Health and Medical Research Council, 2023).
Verbal consent can be suitable for lower-risk activities, such as routine clinical information collection during a consultation. However, it relies heavily on accurate documentation of the discussion and the individual’s understanding. The OAIC (2022) recommends that, even with verbal consent, a record of the conversation and the key elements discussed should be maintained to establish that the consent obtained was truly informed.
Regardless of the method, entities managing health information must provide individuals with clear, accessible information about how their information will be handled, including details on collection, storage, use, disclosure, and security measures (OAIC, 2022). Failure to adhere to the requirements of informed consent can lead to breaches of the Privacy Act 1988 (Cth) and potential penalties. Privacy collection notices should be provided to patients to assist with this and can be provided for both written and verbal consent (OAIC, 2019c).
Ultimately, informed consent empowers individuals to make informed decisions about their health information and fosters trust in the responsible management of sensitive data within the Australian healthcare system (OAIC, 2022). From a health information management perspective, it is vital that consent is granted and recorded in an appropriate manner, and able to be modified in the future to facilitate dynamic consent and changing patient needs.
Legal Obligations
Healthcare organisations also have a legal obligation to maintain accurate and complete health information. Health information managers have a duty to assist in meeting these obligations by creating, monitoring, and evaluating policies and procedures supported by legislation, accreditation standards, and other governing documents. This could be done in collaboration with other stakeholders (e.g., clinical governance, health informatics).
Documentation is a critical element in ensuring these obligations are met (Australian Commission on Safety and Quality in Health Care, 2021). Clinical information needs to be recorded in the endorsed health record, because undocumented information and informal documentation processes rely on memory, create silos of information, and can lead to misdiagnosis and harm.
Health information managers should consider the following when maintaining accurate health information:
- Policies and procedures for clinicians on what is expected for clinical documentation at the healthcare organisation (e.g., how addendums should be created, rules around when documentation should occur).
- Procedures for editing or changing health information once it has been documented in the health record.
- Processes or systems to authenticate which clinician made the entry, and the time and date.
- Review of security processes (e.g., the ability to interrogate an audit log).
As health records can also be used as evidence within court, other legal proceedings, or independent public inquiries (e.g., Royal Commissions), it is essential to ensure the health information is accurate, complete, and unaltered.
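The three list items about authenticating who made an entry, controlling changes to documented information, and being able to interrogate an audit log can be implemented together as an append-only, hash-chained record log. The following is an added example written for this chapter, not code from any clinical system or standard: each entry carries an HMAC tag under a per-clinician key (a stand-in for whatever a real system binds to the clinician's authenticated login) and the hash of the previous entry; corrections are written as addendum entries that point at the entry they amend rather than editing it in place; and `verify_log` recomputes the chain so that an in-place edit, a forged author or a deleted entry is detected. The clinician identifiers, keys, record number and note text are constructed.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed per-clinician secrets for this example. In a real system the tag
# would be produced under the clinician's authenticated session, not from a dict.
CLINICIAN_KEYS = {"dr.lee": b"constructed-key-lee", "rn.patel": b"constructed-key-patel"}
GENESIS = "0" * 64   # prev-hash of the first entry


def canonical(fields):
    """Deterministic byte encoding so every verifier hashes exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log, clinician, record_id, action, content, amends=None, when=None):
    """Append-only write. A correction is a new 'addendum' entry that points at the
    entry it amends; the original entry is never edited in place."""
    if clinician not in CLINICIAN_KEYS:
        raise PermissionError(f"unknown clinician {clinician!r}")
    if amends is not None and not 0 <= amends < len(log):
        raise ValueError("addendum must reference an existing entry")
    entry = {
        "seq": len(log),
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "clinician": clinician,
        "record": record_id,
        "action": action,       # "note" or "addendum"
        "content": content,
        "amends": amends,       # seq of the entry this addendum corrects, else None
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    # who wrote it: a keyed tag only the authenticated clinician could produce
    entry["author_tag"] = hmac.new(CLINICIAN_KEYS[clinician], canonical(entry), "sha256").hexdigest()
    # chain link: the next entry commits to this hash, so deletion or reordering is detectable
    entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
    log.append(entry)
    return entry


def verify_log(log):
    """Recompute every tag and hash. Returns [(position, problem), ...]; empty means intact."""
    problems = []
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k not in ("author_tag", "hash")}
        if e["seq"] != i:
            problems.append((i, "sequence gap: entry missing or reordered"))
        if e["prev"] != prev:
            problems.append((i, "chain broken: prev hash does not match previous entry"))
        key = CLINICIAN_KEYS.get(e["clinician"])
        tag = hmac.new(key, canonical(body), "sha256").hexdigest() if key else ""
        if not key or not hmac.compare_digest(tag, e["author_tag"]):
            problems.append((i, "author tag invalid: content altered or clinician unknown"))
        if hashlib.sha256(canonical(dict(body, author_tag=e["author_tag"]))).hexdigest() != e["hash"]:
            problems.append((i, "entry hash mismatch"))
        prev = e["hash"]
    return problems


def build_demo_log():
    """Constructed three-entry log: a note, a second note, and an addendum correcting the first."""
    t = datetime(2025, 3, 4, 9, 30, tzinfo=timezone.utc)
    log = []
    append_entry(log, "dr.lee", "MRN-0001", "note", "BP 140/90, review in 2 weeks", when=t)
    append_entry(log, "rn.patel", "MRN-0001", "note", "Obs recorded, patient comfortable", when=t.replace(hour=10))
    append_entry(log, "dr.lee", "MRN-0001", "addendum", "Correction: BP was 130/85", amends=0, when=t.replace(hour=11))
    return log


def alter_entry(log, seq, **changes):
    """Simulate an in-place edit of a stored entry (what the chain must detect)."""
    bad = copy.deepcopy(log)
    bad[seq].update(changes)
    return bad


def drop_entry(log, seq):
    """Simulate deletion of an entry from the store."""
    bad = copy.deepcopy(log)
    del bad[seq]
    return bad


if __name__ == "__main__":
    demo = build_demo_log()
    print("intact:", verify_log(demo) == [])
    print("edited:", verify_log(alter_entry(demo, 0, content="BP 120/80")))
    print("deleted:", verify_log(drop_entry(demo, 1)))
```

Two design points matter for the evidentiary use described above. The chain only proves integrity from the moment an entry was written, so the latest hash should be periodically anchored somewhere the database administrator cannot rewrite (a write-once store or a signed daily digest); and because a correction is a new entry, an auditor can reconstruct what the record said at any point in time, which an edit-in-place model cannot offer.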
Confidentiality
Within healthcare, discussions frequently focus on the confidentiality and privacy of health information, and the two terms are not interchangeable. As discussed, privacy is governed by the Privacy Act 1988 (Cth) or the relevant state and territory privacy legislation mentioned above. Confidentiality, by contrast, is "a broader obligation that limits the access to information provided by a patient to their healthcare provider during treatment" and arises from several sources, including common law, ethical codes and legislation (Caxton Legal Centre, 2023; see Confidentiality and Privacy of Medical Records in the Queensland Law Handbook Online). Codes of conduct will often stipulate that healthcare providers treat information as confidential; the Medical Board of Australia's "Good medical practice: A code of conduct for doctors in Australia", in force since October 2020, includes a section on confidentiality and privacy (Medical Board of Australia, 2024). When confidentiality is spoken of in a cybersecurity context it has a slightly different, but overlapping, meaning, as discussed in the next chapter.
Part 4 – Ethical Considerations When Using Health Data
Building upon a foundation of informed consent for collecting health information within the context of the privacy principles, ethical data use demands ongoing attention and a commitment to transparency. The sensitive nature of health information necessitates a higher standard of care, enabling individuals to know where their data is being stored, and how it is being used. It is important to consider this in a broad range of contexts, including how data are stored and used, in addition to any possible secondary uses (e.g. research and quality assurance).
Healthcare organisations should commit to the ethical use of data by following the National Statement on Ethical Conduct in Human Research (National Health and Medical Research Council, 2023) within Australia and by drawing on external advice such as the Organisation for Economic Co-operation and Development's (OECD) "10 Good Practice Principles for Data Ethics in the Public Sector" (OECD, 2021) (Figure 1). The National Statement's emphasis on respect for persons, beneficence, and justice provides a clear focus for safeguarding individuals' rights while promoting responsible data use for public benefit (National Health and Medical Research Council, 2023). Weaving these principles into data governance structures can foster trust, facilitate ethical research, and maximise the potential of health data to improve healthcare outcomes.
Figure 1: 10 Good Practice Principles for Data Ethics in the Public Sector as Published by the OECD (2021).
- Ensure data integrity is maintained.
- Adhere to relevant protocols for trustworthy data access, sharing, and utilisation.
- Integrate ethical considerations regarding data into decision-making processes within governmental, organisational, and public sector realms.
- Exercise vigilance over data inputs, especially those influencing AI system development and training, and employ a risk-oriented approach to automated decision-making.
- Clearly define the intended use of data, particularly when handling personal information.
- Establish clear parameters for data access, sharing, and utilisation.
- Promote clarity, inclusivity, and transparency in data practices.
- Release both data and source code openly.
- Empower individuals and groups to exert greater control over their data.
- Demonstrate accountability and proactivity in risk management.
Health information managers can provide guidance when using health information and weighing up the ethical considerations.
Research Data
Health information holds immense potential for research that can lead to improved treatments, disease prevention, and better health outcomes for all Australians. Ethical considerations in research data use are guided by the National Statement on Ethical Conduct in Human Research (National Health and Medical Research Council, 2023). This includes obtaining specific informed consent for research participation, ensuring data are de-identified or anonymised where possible, and establishing clear data governance frameworks. The FAIR principles can guide the use of research data: research data should be Findable, Accessible, Interoperable and Reusable.
Marketing
In some situations, healthcare organisations may want to market products or services to patients. Patients must be asked to consent to marketing before any communication occurs, and a patient who opts out must not be sent any further direct marketing. APP 7 restricts the use and disclosure of personal information for direct marketing, and sensitive information such as health information may be used for direct marketing only with the individual's consent (OAIC, 2019e). Because patients can be vulnerable, the ethical considerations of marketing to them should be reviewed before any campaign is launched.
Other Secondary Uses
Secondary use refers to the use of health information for purposes beyond the original reason for collection, as discussed in Part 1. For example, data collected during routine clinical care could be used for quality improvement activities. Research activities must undergo ethical review, whereas quality improvement activities and clinical audits are often exempt from it. In these cases, the organisation should still evaluate and approve the activity to ensure it is ethical and that its benefits justify the risks or burdens to patients (Wade, 2007). Secondary use can also arise from mandatory reporting obligations attached to collected data, even where reporting was not the original purpose of collection.
In consultation with other stakeholders (e.g., legal, clinical governance), health information managers must carefully consider whether secondary use is compatible with the original purpose and whether additional consent is required. De-identification and aggregation techniques can help mitigate privacy risks, as discussed earlier in this chapter; however, a cautious approach is essential. Transparency with individuals about the uses of their health information, as outlined in privacy policies and collection notices, is fundamental to maintaining trust and ethical data practices.
Part 5: Building a Privacy Culture
To fulfil privacy goals and comply with regulatory requirements, healthcare organisations must have a robust privacy culture. Privacy culture refers to the collective attitudes, behaviours, and practices within a healthcare organisation regarding the handling of health information. A strong privacy culture is characterised by:
- Awareness: Health information managers must be aware of privacy risks and best practice. The importance of protecting health information and maintaining secure digital environments must be understood (OAIC, 2024d).
- Responsibility: There should be a shared sense of responsibility for privacy across all levels of the organisation. Healthcare employees take ownership of their role in maintaining privacy and actively contribute to risk mitigation efforts (OAIC, 2019a).
- Training and Education: Continuous training and education programs should be provided to enhance privacy knowledge and skills (NIST, 2024).
- Communication: Open and transparent communication channels must be established for reporting privacy incidents, sharing updates on data breaches, and promoting collaboration among teams (OAIC, 2025b).
- Compliance: Privacy policies, procedures, and regulatory requirements must be adhered to. The consequences of non-compliance must be understood, and privacy practices prioritised (OAIC, 2024a).
- Innovation: A privacy culture should encourage a proactive approach to data protection rather than a reactive one, adopting a privacy by design approach (OAIC, 2021).
To establish this culture, and the components outlined above, it is essential for health information managers to gain support from employees across the healthcare organisation. This means celebrating successes and reflecting on failures. Plenty of publicised privacy breaches in the industry can be examined in detail without singling out incidents at your own organisation; however, it is also important to examine and reflect on your own incidents from time to time.
As a health information manager, various methods can be used to foster a privacy culture, such as:
- Privacy training and awareness: This can take the form of a training day or an online module, posters in break rooms to raise awareness, and email reminders. The goal of training and awareness initiatives is to encourage culture in a positive way, to enable employees to value privacy in relation to their day-to-day work activities. A Privacy Awareness Week is also a great opportunity to focus on privacy within the organisation and cover different topics each day.
- Privacy and confidentiality clauses: Displaying a privacy and confidentiality clause on screen when a user logs in to a system is another way to reinforce privacy messaging.
- Orientations: Employee orientations can be used to provide information to new starters regarding the organisation’s privacy expectations. It also enables employees to ask any questions they may have.
- Auditing: Privacy audits provide valuable insights into activities occurring at the organisation. If good privacy practices are in place, then this should be recognised and celebrated; however, if processes require improvement, they should be addressed.
- Discussing privacy impact assessments during committee meetings: New projects or initiatives can be reviewed during these meetings, enabling the PIA process to be explained and highlighting the importance of completing one for new projects or initiatives involving the handling of personal information, especially health information.
- Utilising data breaches to enhance privacy awareness within an organisation: Data breaches provide valuable opportunities to discuss privacy processes. Where teams making recurring human errors are identified (e.g., sending emails to the wrong recipients, or not using BCC when emailing a group of patients), this is a valuable opportunity to revisit privacy procedures with them. If the organisation suffers a notifiable data breach, processes should be re-examined to determine how they can be improved, including retention and disposal practices.
- Maturity assessments: Allow healthcare organisations to evaluate how mature their privacy practices are and provide some guidance on additional steps the organisation may require to reach the next maturity level. For example, OAIC (2018b) has a Privacy Management Plan that organisations can use, and NSW Information and Privacy Commissioner offers a privacy self-assessment tool (Information and Privacy Commission, 2023).
Activity
Reflective Question: Can you think of some other activities you could undertake in a healthcare organisation to build a privacy culture?
Conclusion
This chapter explored the critical aspects of health information law, privacy, and ethics in the Australian healthcare context. It began by explaining the different privacy legislation across Australia through the key privacy terms health information managers need to be aware of and the different privacy principles across the different legislation. Privacy in practice and the various tools that support privacy in healthcare organisations were then examined.
The chapter then explored the concept of informed consent, highlighting the requirements for valid consent, including written and verbal methods, and underscoring the need for dynamic consent models to empower patients to gain greater control over their health information.
Finally, the chapter examined the ethical dimensions of managing health information and the responsibilities associated with handling data. This was followed by suggestions for cultivating a privacy culture and the essential knowledge that health information managers require.
References
Aged Care Quality and Safety Commission. (2019). Charter of Aged Care Rights Poster. Commonwealth of Australia. https://www.agedcarequality.gov.au/resource-library/charter-aged-care-rights-poster
Australian Commission on Safety and Quality in Health Care. (2020). Australian Charter of Healthcare Rights. https://www.safetyandquality.gov.au/our-work/partnering-consumers/australian-charter-healthcare-rights
Australian Commission on Safety and Quality in Health Care. (2021). Documentation of information. National Safety and Quality Health Service (NSQHS) Standards. https://www.safetyandquality.gov.au/standards/nsqhs-standards/communicating-safety-standard/documentation-information
Australian Institute of Health and Welfare. (2023). The Five Safes framework. Commonwealth Government of Australia. https://www.aihw.gov.au/about-our-data/data-governance/the-five-safes-framework
Australian Law Reform Commission. (2014). Serious invasions of privacy in the digital era. https://www.alrc.gov.au/publication/serious-invasions-of-privacy-in-the-digital-era-dp-80/2-guiding-principles/principle-1-privacy-is-a-fundamental-value-worthy-of-legal-protection/
Cavoukian, A. (2011). Privacy by Design – The 7 Foundational Principles, 2011. Ontario: Information and Privacy Commissioner of Ontario. https://privacy.ucsc.edu/resources/privacy-by-design—foundational-principles.pdf
Caxton Legal Centre. (2023). Confidentiality and Privacy of Medical Records. https://queenslandlawhandbook.org.au/the-queensland-law-handbook/health-and-wellbeing/medical-law/confidentiality-and-privacy-of-medical-records/
Department of Home Affairs. (2024). MediSecure cyber security incident. Australian Government. https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/cyber-coordinator/medisecure-cyber-security-incident
Goncharov, L., Suominen, H., & Cook, M. (2022). Dynamic consent and personalised medicine. The Medical Journal of Australia, 216(11), 547. https://doi.org/10.5694/mja2.51555
Health Records and Information Privacy Act 2002. New South Wales. https://legislation.nsw.gov.au/view/html/inforce/current/act-2002-071#sch.1-sec.5
Information and Privacy Commission. (2019). Guidance: Transborder Disclosure Principle – section 19(2). Information and Privacy Commission (New South Wales). https://www.ipc.nsw.gov.au/guidance-transborder-disclosure-principle-section-192
Information and Privacy Commission. (2023). Information Governance Agency Self-assessment Tools. Information and Privacy Commission (New South Wales). https://www.ipc.nsw.gov.au/information-governance-agency-self-assessment-tools-information
Latitude. (2023). Latitude Cyber Response https://www.latitudefinancial.com.au/latitude-cyber-incident/
myGov. (2025). Your My Health Record. Australian Government. https://my.gov.au/en/services/health-and-disability/seeking-medical-help/accessing-your-medical-information/your-my-health-record
Nass, S. J., Levit, L. A., & Gostin, L. O. (2009). The value and importance of health information privacy. In Beyond the HIPAA privacy rule: enhancing privacy, improving health through research. National Academies Press (US). https://www.ncbi.nlm.nih.gov/books/NBK9579/
National Health and Medical Research Council, Australian Research Council, & Universities Australia. (2023). National Statement on Ethical Conduct in Human Research. Commonwealth of Australia. https://nla.gov.au/nla.obj-3260080025/view
Privacy and Personal Information Protection Act 1998 (NSW). https://legislation.nsw.gov.au/view/whole/html/inforce/current/act-1998-133
NIST. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST Cybersecurity White Paper CSWP 29). National Institute of Standards and Technology. https://www.nist.gov/cyberframework
O’Keefe, C. M., Otorepec, S., Elliot, M., Mackey, E., & O’Hara, K. (2017). A framework for data de-identification. CSIRO Data61. https://doi.org/10.4225/08/59c169433efd4
OAIC. (2018a). De-identification and the Privacy Act. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/de-identification-and-the-privacy-act
OAIC. (2018b). Interactive PMP Explained. Office of the Australian Information Commissioner. https://www.oaic.gov.au/__data/assets/pdf_file/0005/1301/interactive-pmp-explained.pdf
OAIC. (2019a). Chapter 1: APP 1 Open and transparent management of personal information. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-1-app-1-open-and-transparent-management-of-personal-information
OAIC. (2019b). Chapter 3: APP 3 Collection of solicited personal information. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-3-app-3-collection-of-solicited-personal-information
OAIC. (2019c). Chapter 5: APP 5 Notification of the collection of personal information. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-5-app-5-notification-of-the-collection-of-personal-information
OAIC. (2019d). Chapter 6: APP 6 Use or disclosure of personal information. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-6-app-6-use-or-disclosure-of-personal-information
OAIC. (2019e). Chapter 7: APP 7 Direct marketing. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-7-app-7-direct-marketing
OAIC. (2019f). Chapter 8: APP 8 Cross-border disclosure of personal information. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information
OAIC. (2019g). Chapter 11: APP 11 Security of personal information. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information
OAIC. (2019h). Chapter 12: APP 12 Access to personal information. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-12-app-12-access-to-personal-information
OAIC. (2019i). Guide to Health Privacy. Office of the Australian Information Commissioner. https://www.oaic.gov.au/__data/assets/pdf_file/0011/2090/guide-to-health-privacy.pdf
OAIC. (2021). Privacy by design. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/privacy-by-design
OAIC. (2022). Australian Privacy Principles guidelines, Chapter B: Key concepts. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-b-key-concepts
OAIC. (2024a). Australian Privacy Principles quick reference. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference
OAIC. (2024b). Notifiable Data Breaches Report: January to June 2024. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2024
OAIC. (2024c). What is a privacy policy? Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/what-is-a-privacy-policy
OAIC. (2024d). What is personal information? Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/what-is-personal-information
OAIC. (2024e). What is privacy? Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/what-is-privacy
OAIC. (2025a). Notifiable Data Breaches Report: July to December 2024. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2024
OAIC. (2025b). Part 2: Preparing a data breach response plan. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response/part-2-preparing-a-data-breach-response-plan
OAIC. (2025c). When to report a data breach. Office of the Australian Information Commissioner. https://www.oaic.gov.au/privacy/notifiable-data-breaches/when-to-report-a-data-breach
OECD. (2021). OECD Good Practice Principles for Data Ethics in the Public Sector (OECD Public Governance Policy Papers, No. 57). https://doi.org/10.1787/caa35b76-en
Optus. (2022). Optus notifies customers of cyberattack compromising customer information. https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack
OVIC. (2019). Collection Notices. Office of the Victorian Information Commissioner. https://ovic.vic.gov.au/privacy/resources-for-organisations/collection-notices/
OVIC. (2021). Information Privacy Principles. Office of the Victorian Information Commissioner. https://ovic.vic.gov.au/privacy/resources-for-organisations/information-privacy-principles-full-text/#principle-4data-security
Privacy Act 1988 (Cth). https://www.legislation.gov.au/C2004A03712/latest/text
Information Privacy Act 2009 (Qld). https://www.legislation.qld.gov.au/view/html/inforce/current/act-2009-014
Taylor, J. (2022). Medibank hackers announce ‘case closed’ and dump huge data file on dark web. The Guardian. https://www.theguardian.com/australia-news/2022/dec/01/medibank-hackers-announce-case-closed-and-dump-huge-data-file-on-dark-web
Wade, D. (2007). Ethics of collecting and using healthcare data. BMJ, 334, 1330–1331.
Privacy and Responsible Information Sharing Bill 2024 (WA). https://www.legislation.wa.gov.au/legislation/statutes.nsf/law_a147470.html&view=consolidated