Australian Privacy Act and Health Data
Australia’s health data privacy framework is layered: the Commonwealth Privacy Act 1988 sets the national baseline through the Australian Privacy Principles; state and territory health records laws overlay it in some jurisdictions; and the My Health Records Act 2012 adds a specific regime for the national shared health record. For health IT builders, all three may apply simultaneously depending on where the system operates and what data it handles.
This page is a technical reference, not legal advice.
For the technical standards layer — ADHA, AU Base FHIR profiles, healthcare identifiers, and My Health Record API access — see Australian Digital Health Standards.
Privacy Act 1988 and the APPs
The Privacy Act 1988 (Cth) governs how personal information — including health information — is collected, used, disclosed, and stored. The Australian Privacy Principles (APPs) are the operational rules. There are 13 APPs; the ones that drive most engineering decisions:
APP 3 — Collection of solicited personal information
Only collect personal information that is reasonably necessary for the organisation’s functions or activities. For health service providers, this means collecting only the health information needed to provide the specific service. Systems should not collect a patient’s full medical history when only appointment scheduling information is required.
Engineering implication: Design data collection at the point of ingestion to enforce scope. FHIR search queries should be scoped to the minimum necessary data elements; avoid $everything calls when a targeted query will do.
APP 6 — Use or disclosure of personal information
Health information collected for one purpose cannot generally be used for a secondary purpose unless the patient consents, the secondary use is directly related to the primary purpose, or a legal exception applies. Research uses require de-identification or specific consent.
Engineering implication: Log the purpose of access at the point of query. Systems that re-use health data for analytics, product improvement, or AI training without a lawful basis violate APP 6. Purpose limitation must be enforced technically, not just by policy.
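As an added example (not code from this page or from any Australian regulator), the APP 3 and APP 6 implications above combined in one access gate: every query records its declared purpose, is refused unless one of the lawful bases named in the APP 6 summary applies, and is refused when it pulls a whole record via $everything. The DIRECTLY_RELATED table and the purpose names are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Secondary purposes treated as "directly related" to a primary collection purpose.
# Constructed for this example; a real system would derive this from its own privacy assessment.
DIRECTLY_RELATED = {
    "treatment": {"care_coordination", "referral"},
    "appointment_scheduling": {"appointment_reminder"},
}

@dataclass
class AccessRequest:
    user: str
    patient_id: str
    collected_for: str                 # primary purpose recorded at collection time
    purpose: str                       # purpose declared for this query
    fhir_query: str                    # e.g. "Patient/p1" or "Patient/p1/$everything"
    consent: set = field(default_factory=set)   # secondary purposes the patient consented to
    legal_exception: Optional[str] = None       # e.g. a mandatory reporting obligation

audit_log: list = []   # one entry per query, recording purpose and outcome (APP 6)

def lawful_basis(req: AccessRequest) -> Optional[str]:
    """Return the APP 6 basis permitting this use, or None when there is none."""
    if req.purpose == req.collected_for:
        return "primary_purpose"
    if req.purpose in DIRECTLY_RELATED.get(req.collected_for, set()):
        return "directly_related"
    if req.purpose in req.consent:
        return "consent"
    if req.legal_exception:
        return "legal_exception:" + req.legal_exception
    return None

def minimum_necessary(fhir_query: str) -> bool:
    """APP 3 scope check: refuse whole-record $everything pulls."""
    return "$everything" not in fhir_query

def authorise(req: AccessRequest) -> dict:
    """Decide the request and log purpose and outcome before any data flows."""
    basis = lawful_basis(req)
    scoped = minimum_necessary(req.fhir_query)
    decision = "allow" if basis and scoped else "deny"
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": req.user,
             "patient": req.patient_id, "purpose": req.purpose, "query": req.fhir_query,
             "basis": basis, "scoped": scoped, "decision": decision}
    audit_log.append(entry)
    return entry
```

A denied request is still logged, so the audit trail shows attempted secondary uses, which is what an APP 6 review or an NDB assessment needs.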
APP 11 — Security of personal information
Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. “Reasonable steps” for health data means encryption at rest and in transit, role-based access control, audit logging, and documented incident response.
Engineering implication: There is no prescribed standard equivalent to HIPAA’s Security Rule, but “reasonable” in the health data context means encryption is expected, not optional. OAIC enforcement decisions have found organisations in breach for transmitting health data unencrypted.
APP 12 — Access to personal information
Individuals have the right to access their health information held by an organisation. Health service providers must respond to access requests; systemic obstacles to access (technical or administrative) can constitute a breach. The My Health Record system provides one mechanism for this; individual provider systems must independently support access requests.
Who is covered
The Privacy Act applies to:
- Australian Government agencies
- Organisations with annual turnover > $3M
- All health service providers, regardless of turnover
The last category is the critical one. The small business exemption (turnover < $3M) does not apply to health service providers. A small GP practice or allied health provider is fully subject to the Privacy Act and APPs. Any vendor providing software to those organisations needs to understand that its customers are covered entities.
State and territory health records laws
Several states and territories have their own health records legislation that overlaps with the Commonwealth Privacy Act:
| Jurisdiction | Act |
|---|---|
| New South Wales | Health Records and Information Privacy Act 2002 (HRIPA) |
| Victoria | Health Records Act 2001 (HRA) |
| Australian Capital Territory | Health Records (Privacy and Access) Act 1997 |
These state laws impose their own Health Privacy Principles (HPPs) which are broadly similar to the APPs but with differences in scope, individual rights, and enforcement. When a state law applies alongside the Privacy Act, organisations must comply with both. Generally, the stricter obligation prevails.
Practical implication: A system deployed across multiple Australian jurisdictions may be subject to up to three overlapping legal frameworks for health data. State laws tend to apply to private sector health service providers in those states; the Commonwealth Act applies to all covered organisations nationally. This is not unusual for Australian health IT — large healthcare organisations routinely maintain compliance under multiple regimes.
My Health Records Act 2012
The My Health Record (MHR) system is Australia’s national opt-out shared electronic health record. The My Health Records Act 2012 (Cth) is the specific legislation governing it, sitting alongside the Privacy Act.
The opt-out model
All Australians are registered in MHR by default unless they opt out. As of 2023, the opt-out rate is low (around 3%). This means the vast majority of adult Australians have a My Health Record, and health systems exchanging clinical information nationally are expected to use it where clinically appropriate.
What MHR contains
MHR is a document store, not a clinical record. Documents are uploaded by providers and can be retrieved by other authorised providers. Typical document types:
- Shared Health Summary (allergies, medications, conditions, immunisations)
- Event Summaries (significant clinical events)
- Discharge Summaries
- Specialist Letters
- Pathology Reports and Diagnostic Imaging Reports
- Prescription and Dispense Records (from electronic prescribing)
- Consumer-uploaded documents
The system is moving from CDA-based document exchange toward FHIR, but CDA document formats remain dominant in production.
Permitted purposes for access
Only authorised healthcare provider organisations may access MHR for treatment purposes. Access for research or secondary use requires specific authorisation. The Act defines criminal penalties for unauthorised access — this is a more punitive regime than the general Privacy Act.
ADHA as System Operator
The Australian Digital Health Agency (ADHA) is the System Operator of MHR under the Act, responsible for the national infrastructure and for overseeing access and governance.
Notifiable Data Breaches (NDB) scheme
The NDB scheme (Part IIIC of the Privacy Act, in force since February 2018) requires notification when a data breach is likely to result in serious harm to affected individuals.
Eligible data breach
An eligible data breach is: unauthorised access, disclosure, or loss of personal information, where a reasonable person would conclude that the affected individuals are likely to experience serious harm.
For health data, the bar for “likely to result in serious harm” is interpreted broadly. A breach exposing identifiable health information typically meets the threshold because of the potential for discrimination, insurance consequences, or reputational harm.
Notification obligations
When an eligible data breach occurs:
- Assess the breach within 30 days of becoming aware
- Notify the OAIC if the breach is eligible
- Notify affected individuals (or publish a statement on your website if direct notification is not practical)
Notification must include: the identity and contact details of the organisation, a description of the breach, the kinds of information involved, and what steps individuals should take in response.
Penalties under the Privacy Act
The Privacy and Other Legislation Amendment Act 2024 significantly increased penalties. Serious or repeated interferences with privacy:
| Penalty tier | Amount |
|---|---|
| Individuals | Up to $2.5M |
| Bodies corporate | Up to $50M, or 3× the benefit obtained, or 30% of adjusted turnover in the period |
Health data breaches that are not notified, or that result from inadequate security without reasonable justification, are the most common basis for serious penalty proceedings.
Privacy Act reform
The Privacy and Other Legislation Amendment Act 2024 introduced reforms following the 2022–2023 Privacy Act Review. Key changes relevant to health IT:
- New civil penalty provisions for serious interference with privacy (effective when proclaimed)
- Statutory tort for serious invasions of privacy (phased implementation)
- Automated decision-making transparency — organisations must disclose use of personal information in automated decisions with significant effects
- Children’s Online Privacy Code — binding code for online services likely accessed by children
Further reforms are expected in subsequent legislation. The direction is toward higher penalties, stronger individual rights, and more prescriptive obligations — broadly aligning with GDPR-style requirements.
Comparison with HIPAA and UK GDPR
| Dimension | Privacy Act 1988 (AU) | UK GDPR | HIPAA (US) |
|---|---|---|---|
| Who is covered | APP entities; all health service providers | Any org processing UK residents’ health data | Covered entities + business associates |
| Legal model | APP entity obligations | Controller / processor | Covered entity / BA |
| Individual rights | Access, correction | Access, erasure, portability, objection | Access, amendment |
| Breach notification | 30-day assessment, then notify OAIC + individuals | 72h to ICO | 60 days to HHS |
| Penalties | Up to $50M per serious breach | Up to £17.5m / 4% global turnover | Up to $1.9m per category per year |
| Secondary use | Purpose limitation (APP 6) | Purpose limitation (UK GDPR principle) | Permitted purpose categories |
See also
- Australian Digital Health Standards — ADHA, AU Base FHIR, My Health Record API, healthcare identifiers
- UK GDPR and Health Data — UK equivalent framework
- HIPAA — US equivalent framework