
Privacy Policies in General Practice Clinics

NewsFlash 10 May 2016

In the lead-up to the Office of the Australian Information Commissioner’s (OAIC) Privacy Awareness Week, the actions of Australia’s peak medical groups to improve the privacy practices of Australia’s General Practice (GP) clinics have been recognised by the Acting Australian Information Commissioner, Mr Timothy Pilgrim.

In April 2016, the OAIC published a report titled ‘General Practice Clinics – APP 1 Privacy Policy Assessment’ outlining the findings of OAIC’s assessment of the privacy policies of 40 GP clinics against Australian Privacy Principle (APP) 1. APP 1 relates to the requirement that entities subject to the Privacy Act 1988, including health service providers, must have a clearly expressed and current privacy policy outlining how they manage personal information.  

The purpose of the OAIC’s assessment, which was conducted from May 2015 to June 2015, was to assist GP clinics to improve and/or enhance their existing privacy policy and to develop GP clinics’ understanding of their obligations under various pieces of privacy legislation, including the Privacy Act 1988, My Health Records Act 2012 and Healthcare Identifiers Act 2010.

The OAIC’s assessment examined the content, layout and availability of GP clinics’ privacy policies. It did not consider how the procedures in the privacy policies were implemented in practice. 

Notable recommendations from the OAIC’s assessment included ensuring that privacy policies are:

  • Made readily available to patients at the GP clinic;
  • Available on the GP clinic’s website if the GP clinic has a web presence;
  • Reviewed to ensure they are clearly expressed and easy to understand;
  • Drafted to include sufficient detail of the personal information that is collected and held by the GP clinic;
  • Drafted to adequately cover the use of the My Health Record system (if the GP clinic utilises the My Health Record system) and inform the patient that the GP clinic may collect, use and disclose their health information for the purposes of the My Health Record system; and
  • Drafted to contain adequate detail regarding the complaint resolution process.

The OAIC’s assessment found that many GP clinics could benefit from greater practical support to improve or establish privacy policies. It was assessed that practical, industry-related support is an effective means of improving privacy outcomes for practices and patients. 

As a consequence of the need for industry-related support, the OAIC approached Australia’s peak medical groups including the Australian Medical Association (AMA), the Royal Australian College of General Practitioners (RACGP), the Australian College of Rural and Remote Medicine (ACRRM) and the Australian Association of Practice Management (AAPM) to help deliver training and practical solutions to assist GP clinics.

The resources made available by these peak medical groups include online handbooks, online training modules and privacy policy templates for general practices. 

In relation to the utilisation of privacy policy templates, the OAIC noted that numerous professional bodies had provided APP 1 privacy policy templates to their members. Following the OAIC’s assessment, the OAIC contacted these bodies to provide feedback with the aim of improving privacy policy templates used by general practitioners.

On 28 April 2016, Mr Pilgrim commended the efforts of the peak medical groups and acknowledged the importance of the collaborative approach taken between them and the OAIC. Mr Pilgrim anticipated that the collaborative approach would improve privacy management for GP clinics and their patients.

The release of the OAIC’s report in the lead-up to Privacy Awareness Week, which commenced on 15 May 2016, provides a timely reminder to all general practitioners of the importance of maintaining privacy policies and understanding their obligations under the privacy legislation.

Dominique Egan, Partner

Patricia Marinovic, Solicitor


