Security/storage of health information

PRINT AS PDF

In Australia, all private health service providers and Commonwealth government entities are subject to the Privacy Act 1988. Under Australian Privacy Principle 11.1 these entities are required to take “such steps as are reasonable in the circumstances to protect the information from misuse, interreference, loss and from unauthorized access, modification or disclosure.”  State and territory government health service providers are subject to applicable privacy legislation of each state or territory. 

Health services should have in place:

  • Procedures to give access to the information only to those people who are authorised to have access;
  • Security measures to prevent unauthorised access to the records;
  • Where practicable, procedures for storing the information in a way that the identity of the person is not readily apparent from the face of the record, for example by the use of identification codes; and
  • Where the record is not to be retained, secure procedures for destroying the records.

Electronic records pose particular challenges. Electronic record systems pose increased risks for access by unauthorised staff and 'browsing' and data leakage. Medical practices must address the security of data storage/transfer systems, including the risks posed by staff who may intentionally or inadvertently access electronic records for reasons unrelated to the provision of health care.

Legislation

National

Privacy Act 1988 – APP11

State-based

ACT

Health Records (Privacy and Access) Act 1997 – Principle 4.1

NSW

Health Records and Information Privacy Act 2002 – HPP 5

NT

Information Act 2002 – Principle 4 (Public Sector Only)

QLD

Information Privacy Act – IPP 4 (Public Sector Only)

SA

Cabinet Administrative Instruction (IPPS) – Part II (4)

TAS

Personal Information Protection Act 2004 - PIPP 4 (Public Sector only)

VIC

Health Records Act 2001 – HPP 4

WA

No comprehensive legislation to deal with storage of personal information by agencies

 

 

 

 

Page last updated October 2022