Why this matters for your practice
Personal information is the trigger concept for the entire privacy regime. The Australian Privacy Principles, the Notifiable Data Breaches scheme, and your obligations to have a privacy policy and collection notices all switch on the moment you hold personal information. For a medical practice, that is from the first appointment booking, because almost everything you record about a patient is personal information, and almost everything clinical is the more sensitive category of health information.
Getting the definition right matters because practices routinely underestimate how much of what they hold is regulated.
What counts as personal information
Personal information is broad. It includes a patient's name, address, phone number, email, date of birth, and Medicare number, but also appointment records, billing records, and even an opinion recorded about a person. Three points catch practices out:
- It does not have to be true to be personal information.
- It does not have to be recorded in a material form. An opinion held about a patient counts, whether or not it has been written down.
- The test is whether the individual is reasonably identifiable, not whether they are named. A record with no name can still identify someone in context.
Genuinely de-identified information, where re-identification is not reasonably possible, falls outside the definition. De-identification is harder than it looks, especially with clinical data.
Health information: the sensitive subset
Health information is a type of sensitive information, the most protected category under the Privacy Act. It generally cannot be collected without consent, and it attracts the strongest handling and security obligations. Critically, the small-business exemption that releases many businesses with under $3 million annual turnover from the Privacy Act does not apply to organisations that provide a health service and hold health information. Every Australian medical and allied health practice is covered, whatever its turnover.
What this means for your obligations
Because you hold personal and health information, the Australian Privacy Principles apply, the Notifiable Data Breaches scheme applies, and you must have a compliant privacy policy, collection notices, secure storage, and access and correction processes.
Common mistakes
- Assuming only clinical notes are regulated. Contact and billing details are personal information too.
- Relying on weak de-identification. Stripping a name rarely makes clinical data anonymous.
- Forgetting opinions and metadata count. A recorded view about a patient is personal information.
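The claim above that stripping a name rarely makes clinical data anonymous, and the earlier point that de-identification is harder than it looks, can be checked rather than taken on trust. The following is an added example written for this page, not code from the page's author or from any regulator. It uses a small set of constructed, fictional records (no real patients) and a constructed external list standing in for any public source that pairs names with postcode, date of birth and sex. It measures k-anonymity over those quasi-identifiers (the size of the smallest group of records sharing the same values), counts records that are unique on them, and then shows a linkage attack that recovers diagnoses for the unique ones. The generalisation rule (postcode prefix, decade of birth) is a hypothetical illustration, and the k-anonymity figure is a measurement of re-identification risk, not a legal threshold; the Act asks whether re-identification is reasonably possible, which this code informs but does not decide.

```python
from collections import Counter, defaultdict

# Constructed sample records (fictional, for illustration only). Names have
# already been stripped; postcode, date of birth and sex remain.
RECORDS = [
    {"postcode": "3000", "dob": "1984-03-12", "sex": "F", "diagnosis": "asthma"},
    {"postcode": "3000", "dob": "1984-03-12", "sex": "F", "diagnosis": "hypertension"},
    {"postcode": "3051", "dob": "1986-11-02", "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "3053", "dob": "1981-06-30", "sex": "M", "diagnosis": "depression"},
    {"postcode": "3121", "dob": "1965-01-15", "sex": "F", "diagnosis": "osteoarthritis"},
    {"postcode": "3124", "dob": "1968-09-21", "sex": "F", "diagnosis": "migraine"},
    {"postcode": "3182", "dob": "2001-12-05", "sex": "M", "diagnosis": "eczema"},
    {"postcode": "3185", "dob": "2004-04-19", "sex": "M", "diagnosis": "atrial fibrillation"},
]

# Constructed external list (fictional) of the kind an attacker might hold:
# names with the same three attributes, e.g. from a club membership list.
EXTERNAL = [
    {"name": "Alex Ng", "postcode": "3051", "dob": "1986-11-02", "sex": "M"},
    {"name": "Priya Rao", "postcode": "3121", "dob": "1965-01-15", "sex": "F"},
    {"name": "Jo Smith", "postcode": "3000", "dob": "1984-03-12", "sex": "F"},
    {"name": "Sam Lee", "postcode": "3999", "dob": "1970-01-01", "sex": "M"},
]

# Attributes that are not names but, in combination, single people out.
QUASI_IDENTIFIERS = ("postcode", "dob", "sex")


def qi_key(record, keys=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values for one record."""
    return tuple(record[k] for k in keys)


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """How many records share each combination of quasi-identifier values."""
    return Counter(qi_key(r, keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest group of indistinguishable records (k=1 means
    at least one record is unique on its quasi-identifiers)."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def count_unique(records, keys=QUASI_IDENTIFIERS):
    """Number of records that nobody else in the dataset shares values with."""
    classes = equivalence_classes(records, keys)
    return sum(1 for r in records if classes[qi_key(r, keys)] == 1)


def generalise(record):
    """Hypothetical coarsening rule: keep only the first two postcode digits
    and the decade of birth. Works on clinical and external records alike."""
    return {
        **record,
        "postcode": record["postcode"][:2] + "xx",
        "dob": record["dob"][:3] + "0s",
    }


def link(clinical, external, keys=QUASI_IDENTIFIERS):
    """Linkage attack: join the external list to the clinical records on the
    quasi-identifiers. A name is treated as re-identified only when exactly
    one clinical record matches; ambiguous matches are not counted."""
    by_key = defaultdict(list)
    for r in clinical:
        by_key[qi_key(r, keys)].append(r)
    identified = {}
    for person in external:
        matches = by_key.get(qi_key(person, keys), [])
        if len(matches) == 1:
            identified[person["name"]] = matches[0]["diagnosis"]
    return identified


if __name__ == "__main__":
    print("name-stripped records: k =", k_anonymity(RECORDS),
          "unique =", count_unique(RECORDS), "of", len(RECORDS))
    print("re-identified:", link(RECORDS, EXTERNAL))
    coarse = [generalise(r) for r in RECORDS]
    print("generalised records:   k =", k_anonymity(coarse),
          "unique =", count_unique(coarse), "of", len(coarse))
    print("re-identified:", link(coarse, [generalise(p) for p in EXTERNAL]))
```

On the constructed data, removing names leaves six of eight records unique on postcode, date of birth and sex, and two of them are re-identified outright by the join; only after coarsening those fields does every record share its values with at least one other and the join stop yielding names. Real clinical datasets carry far more quasi-identifiers (dates of attendance, rare conditions, practitioner, free text), so the honest answer to "is this de-identified?" usually requires this kind of measurement on the actual data rather than a judgement that the name column is gone.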
Frequently Asked Questions
What is personal information under the Privacy Act?
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. It covers names, contact details, Medicare numbers, appointment and billing records, and recorded opinions, whether or not the information is true or written down.
Is health information personal information?
Yes. Health information is a subset of personal information and is also classed as sensitive information, the most protected category. It generally cannot be collected without consent and attracts the strongest security and handling obligations under the Privacy Act.
Does the Privacy Act apply to small medical practices?
Yes. The small-business exemption does not apply to organisations that provide a health service and hold health information, so every Australian medical and allied health practice is bound by the Privacy Act and the Australian Privacy Principles regardless of turnover.