What privacy and cyber security compliance covers
A medical practice holds some of the most sensitive information there is. That makes it both a high-value target and a heavily regulated custodian. Privacy compliance governs how you handle that information lawfully; cyber security is how you keep it from being stolen or held to ransom. They are two halves of the same duty, because a privacy breach is usually a security failure, and the law increasingly treats them together.
The obligations come from several places at once: the Privacy Act and its Australian Privacy Principles, the Notifiable Data Breach scheme, the My Health Records Act, the Cyber Security Act 2024, and state health-records laws. This pillar pulls them into one map.
The framework at a glance
| Element | What it governs |
|---|---|
| Privacy Act and APPs | How personal and health information is collected, used, disclosed, and secured. |
| Health information | The sensitive subset of personal information that practices mostly hold. |
| NDB scheme | When a data breach must be notified to the OAIC and affected individuals. |
| My Health Record | Access controls and the sharing-by-default upload duties. |
| Essential Eight | The baseline technical controls that prevent most breaches. |
| Cyber Security Act 2024 | New duties including ransomware-payment reporting. |
| Privacy tort | The new right for individuals to sue for serious invasions of privacy. |
The Privacy Act and the Australian Privacy Principles
The Australian Privacy Principles are the thirteen rules in the Privacy Act that govern the whole life cycle of personal information, from collection through to disposal. For a practice, the information at stake is mostly health information, which is a sensitive category attracting the strongest protections: you generally need the patient's consent to collect it, you can only use or disclose it for the purpose it was collected for (or a directly related secondary purpose the patient would reasonably expect), and you must take reasonable steps to keep it secure.
Most everyday privacy compliance is about getting four things right: a clear privacy policy and collection notice, consent that is genuine, use and disclosure that stays within purpose, and security that matches the sensitivity of the data.
The Notifiable Data Breach scheme
When personal information is lost, accessed, or disclosed without authorisation, the Notifiable Data Breach scheme decides whether you must tell anyone. The test is serious harm: if a breach is likely to result in serious harm to an individual and you cannot prevent that harm through remedial action, you must notify the OAIC and the affected individuals. A suspected eligible breach must be assessed within 30 days of your becoming aware of it, so the decision cannot wait.
A written data breach response plan is what makes the difference on the day, because the clock starts the moment you become aware.
In-depth guide: Healthcare Data Breach Obligations Australia (2026 NDB Guide)
My Health Record obligations
My Health Record carries its own duties on top of the Privacy Act: access controls so only authorised staff view records, staff training, and emergency-access procedures. From 1 July 2026, sharing by default extends the upload mandate to pathology and imaging, with a defined set of exceptions and a penalty regime.
In-depth guide: My Health Record Sharing by Default: What Changes on 1 July 2026
Cyber security: the Essential Eight
Most breaches are preventable with a small set of controls. The Essential Eight is the Australian Signals Directorate's baseline of eight mitigation strategies: application control, patching applications, patching operating systems, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, multi-factor authentication, and regular backups (which only count if restoration has been tested). The RACGP information security guidance maps onto the same controls, and accreditation expects to see them.
In-depth guide: Cybersecurity Compliance Checklist for Australian GP Practices
Ransomware and the 72-hour report
Ransomware is the threat the Essential Eight is largely designed to stop. If prevention fails, the Cyber Security Act 2024 adds a reporting duty: certain entities that make a ransomware or cyber-extortion payment must report it to the government within 72 hours of making the payment, or of becoming aware that a payment has been made on their behalf. This ransomware payment reporting obligation sits alongside, not instead of, the NDB scheme: the payment report does not notify the OAIC or the affected patients about the breach itself.
In-depth guide: Ransomware Reporting: 72-Hour Cyber Security Act Deadline for Healthcare
AI, automated decisions, and privacy
AI tools raise live privacy questions: ambient AI scribes record consultations, diagnostic tools process health data, and general-purpose tools like ChatGPT can send patient information to servers offshore, which is a cross-border disclosure governed by APP 8. From 10 December 2026, a separate duty requires your privacy policy to disclose the kinds of decisions made using automated decision-making that could significantly affect individuals. Treat any new AI tool as a privacy decision, not just an IT one.
In-depth guide: AI Privacy for Healthcare: 2026 OAIC Compliance Guide
When patients can sue: the privacy tort
Compliance is no longer only about the regulator. A statutory tort for serious invasions of privacy now lets individuals sue directly, which means a privacy failure can become litigation rather than just an OAIC matter. The tort requires the invasion to be intentional or reckless, and serious, so a merely negligent failure is not enough on its own, but a staff member deliberately browsing a patient's record without a clinical reason is the kind of conduct it is aimed at.
In-depth guide: Australia's New Privacy Tort: What Healthcare Practices Need to Know
Common mistakes
- Collecting health information without a clear collection notice or genuine consent.
- Using or disclosing information beyond the purpose it was collected for.
- Having no written breach response plan, so the assessment clock is lost in the panic.
- Skipping the Essential Eight basics, especially multi-factor authentication and tested backups.
- Adopting an AI tool without a privacy assessment, particularly where data goes offshore.
Frequently asked questions
What counts as health information under the Privacy Act?
Health information is information or an opinion about a person's health, disability, or the health services they have received, and any personal information collected in the course of providing a health service, including the clinical records a practice holds. It is a subset of sensitive information and attracts the strongest protections under the Australian Privacy Principles.
When do we have to report a data breach?
You must notify the OAIC and affected individuals when a data breach is likely to result in serious harm to an individual and you cannot prevent that harm through remedial action. You must assess a suspected eligible breach within 30 days of becoming aware of it, so the response plan should start the moment you become aware.
Is the Essential Eight mandatory for GP practices?
The Essential Eight is a baseline framework rather than a single legal mandate, but the controls map onto RACGP information security expectations and onto the Privacy Act duty to secure data. In practice, an accredited practice is expected to implement the core controls, especially multi-factor authentication and backups.
Do we have to report a ransomware payment?
Under the Cyber Security Act 2024, certain entities that make a ransomware or cyber-extortion payment must report it to the government within 72 hours. This is separate from the Notifiable Data Breach scheme, which deals with notifying the OAIC and affected individuals about the breach itself.
Can patients sue our practice for a privacy breach?
Yes. A statutory tort for serious invasions of privacy now allows individuals to bring a claim directly, in addition to any action by the OAIC, where the invasion was intentional or reckless and serious. That makes a privacy failure a potential litigation risk, not only a regulatory one.