RACGP 5th Edition · Criterion C6.4

Computer & Information Security Policy Template for Australian General Practices

Information security policy covering access control, password management, backup procedures, malware protection, mobile device security, and incident response. Based on the RACGP CISS framework.

RACGP CISS Standards · Privacy Act 1988 · Notifiable Data Breaches scheme

This template is available on a paid plan

Subscribe to ClinicComply to download the Computer & Information Security Policy template and access all 15 RACGP-aligned policy templates.


What's in this template?

This computer and information security policy is designed for Australian general practices seeking accreditation under the RACGP Standards for General Practices (5th Edition). It maps directly to Criterion C6.4 — Information security and is aligned with the RACGP Computer and Information Security Standards (CISS) framework.

The template covers 18 sections addressing the full scope of information security in a healthcare setting:

  1. Purpose — establishes the security framework and regulatory context (Privacy Act, NDB scheme, RACGP CISS)
  2. Scope — all IT systems, devices, staff, contractors, and third-party providers
  3. IT Security Governance — IT Security Officer role, IT support provider responsibilities
  4. Access Control — individual user accounts, least privilege principle, admin account restrictions, physical access controls, workstation locking
  5. Password Management — 12-character minimum, complexity requirements, no reuse, multi-factor authentication (MFA) requirements for clinical software, email, cloud, and remote access
  6. Email and Internet Security — phishing awareness, encrypted clinical communication, acceptable use
  7. Malware and Ransomware Protection — endpoint protection, real-time scanning, firewall, USB scanning
  8. Data Backup and Recovery — daily backup schedule, 30-day retention, offsite copy, quarterly test restores
  9. Software Updates and Patching — 14-day patch cycle (48 hours for critical), end-of-life software replacement
  10. Mobile Device and Remote Access — device security requirements, VPN/secure access, lost device protocols, BYOD policy
  11. Network Security — firewall, WPA3 Wi-Fi, guest network isolation, firmware updates
  12. Disposal and Decommissioning of IT Equipment — NIST 800-88 compliant data destruction, certificates of destruction
  13. Information Security Incident Response — contain, report, assess, notify (NDB), remediate, review
  14. Third-Party and Cloud Service Providers — security certification verification, Australian data residency, contractual obligations
  15. Staff Information Security Training — induction orientation, annual refresher, emerging threat alerts
  16. Audit, Monitoring, and Review — annual risk assessment, access reviews, backup test restores, software audits
  17. Related Policies — cross-references to Privacy, Data Breach, Business Continuity, Health Records, Training
  18. Review History — version control and approval record

Editable placeholder fields

The template includes yellow-highlighted {{placeholder}} fields:

  • {{practice_name}}, {{abn}}, {{practice_address}}, {{phone}}, {{email}}
  • {{it_security_officer_name}} — designated IT Security Officer
  • {{it_provider_name}} and {{it_provider_phone}} — IT support provider
  • {{secure_messaging_platform}} — your clinical messaging system (e.g. HealthLink, Argus, Medical Objects)
  • {{antivirus_product_name}} — endpoint protection product
  • {{backup_method}} — your backup approach (e.g. automated cloud, local NAS + offsite)
  • {{backup_provider_name}} — backup service provider
  • {{wifi_password_change_frequency}} — how often you rotate Wi-Fi passwords
  • {{practice_principal_name}} — for approval sign-off
  • {{review_date}} and {{next_review_date}}

RACGP accreditation requirement

Criterion C6.4 of the RACGP Standards for General Practices (5th Edition) requires that:

"The practice has a system for information security"

The RACGP's Computer and Information Security Standards (CISS) provide detailed guidance on what this means in practice. Key requirements include:

  • Access control — individual user accounts with role-appropriate access levels
  • Password management — strong, unique passwords and MFA where supported
  • Data backup — regular, tested backups with offsite storage
  • Malware protection — current antivirus/endpoint protection on all devices
  • Software patching — timely application of security updates
  • Physical security — secured server/equipment areas, screen positioning
  • Incident response — procedures for handling security breaches
  • Staff training — awareness of security obligations and threats
  • Third-party management — security requirements for IT providers and cloud services

This template addresses each CISS domain with practical, implementable controls appropriate for a general practice environment.

Legislation and standards referenced

  • RACGP Standards for General Practices (5th Edition) — Criterion C6.4
  • RACGP Computer and Information Security Standards (CISS) — the primary framework for GP IT security
  • Privacy Act 1988 (Cth) — APP 11 (security of personal information)
  • Notifiable Data Breaches scheme — Part IIIC of the Privacy Act
  • NIST 800-88 — Guidelines for media sanitisation (data destruction)

How to customise this template

  1. Download the Word document and open it in Microsoft Word or Google Docs
  2. Find and replace each yellow-highlighted {{placeholder}} with your practice-specific details
  3. Involve your IT provider — share the template with your IT support provider and have them confirm the technical controls are in place or schedule implementation
  4. Complete Section 14 (Third-Party Providers) — list all IT systems and cloud services your practice uses, along with where data is stored
  5. Decide on your BYOD policy (Section 10) — either specify the conditions under which personal devices may access practice systems, or state that BYOD is not permitted
  6. Set up your monitoring schedule (Section 16) — assign responsibility for access reviews, backup test restores, and software audits
  7. Have the Practice Principal and IT Security Officer review and sign off
  8. Distribute to all staff and include in induction packs

Frequently asked questions

What is the RACGP CISS?

The RACGP Computer and Information Security Standards (CISS) is a framework published by the RACGP that provides practical guidance on information security for general practices. It covers areas including access control, passwords, backup, malware protection, email security, mobile devices, and incident response. CISS compliance supports meeting RACGP Criterion C6.4.

Do I need a dedicated IT Security Officer?

The RACGP recommends designating someone within the practice to be responsible for IT security. This doesn't need to be a full-time IT role — it is typically the Practice Manager, Practice Principal, or a senior staff member who liaises with the IT support provider on security matters.

How often should we test our backups?

This template recommends quarterly test restores — recovering a backup to verify that data can actually be restored. Many practices only discover their backup is corrupted when they need it. Regular test restores give you confidence that your backup is working.

What about telehealth platform security?

Telehealth security is covered in our separate Privacy Policy template (Section 14). For the IT security policy, ensure your telehealth platform is listed in Section 14 (Third-Party Providers) with appropriate security verification.

Can I use this for AGPAL or QPA accreditation?

Yes. Both AGPAL and QPA assess against the RACGP Standards for General Practices (5th Edition). This template is aligned to Criterion C6.4 and the CISS framework, and is suitable for use as accreditation evidence with either accrediting body.

What if we use an outsourced IT provider for everything?

Many general practices outsource IT management. This policy still applies — it defines the practice's expectations and requirements, which the IT provider then implements. Share this policy with your IT provider so they understand what the practice requires. The IT provider should also have their own security standards and can help you complete the technical sections.
