Patient Data Collection Notice Template — APP 5

Short, plain-English notice given to patients at the point of collection in line with APP 5. Covers identity, purpose, consequences of not providing information, recipients of disclosure, overseas storage, access and correction rights, and complaints. Designed for registration forms, online booking, patient portal sign-up and telehealth intake.

Privacy Act 1988 · Australian Privacy Principles · 5 pages, Word format

What's in this template?

This Patient Data Collection Notice template gives Australian healthcare practices the short, plain-English notice required by Australian Privacy Principle 5 at the point of collection. It is built directly from the structure of the OAIC's APP Guidelines (Chapter 5) and the OAIC Guide to Health Privacy, then tailored for medical and allied health settings.

The template includes:

  1. Patient-facing notice (one page) — the version you place on registration forms, online intake, telehealth booking and the patient portal
  2. Acknowledgement section — patient signature block
  3. APP 5 compliance map — internal reference showing how the notice covers every APP 5 matter
  4. Where to display the notice — registration forms (paper and electronic), online booking, patient portal, telehealth intake, reception poster, welcome email
  5. Updating the notice — triggers and review cadence
  6. Approval and review — formal sign-off

Editable placeholder fields

  • {{practice_name}}, {{abn}}, {{practice_address}}, {{phone}}, {{email}}
  • {{privacy_officer}} and {{privacy_officer_email}} — your nominated Privacy Officer
  • {{data_storage_locations}} — where your clinical software stores data
  • {{overseas_countries}} — any countries to which information may flow
  • {{website_url}} — link to your full Privacy Policy
  • {{review_date}}, {{next_review_date}}

What is an APP 5 collection notice?

APP 5 requires APP entities to take reasonable steps, at or before the time personal information is collected (or as soon as practicable afterwards), to make individuals aware of:

  • Who is collecting the information and how to contact them
  • The fact and circumstances of collection (especially where the individual may not be aware)
  • Whether collection is required or authorised by law
  • The purposes of collection
  • The main consequences if information is not provided
  • The types of organisations to which information is usually disclosed
  • That the Privacy Policy contains information about access, correction and complaints
  • Whether information is likely to be disclosed overseas, and if so, to which countries

The collection notice is a separate document from the patient-facing Privacy Policy. The Privacy Policy is the comprehensive statement (APP 1.3); the collection notice is the short, point-of-collection notification (APP 5).

Who needs a collection notice?

Every Australian healthcare practice that collects personal information from patients. That includes:

  • General practices at registration, online booking and telehealth intake
  • Specialist medical practices at first consultation
  • Allied health practices (physiotherapy, podiatry, psychology, optometry, dental)
  • NDIS providers at participant onboarding
  • Pharmacies when collecting patient details for prescriptions
  • Pathology and diagnostic imaging at referral
  • Hospitals and day surgeries at admission

Practices using online intake, kiosks or QR-code registration forms have an additional obligation to ensure the notice is visible before the patient submits their information — the OAIC has flagged this in its recent enforcement focus.

APP 5 at a glance

The OAIC says "reasonable steps" depends on the sensitivity of the information, the practical implications, and the possible adverse consequences. For health information collected from patients, the OAIC's expectation is high — the notice should be:

  • Clear — plain English, readable in 2 minutes
  • Visible — at the point of collection, not buried in a lengthy Privacy Policy
  • Specific — naming actual third parties and overseas countries, not generic categories
  • Complete — covering every APP 5 matter, even where briefly

Privacy Act requirement

Failure to provide an APP 5 notice is a breach of the Privacy Act and a common subject of OAIC complaints. Penalties for serious or repeated breaches can reach $50 million after the 2022 amendments. Accreditors also look for the collection notice as evidence of APP 5 compliance — RACGP Criterion C6.3 explicitly references collection statements.

How to customise this template

  1. Download the Word document and replace every {{placeholder}} with your details
  2. Confirm your data storage locations — your clinical software vendor will tell you which Australian or overseas data centres host your data
  3. List specific overseas countries if any of your processors operate offshore (US, EU, NZ are common)
  4. Place the notice on:
    • Paper registration forms (print on the back or as page 1)
    • Online booking flow (confirmation step)
    • Patient portal sign-up screen
    • Telehealth intake (pre-consultation acknowledgement)
    • Reception poster (summary version with QR code to the full notice)
    • New-patient welcome email or SMS, with link to the full Privacy Policy
  5. Train reception to point patients to the notice when handing over the registration form
  6. Update whenever a new third-party processor is added or storage locations change
  7. Review at least annually with the Privacy Policy and Privacy Management Plan

Related templates and tools

The collection notice is the patient's first touchpoint with your privacy practices. It should be consistent with:

  • Privacy Policy (full document referenced in the notice)
  • Privacy Management Plan — APP 1.2 governance backbone
  • Patient Access and Correction Procedure — APP 12 and APP 13 process referenced in the notice
  • Data Breach Response Plan — what happens if information collected under this notice is later breached
  • Third-Party Data Sharing Agreement — for any new processors named in the notice

Frequently asked questions

Is an APP 5 collection notice mandatory?

Yes. APP 5 requires all APP entities, including all healthcare providers that hold health information, to take reasonable steps to notify individuals at or before the time of collection of the matters listed in APP 5.2. Failure to provide the notice is a breach of the Privacy Act and one of the most common subjects of OAIC complaints.

How is a collection notice different from a Privacy Policy?

The Privacy Policy is the comprehensive statement required by APP 1.3 — it sets out everything about how the practice handles information. The collection notice is the short, point-of-collection notification required by APP 5 — it is given when information is being collected and links to the Privacy Policy for detail. Most practices need both.

Where do we have to display the notice?

At every point of collection. For most general practices that means the registration form (paper and electronic), the online booking flow, the patient portal sign-up, telehealth intake, and a poster at reception. Practices using QR-code or kiosk registration must ensure the notice is visible before submission.

Do we have to list overseas countries by name?

Yes, if you can identify them. APP 5.2(j) requires notification of overseas disclosure including, if practicable, the countries. For most practices the relevant countries are the host countries of cloud services used by the clinical software, billing service, or AI tools — your software vendor can tell you. The OAIC's view is that "various overseas countries" is not specific enough.

How short should the notice be?

The OAIC says it should be readable in roughly 2 minutes. The template above is around 1 page. Anything longer should be in the Privacy Policy, with the notice linking to it.

Does the patient have to sign the notice?

A signed acknowledgement is best practice but not strictly required by APP 5 — the obligation is on the practice to take reasonable steps to make the patient aware. A signed acknowledgement is the cleanest way to evidence that you did, which is why the template includes one.

Do we need to update the notice when we change software?

Yes. A new clinical software vendor often means new data storage locations, new sub-processors and (sometimes) new overseas disclosures. The collection notice and the Privacy Policy both need to be reviewed before the change goes live. A Privacy Impact Assessment is the usual trigger for both updates.
