What's in this template?
This Third-Party Data Sharing Agreement template gives Australian healthcare practices the contract clauses needed to share personal information with a service provider in compliance with Australian Privacy Principles 6 and 8. It is built directly from the OAIC's APP Guidelines (Chapters 6 and 8) and the Guide to Health Privacy, then tailored for medical and allied health vendor arrangements.
The template covers 16 sections plus execution blocks:
- Parties — Practice and Service Provider details
- Background — context for the data sharing
- Definitions — APPs, personal information, health information, eligible breach, sub-processor
- Information shared — categories, volume, sensitivity, frequency
- Permitted purpose (APP 6) — purpose limitation with prohibition on AI training and secondary use
- Compliance obligations — Privacy Act, MHR Act, state legislation, Practice's policies
- Security (APP 11) — encryption, MFA, logging, certifications, background checks
- Cross-border disclosure (APP 8) — country list, sub-processor controls, indemnity
- Sub-processors — written consent and flow-down obligations
- Data breach notification — 24-hour notification, assistance with NDB notification
- Access, correction and complaints — assistance with APP 12, APP 13 and complaints
- Retention and destruction — return and certified destruction within 60 days of termination
- Audit — annual audit rights, certifications, breach-triggered audit
- Term and termination — material breach, surviving clauses
- Indemnity — Service Provider indemnifies for Privacy Act breaches
- Governing law — state of jurisdiction
- Notices — Privacy Officer contacts on both sides
- Execution — signature blocks
Editable placeholder fields
- {{practice_name}}, {{practice_abn}}, {{practice_address}}
- {{provider_name}}, {{provider_abn}}, {{provider_address}}
- {{service_description}} — what the provider does for you
- {{primary_data_location}}, {{backup_data_location}}, {{support_location}} — for APP 8
- {{certifications_held}} — ISO 27001, IRAP, SOC 2 etc.
- {{governing_state}} — usually the practice's state
- Practice and Provider signatory details
When to use this agreement
Use this agreement whenever your practice shares personal or health information with a third party. Common triggers in general practice and allied health include:
- Clinical software vendors (Best Practice, Medical Director, Genie, Cliniko, Halaxy, etc.)
- Managed Service Providers (MSPs) providing IT support
- Billing services processing Medicare and DVA claims
- AI scribes and transcription services that ingest consultation audio
- Telehealth platforms carrying clinical data
- Patient communication tools (SMS reminders, recall systems, patient portals)
- Research partners receiving de-identified or identified data
- Cloud backup providers
- External pathology and imaging providers in non-standard arrangements
The OAIC's view is that a data sharing arrangement without a written agreement is generally not "reasonable steps" under APP 11 and may breach the cross-border disclosure rules under APP 8 if any data flows offshore.
APP 6 and APP 8 at a glance
APP 6 governs the use and disclosure of personal information. The practice may only disclose information for the primary purpose of collection, or for a directly related secondary purpose the patient would reasonably expect. Disclosing to a vendor for an unrelated purpose (e.g., AI training, marketing analytics) requires consent. The agreement's permitted-purpose clause locks the vendor into the agreed scope.
APP 8 governs cross-border disclosure. Where a practice discloses personal information to an overseas recipient (or to a vendor that holds data offshore), it must take reasonable steps to ensure the overseas recipient does not breach the APPs. Under section 16C of the Privacy Act, the practice can be held responsible for the overseas recipient's breaches — making contractual assurances and indemnities essential.
Privacy Act and AI risk
The 2022 Privacy Act amendments increased penalties for serious or repeated breaches to $50 million. The OAIC has also been explicit about AI risks: vendors that train models on practice data without consent are a growing source of complaints and breaches. This agreement's permitted-purpose clause expressly prohibits use of practice data for AI model training without written consent — which is increasingly a baseline expectation for healthcare vendor contracts.
How to customise this template
- Download the Word document and replace every {{placeholder}} with the relevant details
- Be specific in the permitted purpose — "to provide and support the [X] clinical software" not "for any business purpose"
- Confirm data locations with the vendor — most cloud-based vendors will provide an APP 8 / GDPR data residency statement
- List sub-processors the vendor uses (often visible on the vendor's trust page)
- Confirm certifications — ISO 27001, IRAP, SOC 2 Type II are the common standards
- Have it reviewed by a lawyer for any high-value or unusual arrangement — this template covers the standard privacy clauses, not commercial terms
- Sign two originals, retain one in the contracts file, and reference the agreement in the privacy register
Related templates and tools
This agreement is the contractual layer for any vendor arrangement involving personal information. Use it together with:
- Privacy Impact Assessment Template — completed before signing for any material new arrangement
- Privacy Management Plan — APP 1.2 governance backbone, references all third-party agreements
- Data Breach Response Plan — vendor notifies under section 9 of this agreement
- Patient Access and Correction Procedure — vendor assists under section 11 of this agreement
- Data Retention and Destruction Policy — vendor returns / destroys under section 11
Frequently asked questions
Is a written data sharing agreement mandatory?
The Privacy Act does not expressly require a written agreement, but the OAIC's APP Guidelines treat a written agreement as a "reasonable step" under APP 11 and APP 8. In practice, the OAIC will look for one when investigating a vendor breach, and the absence of an agreement is regularly cited as a failure to take reasonable steps. After the 2022 amendments, the penalties make this a high-risk omission.
What does APP 8 require for overseas data?
APP 8.1 requires the practice to take reasonable steps to ensure that an overseas recipient does not breach the APPs in relation to the information. Section 16C deems the practice responsible for the overseas recipient's breaches. Reasonable steps generally include a written agreement that imposes APP-equivalent obligations and an indemnity — both included in this template.
Does this agreement cover AI scribes?
Yes. AI scribes are a common use case — the agreement's permitted-purpose clause expressly prohibits use of practice data for AI model training without written consent, which is the OAIC's expected baseline for AI vendor contracts. The agreement also imposes APP 11 security, APP 8 cross-border, and breach notification obligations relevant to AI vendors.
Do we need this for our clinical software vendor?
Yes. Clinical software vendors are processors of large volumes of sensitive health information. Most established vendors will already have their own data processing terms, but the practice should compare them to this template and either sign the vendor's terms (if equivalent) or negotiate. The OAIC expects practices to do this comparison and document it.
Who signs the agreement?
The Practice's authorised signatory (typically the practice owner or director) and the Service Provider's authorised signatory. The Privacy Officer should review before signing. Two originals should be signed — one held by each party.
What if our vendor refuses to sign?
If a critical vendor refuses to provide APP-equivalent assurances, the practice should reconsider the arrangement. Options include: switching vendors, escalating to the vendor's privacy team, asking the OAIC's view, or accepting the residual risk and documenting it in the privacy register. The 2022 penalties make the residual-risk option progressively less attractive.
How does this affect our patients?
The agreement is between the practice and the vendor — patients are not parties. The practice's obligations to patients (Privacy Policy, collection notice, access and correction) sit on top of the vendor agreement. Where the vendor causes a breach, the practice typically remains the entity that notifies patients under the NDB scheme, with the vendor providing assistance and (where the agreement is in place) the indemnity.