Security/storage of health information


In Australia, all private health service providers and Commonwealth government entities are subject to the Privacy Act 1988. Under Australian Privacy Principle 11.1 these entities are required to take “such steps as are reasonable in the circumstances to protect the information from misuse, interference, loss and from unauthorised access, modification or disclosure.” State and territory government health service providers are subject to the applicable privacy legislation of each state or territory.

Health services should have in place:

  • Procedures to give access to the information only to those people who are authorised to have access;
  • Security measures to prevent unauthorised access to the records;
  • Where practicable, procedures for storing the information in a way that the identity of the person is not readily apparent from the face of the record, for example by the use of identification codes; and
  • Where the record is not to be retained, secure procedures for destroying the records.

Electronic records pose particular challenges. Electronic record systems carry an increased risk of access by unauthorised staff, of 'browsing' of records and of data leakage. Medical practices must address the security of data storage and transfer systems, including the risks posed by staff who may intentionally or inadvertently access electronic records for reasons unrelated to the provision of health care.



Applicable legislation and principles:

  • Privacy Act 1988 – APP 11
  • Health Records (Privacy and Access) Act 1997 – Principle 4.1
  • Health Records and Information Privacy Act 2002 – HPP 5
  • Information Act 2002 – Principle 4 (Public Sector only)
  • Information Privacy Act – IPP 4 (Public Sector only)
  • Cabinet Administrative Instruction (IPPS) – Part II (4)
  • Personal Information Protection Act 2004 – PIPP 4 (Public Sector only)
  • Health Records Act 2001 – HPP 4
  • No comprehensive legislation to deal with storage of personal information by agencies





Page last updated October 2022