
When patients' families make contact: managing unsolicited information
The scenario
An email arrives from your patient's mother. She tells you her son has been sharing his prescribed ADHD medication with his partner and urges you to stop prescribing because she thinks it’s doing harm. She is adamant that you can’t tell your patient about the email because he has a tendency for violence and "he would never speak to me again”.
How should you proceed?
Why this situation is harder than it looks
At some point in your career, you will receive information about a patient that you didn't ask for. This is referred to as ‘unsolicited information’ under the Privacy Act 1988 (Cth). It might come from a family member, a friend, or another party with a vested interest.
You can receive it verbally or in writing, and it may or may not be relevant to the healthcare you are providing.
Sometimes patients consent to others providing information about them to their healthcare team. This article focuses on a different situation: where information has been provided without the patient’s knowledge or consent, and the party sharing the information asks that it be kept confidential from the patient.
Unsolicited information needs to be handled carefully. The wrong response could damage your relationship with your patient, expose you to a privacy complaint, or create problems when your patient or a third-party requests access to the patient’s medical record.
Your legal obligations
Australian Privacy Principle 4 (APP 4) sets out how unsolicited information must be managed. In simple terms, you need to consider whether this is information you would ordinarily be entitled to collect.
If yes — store it in accordance with the Australian Privacy Principles.
If no — return or destroy it.
In most cases, you will not be entitled to collect unsolicited information without your patient's consent, and without a clear connection to the healthcare you are providing. In this case, APP 4 requires you to return or destroy it.
There are however exceptions. The most relevant being where:
- it is required or authorised by or under an Australian law e.g. mandatory reporting obligations. For example, a child protection concern or mandatory notification to Ahpra.
- it creates a reasonable belief that there is a serious threat to the life, health or safety of your patient or another person
- it relates to a missing person
- it relates to serious misconduct or unlawful activity that may be investigated in future
- it may form a necessary part of a legal claim.
If you are unsure whether you are entitled to keep unsolicited information, contact Avant for advice.
A word of caution about the information itself
You have no way of knowing if the information shared with you is accurate. Also, be alert to the possibility of vexatious intent. For these reasons, storing the information can be problematic. Redacting inaccurate or vexatious information at a later date may prove difficult if those records have already been accessed by or shared with other providers.
How to respond
The flowchart below provides guidance on how to respond when you or your practice receives unsolicited information.

In addition, a workplace policy on unsolicited information will allow your staff to respond promptly, consistently and appropriately.
If you are not entitled to retain the information
Returning to the example: after seeking medico-legal advice from Avant, you conclude that because the email contains unsolicited information about the patient and his partner and his mother does not consent to this information being disclosed to the patient, you do not have patient consent to collect it and no exception applies deleting the email is the right course of action.
Your response to the mother might look like this:
Dear Ms Vancroft, Thank you for your email of [date] about your son and his partner. I do not have consent from my patient or his partner to collect the information you have provided. As such, I am obliged to delete your email to comply with my obligations under the Privacy Act 1988 (Cth). I have not retained a copy. I would be happy to address your concerns in a consultation with James and his partner, if they are agreeable to this. Kind regards [Doctor] |
Although you haven’t retained a copy of the email, you understandably cannot 'unhear' this information so you may still decide to discuss appropriate use of prescription medicine with your patient as part of your clinical management.
If you are required, or decide, to keep the information
Act on the information as appropriate, then store the information and document the steps taken in the medical records (if it is relevant to patient care and appropriate to do so) noting which exception was relied upon.
In Victoria and the ACT, certain information can legally be stored but withheld from the patient upon request. However, this protection is not absolute. For example, a subpoena could still force disclosure.
Before retaining any unsolicited information, also consider the risks:
Impact on the therapeutic relationship
- How will the patient react if they discover you collected information about them without their knowledge or consent? Even if you don’t tell them, the third party might — which could damage trust and lead to complaints.
Privacy risks
- The patient may deduce who provided the information, even if the third party is de-identified. This could create conflict between the patient and third party, and potentially expose you to privacy complaints from either, or both.
When should retained information not be stored?
If retention is necessary, in some circumstances it may not be appropriate to store the information in the patient’s medical records and it will need to be stored separately in accordance with Privacy Act obligations. For example, information retained in connection to a mandatory notification to Ahrpa concerning another health practitioner should be stored separately, not in the patient's medical record.
Keep in mind that even separately held material may still be subject to disclosure under subpoena.
Key messages
Remember your duty of care is to the patient. Unsolicited information may be shared with health practitioners in response to genuine concern or for an ulterior motive. How you respond can affect your relationship with your patient, the third party, or both.
Knowing whether to retain or return/destroy unsolicited third‑party information is difficult if the discloser does not consent to it being shared with the patient. Each situation requires careful judgment, and awareness of the potential impact on trust, privacy, and professional accountability.
- Unless an exception applies you should return or delete unsolicited information, with a brief explanation to the third party
- Telling your patient about the contact if you are permitted to do so, is often the best way to protect the therapeutic relationship
- If the information creates a legal obligation to act, for example to prevent serious harm, you must do so
Dealing with unsolicited information is a very complex area and as such, we recommend you contact Avant for advice about your specific scenario, particularly if you feel you need to keep a record of how you handled the contact, in case you need to explain your decision later.
Further reading
Office of the Australian Information Commissioner - Chapter 4: APP 4 - Dealing with unsolicited personal information
For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.
The information in this publication does not constitute legal, financial, medical or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement and seek appropriate professional advice relevant to their own particular circumstances. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant and its related entities are not responsible to any person for any loss suffered in connection with the use of this information. Information is only current at the date initially published.