
Why every practice needs a strong privacy policy
Your privacy policy is more than a formality – it helps you meet your legal obligations, protect patient information, and support your team. This article outlines what a good policy should include and why keeping it up to date matters.
Sunday, 21 September 2025
Why every practice needs a privacy policy that works
It’s likely you’ve got a privacy policy somewhere: on your website, in a drawer, or tucked into your new patient forms. But is it up to date, and does it reflect how your practice actually manages patient information today? And, just as importantly, does your team know what’s in it?
As a practice manager, you must ensure your practice not only has a privacy policy but also understands it. You need a document that meets legal obligations, explains things clearly to patients, and supports your staff in responding consistently and confidently.
It's not optional
All private health service providers - individual or group practices, GPs or non-GP specialists - must comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). APP 1 requires you to have a clearly expressed and readily available privacy policy that outlines how your practice manages personal information.
This isn’t just “nice to have”, it’s a legal requirement. If you haven't reviewed your policy in the last year, or if your team can’t confidently explain how to correct a patient’s contact details or respond to a privacy complaint, you need to take a closer look.
What should your privacy policy tell patients?
Your privacy policy should tell patients:
- What personal and health information your practice collects.
- How and why you collect, use and disclose it.
- How you store and protect it.
- How patients can access or correct their information.
- How they can raise a complaint if they think you have breached their privacy.
- Who to contact in the practice about privacy concerns.
You should also include clear statements about your current use of technologies, including artificial intelligence. From December 2026, it will be compulsory to include information in your privacy policy about types of personal information used in the operation of computer programs, and decisions made solely or partly by computer programs. If your privacy policy doesn’t reflect how your practice operates today, you risk breaching your obligations, even if the policy was compliant when you wrote it.
Make it readable and easily accessible
Legal jargon doesn’t make your policy more compliant. It often makes it harder for patients and staff to understand. Write your privacy policy in plain language. Make it available free of charge, and easy to find either on your website, at reception, or as part of your new patient welcome materials.
Patients are increasingly aware of their rights, and a clearly written privacy policy helps set expectations and build trust from the outset.
Set your team up for success
A good policy is only part of the picture. It’s equally important to make sure your team knows how to follow it. Patients often get frustrated when different staff give inconsistent answers. For example, one staff member might be happy to change a patient’s phone number over the phone, while another insists on a written request. This inconsistency damages your practice’s credibility and leads to avoidable patient complaints.
You should create clear procedures for:
- updating patient demographic details (e.g. verifying identity, documenting changes)
- responding to requests to access or correct medical records
- managing privacy complaints or concerns
- knowing when to escalate issues to the Privacy Officer or practice principal.
Regular training sessions and an onboarding checklist can prevent confusion and ensure staff understand their role in maintaining privacy compliance.
Avoiding simple, costly errors
Incorrect patient information commonly contributes to privacy breaches in healthcare. It also undermines patient safety.
Imagine the following:
- A patient updates their phone number at reception, but the change isn’t saved in the system. The practice sends a message about results to their old number.
- Staff add a new patient to the system with a slightly different date of birth or spelling, creating a duplicate record. They enter clinical information across both records, leading to confusion or a missed diagnosis.
- The practice sends information to a patient’s email address on file, but without their express permission to use it.
You can easily prevent these issues. Build processes into your daily workflows to confirm and update patient details. For example, train your team to double-check before creating a new record. Regularly audit your database for duplicates or missing information. And document all changes clearly and securely in line with your privacy policy.
Don't forget access and correction
APP 13 specifically requires that patients can request access to or correction of their personal information. Your privacy policy should explain:
- how patients can make this request
- whether they need to submit it in writing
- what the process involves
- how long it will take to respond
- whether any fees apply (noting that fees must be reasonable and only cover the cost of access, not processing the request).
See Avant’s factsheet Responding to a request to access medical records for further information.
When you document and communicate this information clearly and consistently, you protect your practice from privacy complaints and encourage clear communication with patients.
Appoint a privacy officer
Designating a Privacy Officer within your practice gives patients and staff a clear point of contact for all privacy-related issues. It also improves consistency, especially when dealing with complex matters like responding to a breach, reviewing third-party requests for information, or navigating new technologies like AI or digital health platforms.
The Privacy Officer doesn’t need to be a full-time role, but you should clarify who has primary responsibility for privacy matters. That person should:
- understand the practice’s privacy obligations
- know the contents of the privacy policy
- be confident managing internal and external privacy questions
- ensure the practice reviews the policy annually or sooner if legislation, workflows or technology changes.
If you're reviewing or updating your practice’s privacy policy, the Office of the Australian Information Commissioner (OAIC) provides practical guidance on what to include and how to comply with the Privacy Act. The Royal Australian College of General Practitioners (RACGP) also offers privacy and security resources tailored to general practice.
We have a Privacy policy development guide to help you develop your privacy policy or review and strengthen your existing policy. The guide includes example wording, explanatory notes and practical guidance to help you align your policy with your privacy obligations and the needs of your practice.
If you require more tailored support, Avant Practice Solutions offers a fee-for-service option for both members and non-members. Services include policy and procedure reviews. For more information visit the website Practice management consulting.
References and further reading
Avant collection: Cyber what you need to know
Avant factsheet: Privacy policy development guide
More information
For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.
This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.