Skip to content

How do you draft a Privacy Policy for a medical business?

The Australian Privacy Principles (APPs) were introduced in March 2014, to supplement the Privacy Act. The APPs apply to all health service providers. If you run a medical business, you need to make sure your Privacy Policy complies with the APPs, to comply with the law, as there are considerable fines for breach.

A thorough and up-to-date privacy policy will also help show your clients that you respect their personal information and take steps to keep it safe.

A Privacy Policy for a medical business needs to address the items set out below.

Collection of Personal Information

First, set out what type of information your business collects. Personal information includes:

  • name;
  • contact details;
  • date of birth;
  • demographics; and
  • preferences.

If your business receives personal information from third parties, you should indicate that you do so, and explain that you will protect this third party information in the same way you protect information collected directly.

Medical businesses also collect sensitive information, which is a subset of personal information. This is given higher protection under the APPs.

Sensitive information includes:

  • information or an opinion about an individual’s race, political opinions, religions and beliefs, memberships of a particular association, sexual orientation, or criminal records, which are also personal information;
  • health information;
  • genetic information (that is not otherwise health information); and
  • biometric information.

Use and Disclosure of Personal Information

Your Privacy Policy needs to set out how personal information will be used and disclosed. Personal information should not be used without consent.

Uses may include contacting and communicating with clients, for internal record keeping, marketing, and providing information to third parties.

You are allowed to disclose personal information to credit reporting agencies and courts where your clients fail to pay for any goods or services you provided, to law enforcement agencies as required by law, and to third parties who may assist in providing information, products or services to the client.

In relation to sensitive information, use and disclosure is stricter.

For a medical business, generally, sensitive information may only be used or disclosed under the following circumstances:

  • if the client would reasonably expect the business to use or disclose the information for a secondary purpose, and only if that secondary purpose is directly related to the primary purpose for which the sensitive information was collected;
  • if it is required or authorised by law;
  • if you reasonably believe that the disclosure is necessary for law enforcement purposes; or
  • if a permitted health situation exists.

A permitted health situation only exists where the information is necessary to provide a health service to the individual and the collection is either:

  • required or authorised by or under an Australian law; or
  • in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.
Continue reading this article below the form
Loading form

 Storage and Security

You need to show your client that you are committed to keeping personal and sensitive information secure. You should outline what procedures you have in place to protect information such as physical, electronic or managerial procedures.

However, to limit your liability, it is wise to explain that whilst measures are taken, no information transmitted over the internet can be guaranteed to be secure.

Contact Details

You must provide details of how people can contact you in regards to the personal information that is held with your business and how they can correct this information.

Conclusion

When you operate a medical business, you collect, use and disclose personal and sensitive information on a regular basis. It is important that this information is protected. You need a good quality Privacy Policy in place and you need to follow it. To ensure that your Privacy Policy complies with the APPs, and covers your business, you should check the Privacy Act or have assistance from a lawyer.

Register for our free webinars

Franchisor Compliance Update: Code Obligations from November 2025

Online
Stay compliant with the new franchising updates from November 2025. Register for our free webinar.
Register Now

Avoiding NDIS Pitfalls: Key Breaches and How to Prevent Them

Online
Understand NDIS pitfalls and reduce the risk of breaches affecting your business. Register for our free webinar.
Register Now

Demystifying M&A: What Every Business Owner Should Know

Online
Understand the essentials of mergers and acquisitions and protect your business value. Register for our free webinar.
Register Now

Social Media Compliance: Safeguard Your Brand and Avoid Common Pitfalls

Online
Avoid legal pitfalls in social media marketing and safeguard your brand. Register for our free webinar.
Register Now
See more webinars >
Ursula Crowley

Ursula Crowley

Read all articles by Ursula

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards