Beware these Privacy Act risks

For GPs who don’t want to run afoul of the Privacy Act, shared inboxes are out and formal practice policies are in.


With the federal government getting serious on reforms to the Privacy Act, now is a good time for general practices to take stock of their obligations, according to commercial lawyer Mark Lazarus and paediatric physician-cum-entrepreneur Associate Professor Vikram Palit.

The pair presented at the 2025 RACGP Practice Owners Conference on Sunday.

“The Office of the Australian Information Commissioner … can basically come in and investigate your practice,” Mr Lazarus said.

“They handle patient complaints as well, and … what’s happening with the reforms is they can issue fines of up to $50 million for serious breaches of the Privacy Act.

“Not to scare anyone, but obviously going forward it’s very, very important to take privacy seriously.”

Under the reforms, all businesses regardless of size will have to comply with the 13 Australian privacy principles.

These cover:

  1. Open and transparent management of personal information
  2. Anonymity and pseudonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use or disclosure of personal information
  7. Direct marketing
  8. Cross-border disclosure of personal information
  9. Adoption, use or disclosure of government related identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information

According to Professor Palit, one area in which GP practices may need to shore up their privacy protections is in relation to fax machines and unsecured email inboxes.

“You don’t always have control over [how you’re sent correspondence and patient information], but certainly you can lead the way in terms of directing how that information comes to you,” he told delegates.

“If you do continue to use systems like fax machines and email, you can certainly put policies around it and role-based access and ensure that the way that that communication comes to you has processes around it.”

The big issue with shared inboxes, he said, was that often there was no way to determine which user had accessed documents or potentially sensitive information.

“[Most GP software] vendors that … you use will have these types of audit trails in place, but often it’s the systems that sit around the practice management software that it’s worth stopping and thinking about,” Professor Palit said.

“[It’s worth] thinking about who has access to those systems and who [actually] needs access.”

Professor Palit also cautioned against using out-of-date onboarding forms for patients which may not capture consent for all of the new technology and telehealth that the practice is using.

“It [should] capture all the new systems that you have or that you’re thinking of using – [such as] AI tools and scribes – so that it’s captured right at the start, particularly for your new patient registrations, but also for your existing ones as well, in terms of updating that consent,” he said.

“And I think a key [aspect to consider] is … you’re collecting patient information, and they’re disclosing sensitive information, which is part and parcel of the work that you do, but [you also need] consent to share that sensitive data.”

Professor Palit also recommended writing formal systems and policies for events like a data breach.

“It doesn’t need to be particularly complex,” he said.

“It just needs to be procedural – if there was a data breach identified, these are the steps within the organisation, this is how it gets escalated and these are the people that are responsible … then how you notify and when you notify [patients].”

For practices using AI tools, Mr Lazarus recommended looking carefully at their data retention policies to determine whether the tool would be a good fit for the practice.

The 2025 RACGP Practice Owners Conference was held at the Melbourne Convention and Exhibition Centre on 24 and 25 May.