Skip to main content

Privacy policy

On this page: Agency Privacy Policy | My Health Record Privacy Policy

Summary

This summary sets out the key points about how the Australian Digital Health Agency (the Agency) handles personal information.

We collect, hold, use, and disclose personal information to carry out our functions or activities under the the Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016.

This summary also explains how the Agency, as the System Operator under the My Health Records Act 2012 (Cth), collects, uses, and discloses personal information to operate and manage the My Health Record system. This information is handled subject to the My Health Records Act, Healthcare Identifiers Act 2010 (Cth), and Privacy Act 1988 (Cth).

More information can be found in our Agency Privacy Policy (below) and our My Health Record Privacy Policy (below).

If you would like to access these policies in an alternative format or language, for example if you have a disability or are from a non-English speaking background, please contact us using the contact details at the end of this page. We will take reasonable steps to provide you with alternative access.

Collection of personal information

Personal information may include your:

  • name,
  • contact details, and
  • enquiry, complaint, or FOI request details.

Sensitive information may include information about your:

  • health,
  • racial or ethnic origin,
  • political opinions,
  • association memberships, religious beliefs,
  • sexual orientation,
  • criminal history,
  • genetic or,
  • biometric information.

CALD information is also considered sensitive information and includes information or opinion about an individual’s race or ethnicity. This includes the individual’s preferred language and country of birth.

We usually collect personal information (including sensitive information) from you or your authorised representative when:

  • we are handling privacy enquiries and complaints, freedom of information (FOI) requests,
  • you use our websites,
  • you deal with us as part of a consultation,
  • when you register to use our training modules
  • we deal with you as part our managing the day-to-day business of the Agency, or if you supply goods and services to us.

We will also collect your personal information when you apply for a job at the Agency. We also collect your personal information, including health information or culturally and linguistically diverse (CALD) information, when you register and create a My Health Record for yourself or another person.

We collect personal information when a registered healthcare provider organisation uploads this information to a My Health Record. Personal information may be contained in Record such as a shared health summary, a discharge summary, diagnostic imaging, or pathology results, or prescribing and dispensing information. These Record may also contain personal or health-related information about third parties.

We collect your personal information from healthcare provider organisation, Services Australia, the National Repository Service (NRS), and other registered repository operators.

We also collect personal information through our websites and social networking services such as Facebook, Twitter, and YouTube. We use this information to improve our website and receive feedback from the community.

Agency information technology security practices

All personal information collected is held on our cloud storage, on servers located in Australia. We retain effective control over any personal information held on our cloud, and the information is handled in accordance with the Australian Privacy Principles.

Disclosure

We may, as the Agency or System Operator, disclose your personal information held by the Agency, and in a My Health Record, with your consent or where disclosure is required or authorised by law. We may use or disclose the personal information we collect in order to:

  • respond to enquiries and complaints and otherwise engage with stakeholders
  • communicate information to you about any initiative offered by or associated with us, including invitations to consultation or engagement events
  • provide marketing information about goods, services, events, or initiatives which may be of interest
  • improve products and services by using information you have provided us
  • conduct business with our business associates and contractors
  • manage our employment relationships and responsibilities
  • promote our activities through communications material
  • engage and manage our workforce
  • deliver on our functions and meet our legal obligations. This may include for example, disclosing employee personal information to the Australian Government Security Vetting Service.

It is important to note that your My Health Record information may only be used as prescribed by the My Health Records Act and not for our day-to-day purposes.

We may also disclose your personal information to:

  • you or your authorised representatives or nominated representatives for the purposes of managing your My Health Record
  • authorised individuals from registered healthcare provider organisations to provide you with healthcare
  • registered healthcare provider organisations and individuals who work for them if we reasonably believe it is necessary to lessen or prevent a serious threat to your life, health, or safety. We may also collect, use, and disclose personal information where we reasonably believe it is necessary to lessen or prevent a serious threat to public health or public safety
  • registered contracted service providers who provide information technology or health information management services to registered healthcare provider organisations in relation to the My Health Record system
  • our contractors and delegates who assist in operating the My Health Record system and carrying out the System Operator functions
  • registered repository operators for the purpose of storing, indexing, and calling for documents about you which form part of your My Health Record
  • other participants in the My Health Record system for the purposes of the My Health Record system, including if we need to investigate or resolve technical or other issues that may have an impact on the accuracy, security, or privacy of information in your My Health Record
  • other persons for the management and operation of the My Health Record system where you, as a healthcare recipient, would reasonably expect us to do so
  • other persons, in other situations where you have provided consent and in accordance with all relevant laws.

More detailed information about how the Agency and the System Operator use and disclose personal information is available in the Agency privacy policy and our My Health Record privacy policy.

Accessing and correcting your personal information

If you ask, in most cases we must give you access to the personal information that we hold about you and take reasonable steps to correct it if we consider it is incorrect. We will try to make the process as simple as possible.

How to make a complaint

You can complain to us in writing about how we have handled your personal information. We will respond to the complaint within 30 days.

More information can be found in our Agency Privacy Policy and our My Health Record Privacy Policy about how to contact us to make a complaint.

Agency Privacy Policy

Overview

In this policy, when we use 'we', 'us' or 'our', we are referring to the Australian Digital Health Agency (the Agency).

When we use 'you' or 'your' we are referring to the reader as an individual.

As a Commonwealth entity, we must have a Privacy Policy outlining how we handle personal information in accordance with the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth).

This policy sets out how we collect, use, and disclose personal information to carry out our functions under the Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016. This includes our functions as the System Operator for the My Health Record system.

When we use third party services with their own policies, those policies apply in addition to the applicable Agency Privacy Policy.

What is 'personal information'?

Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable from that information.

Collection of your personal information

At all times we try to only collect the information we need for the particular function or activity we are carrying out.

The main way we collect personal information about you is when you give it to us. For example, we collect personal information such as contact details and complaint, review, request, data breach notification or report details when you:

  • contact us to ask for information (but only if we need it)
  • make a complaint about how we have handled your personal information
  • ask for access to information the Agency holds about you or other information about the Agency’s operation
  • apply for a job vacancy at the Agency.

We may also collect information from you when we investigate or review a privacy complaint or FOI review referred to us by the Office of the Australian Information Commissioner (OAIC). If we open a file about your matter, it will often include our opinion on your matter and our responses to the OAIC’s inquiries.

We may also collect contact details and some other personal information if you are on our committees or participating in a meeting or in consultation with us.

Collecting sensitive information

Sometimes we may need to collect sensitive information about you, for example, to handle a complaint. This might include information about your health, racial or ethnic origin, political opinions, association memberships, religious beliefs, sexual orientation, criminal history, genetic or biometric information.

We may collect sensitive information from you only where the collection of the information is reasonably necessary for, and directly related to, our functions and activities and with your consent. However, there are exceptions to this principle. We may collect sensitive information about you without your consent if we reasonably believe it is necessary. These exceptions are:

  • Collecting sensitive information as required or authorised by an Australian law or to comply with a court or tribunal order
  • Collecting sensitive information where a permitted general situation exists. This includes:
    • Lessening or preventing a serious threat to life, health, or safety
    • Taking appropriate action in relation to suspected unlawful activity or serious misconduct
    • Locating a person reported as missing
    • Reasonably necessary for establishing, exercising, or defending a legal or equitable claim
    • Reasonably necessary for a confidential alternative dispute resolution process

If we do collect, use, or disclose your personal information in this way we will explain why we have done so.

Indirect collection

In the course of handling and resolving a complaint, enquiry, or Freedom of Information (FOI) request, we may collect personal information (including sensitive information) about you indirectly from publicly available sources or from third parties such as your authorised representative if you have one.

We also collect personal information from publicly available sources to enable us to contact stakeholders who may be interested in our work or in participating in our consultations.

Anonymity/Pseudonymity

Where possible, we will allow you to interact with us anonymously or using a pseudonym. For example, if you contact our Help Line with a general question, we will not ask for your name unless we need it to adequately handle your question.

However, for most of our functions and activities we usually need your name and contact information and enough information about the particular matter to enable us to handle your inquiry, request, complaint, or employment application fairly and efficiently.

Collecting through our website

The Agency’s public website, www.digitalhealth.gov.au, is hosted in Australia. There are a number of ways in which we collect information though our website.

Web analytics

Our website uses Google Analytics to help us to continually improve the user experience.

Google Analytics is hosted by a third party. We use Google Analytics to collect data about your interaction with our website. The type of information we may collect includes:

  • your device’s IP address,
  • type of device and browser used to visit the websites,
  • geographic location,
  • search terms and pages visited,
  • date and time when website pages were accessed.

The main purpose of collecting your information in this way is to improve your experience when using our site. We also use this data to understand and report on which content pages and downloads are accessed by visitors.

Cookies

Cookies are small data files transferred onto computers or devices by websites for record-keeping purposes and to enhance functionality on the website. Most browsers allow you to choose whether to accept cookies or not. If you do not wish to have cookies placed on your computer, please set your browser preferences to reject all cookies before accessing our website.

Third-party applications

We sometimes use third party applications to collect personal information from you. This includes the following:

  • Microsoft Teams to collaborate with our stakeholders. We may collect the name you provide Microsoft if you attend a meeting through Microsoft Teams. This information helps us to know who is attending and how long they attended. You can view Microsoft’s privacy policy here.
  • JobAdder to store and manage your personal information to assist with our recruitment activities for potential employees. You can access JobAdder’s privacy policy here.
  • Recruiting platforms including Seek and the APS Gazette for job advertisements and applications. You can access Seek’s privacy policy here and the APS Gazette’s privacy policy here.
  • We may use Xref to conduct reference checks with referees whose details you provide to us. Xref will collect personal information about you from your nominated referee(s) and disclose this to us to consider and facilitate your application for employment. You can access Xref’s privacy policy here.
  • Survey Manager to collect feedback about us or the services that we provide. These surveys may collect personal information if provided in an individual’s response. You can view Survey Manager’s privacy policy here.

Social Networking

We use social networking services such as Twitter, Facebook, LinkedIn, and YouTube to communicate with the public about our work. When you communicate with us using these services we may collect your personal information, but we only use it to help us to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies for Twitter, Facebook, LinkedIn and YouTube (a Google company) on their websites.

Disclosure

Common situations in which we disclose information are detailed below.

We may use or disclose the personal information we collect to:

  • respond to enquiries and complaints and otherwise engage with stakeholders
  • communicate information to you about any initiative offered by or associated with us, including invitations to consultation or engagement events
  • provide marketing information about goods, services, events, or initiatives which may be of interest
  • improve products and services by using information you have provided us
  • conduct business with our business associates and contractors
  • manage our employment relationships and responsibilities
  • promote our activities through communications material
  • engage and manage our workforce
  • deliver on our functions and meet our legal obligations. This may include for example, disclosing employee personal information to the Australian Government Security Vetting Service.

If you receive marketing materials from us, you may opt out of further communications of this nature by contacting us.

We may disclose information that relates to complaints or investigations referred to us by the OAIC to other Australian regulators, or to external dispute resolution (EDR) schemes. We will generally only disclose your personal information to other regulators or EDR schemes if you agree and where the information will assist the OAIC to investigate matter or will assist the other regulator or EDR scheme to investigate a matter where we are authorised or required to do so by or under law.

Web traffic information is disclosed to Google Analytics when you visit our websites. Google stores information across multiple countries.

When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.

Quality of personal information

To ensure that the personal information we collect is accurate, up-to-date, and complete we:

  • record information in a consistent format
  • where necessary, confirm the accuracy of information we collect from a third party or a public source
  • promptly add updated or new personal information to existing Record
  • regularly audit our contact lists to check their accuracy.

We also review the quality of personal information before we use or disclose it.

Storage and security of personal information

All personal information collected is held on our cloud storage, on servers located in Australia. We retain effective control over any personal information held on our cloud, and the information is handled in accordance with the Australian Privacy Principles.

We take steps to protect the security of the personal information we hold from both internal and external threats by:

  • regularly assessing the risk of misuse, interference, loss, and unauthorised access, modification, or disclosure of that information
  • taking measures to address those risks, for example, we keep a record (audit trail) of when someone has added, changed, or deleted personal information held in our electronic databases and regularly check that staff only access those records when they need to
  • conducting regular internal and external audits to assess whether we have adequately complied with or implemented these measures.

For further information on the way we manage security risks in relation to personal information we hold see our supplementary material on information technology security practices, below.

We destroy personal information in a secure manner when we no longer need it. For example, we generally destroy complaint Record after three years, in accordance with the Agency’s Record Disposal Authority.

Accessing and correcting your personal information

Under the Privacy Act (APPs 12 and 13) you have the right to ask for access to personal information that we hold about you and ask that we correct that personal information. You can ask for access or correction by contacting us and we must respond within 30 days. If you ask, we must give you access to your personal information, and take reasonable steps to correct it if we consider it is incorrect, unless there is a law that allows or requires us not to.

We will ask you to verify your identity before we give you access to your information or correct it, and we will try to make the process as simple as possible. If we refuse to give you access to, or correct, your personal information, we must notify you in writing setting out the reasons.

The steps appropriate to verify an individual’s identity will depend on the circumstances. We will seek the minimum amount of personal information needed to establish an individual’s identity. For example, during a telephone contact it may be adequate for us to request information that can be checked against our records.

If we make a correction and we have disclosed the incorrect information to others, you can ask us to tell them about the correction. We must do so unless there is a valid reason not to.

If we refuse to correct your personal information, you can ask us to associate with it (for example, attach or link) a statement that you believe the information is incorrect and why.

You also have the right under the FOI Act to request access to documents that we hold and ask for information that we hold about you to be changed or annotated if it is incomplete, incorrect, out-of-date, or misleading. For further information see the Freedom of Information page on our website or see our contact details below.

How to make a complaint

If you wish to complain to us about how we have handled your personal information you should first complain to us in writing by sending your enquiry or complaint to our postal address (see below) or by email to [email protected]. Please address your correspondence to ‘The Privacy Officer’. If you need help lodging a complaint, you can contact us - see ‘How to contact us’ below.

If we receive a complaint from you about how we have handled your personal information we will determine what, if any, action we should take to resolve the complaint.

If we decide that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about.

We will assess and handle complaints about the conduct of Agency staff using the APS Values and Code of Conduct and the guidelines issued by the Australian Public Service Commission.

We will tell you promptly that we have received your complaint and then respond to the complaint within 30 days.

If you are dissatisfied with the outcome of the complaint or the way in which the complaint was handled, you may contact the Office of the Australian Information Commissioner for advice about your complaint.

Contact us

You can contact us by:

Website: Our online contact form

Telephone: 1300 901 001, 8am - 5pm (AEST/AEDT), Monday - Friday

Email: [email protected]

Assisted contact:

  • If you need an interpreter, call TIS National on 131 450
  • For hearing or speech assistance, contact the National Relay Service or call 1300 555 727.
  • myGov Helpdesk: 132 307 (option 1), available 7am - 10pm, Monday - Friday and 10am - 5pm, Saturday - Sunday in local Australian time zones.
  • Medicare: 132 011, available 24 hours a day, 7 days a week.

Date of last review

We may review and update this policy to take account of new laws and technology and changes to our operations. Please visit this page periodically to check for updates.

This policy was last reviewed on 17 June 2022.

My Health Record Privacy Policy

Overview

This policy explains how the Australian Digital Health Agency (the Agency), as System Operator under the My Health Records Act 2012 (Cth), collects, uses, and discloses personal information to operate and manage the My Health Record system.

This information is handled subject to the My Health Records Act, Healthcare Identifiers Act 2010 (Cth), and Privacy Act 1988 (Cth). This policy is published in accordance with Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act.

When we refer to 'System Operator', 'our', 'we' or, 'us' in this policy, this may include our delegates in the Department of Health or the Chief Executive Medicare and contractors who assist us to carry out our functions.

When we refer to 'you' or 'your' in this policy, we may be referring to you as a healthcare recipient with a My Health Record, or to another person who is a representative authorised to manage your My Health Record under the My Health Records Act. We may also be referring to a healthcare provider or other authorised staff of a registered healthcare provider organisation.

References to personal information in this policy may also include health information or culturally and linguistically diverse (CALD) information. Health information is a type of personal information that is about your health or disability. Health information is considered sensitive information and generally has a higher level of privacy protection than other types of personal information.

CALD information is also considered sensitive information and includes information or opinion about an individual’s race or ethnicity. This includes the individual’s preferred language and country of birth.

Technical terms, such as 'System Operator', are explained in our glossary. If you have any questions about the terms used in this policy, please contact us using the contact details at the end of this policy.

If you would like to access this policy in an alternative format or language, for example if you have a disability or are from a non-English speaking background, please contact us using the contact details at the end of this page. We will take reasonable steps to provide you with alternative access.

We only collect, use, and disclose personal information where this is permitted by the My Health Records Act, Healthcare Identifiers Act, and the Privacy Act to fulfil our functions as the System Operator.

Specific information about the personal information we collect, use, and disclose to carry out specific activities is outlined below.

What is 'personal information'?

Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable from that information.

Collection of your personal information

To register and create a My Health Record for yourself or someone else, we need to collect your personal information. This includes:

  • your and/or the other person’s name,
  • sex,
  • Medicare number,
  • Department of Veterans’ Affairs (DVA) number, and
  • date of birth.

We also collect evidence of identity information or documentation from you as part of this process.

We collect this personal information directly from you. We may also collect this information from:

  • a registered healthcare provider organisation
  • the National Repositories Service (NRS)
  • a participating registered repository operator
  • your authorised or nominated representative

If you are registering for a My Health Record on behalf of someone else as their authorised representative, we also need to collect evidence of your authority to act on their behalf.

We also collect health information or culturally and linguistically diverse (CALD) information when you register and create a My Health Record for yourself or another person.

Collecting sensitive information

We may need to collect sensitive information about you. This might include information about your health, racial or ethnic origin, political opinions, association memberships, religious beliefs, sexual orientation, criminal history, genetic or biometric information.

We may collect sensitive information from you only where the collection of the information is reasonably necessary for, and directly related to, our functions and activities and with your consent. However, there are exceptions to this principle. We may collect sensitive information about you without your consent if we reasonably believe it is necessary. These exceptions are:

  • Collecting sensitive information as required or authorised by an Australian law or to comply with a court or tribunal order
  • Collecting sensitive information where a permitted general situation exists. This includes:
    • Lessening or preventing a serious threat to life, health, or safety
    • Taking appropriate action in relation to suspected unlawful activity or serious misconduct
    • Locating a person reported as missing
    • Reasonably necessary for establishing, exercising, or defending a legal or equitable claim
    • Reasonably necessary for a confidential alternative dispute resolution process

If we do collect, use, or disclose your personal information in this way we will explain why we have done so.

Anonymity/Pseudonymity

You may be eligible to have a My Health Record under a pseudonym. For information, including to see if you are eligible, please contact us.

If you contact us with a general question, we will not ask for your name unless we need it to adequately handle your question.

In other limited circumstances, we will allow you to interact with us anonymously or using a pseudonym. However, we usually need your name, contact information and enough information about your matter to enable us to handle your enquiry, request or complaint fairly and efficiently.

Collecting through our website

We will collect your personal information if you provide it when using the Agency website. We will use and disclose this information for the purpose for which you provided it. Your first name and the content of your email, and any additional information you choose to provide, may also be used for reporting and feedback purposes.

Website analytics and cookies

The Agency website primarily uses Google Analytics to help us continually improve the user experience.

Google Analytics is hosted by a third party. We use Google Analytics to collect data about your interaction with our website. The type of data that we may collect includes:

  • your device’s IP address,
  • type of device,
  • browser used to visit the website,
  • geographic location,
  • search terms
  • pages visited, and
  • date and time when website pages were accessed.

Google Analytics collects information using cookies. Cookies are small data files transferred onto computers or devices by websites. We use cookies on our website for record-keeping purposes and to enhance the website’s functionalities. The Agency collects other information about user interaction through cookies associated with:

  • Google Fonts,
  • New Relic and
  • SolarWinds Pingdom.

We use cookie data to improve your experience when using our website.

Most browsers allow you to choose whether or not to accept cookies. You can find further information on how to manage or disable cookies in common browsers below:

If you disable all cookies in your browser, you may find that certain sections of our website may not work.

Disclosure of personal information overseas

Web traffic information is disclosed to Google Analytics when you visit our websites. Google stores information across multiple countries.

When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.

Social Networking

We use social networking services such as Twitter, Facebook, LinkedIn, and YouTube to communicate with the public about our work. When you communicate with us using these services we may collect your personal information, but we only use it to help us to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies for Twitter, Facebook, LinkedIn, and YouTube (a Google company) on their websites.

Disclosure

We may disclose personal information included in a My Health Record if it is required or authorised under the My Health Records Act. This does not include your personal health notes. The limited circumstances where your personal information may be required or authorised to be disclosed include when it is:

  • to you (including your authorised representatives and nominated representatives)
  • to provide healthcare, in accordance with any access controls set by you
  • with your consent
  • for the management or operation of the My Health Record system – if you would reasonably expect this to occur. For example, it may be to resolve any technical or other issues that may have an impact upon the accuracy, security, or privacy of information in your My Health Record
  • for emergency access purposes. For example, if you are injured or unable to communicate to those caring for you or providing a health service to you
  • authorised by the Auditor-General Act 1997 (Cth) or the Ombudsman Act 1976 (Cth)
  • under any other law to the extent where it requires the handling of the health information so that the Australian Information Commissioner can perform its functions
  • for a purpose relating to the provision of indemnity cover for a healthcare provider, or
  • if we suspect unlawful activity relating to our functions has occurred or may be occurring.

Should this occur, we will handle health information if we reasonably believe that it is necessary to investigate the matter or report our concerns to the relevant person or authority. However, we are only authorised to disclose the minimal amount of personal information necessary for the relevant person or authority to identify the matter sufficiently, to consider it and to apply a judicial order in relation to the matter.

  • to courts and tribunals under an order or direction (and only where the order or direction relates to a limited type of proceedings)
  • under a coroner’s direction or order, or
  • to limited Commonwealth, state or territory authorities who are not courts, tribunals, or coroners, who have particular powers specified in the My Health Records Act, and only where they have obtained an order from a judicial officer.

Some authorisations listed above do not include handling your personal health notes.

My Health Record data used for research and other purposes

Part 7 of the My Health Records Act established the role of the Data Governance Board (the Board). The Board oversees the operation of the secondary use governance framework as outlined in the Framework to guide the Secondary Use of My Health Record system data.

The Board’s role also includes guiding and directing us to prepare and provide de-identified data for research or public health purposes and, with the consent of the healthcare recipient, health information for the same purposes.

We may also use and disclose de-identified aggregated My Health Record information to educate healthcare provider organisations and the public about the use and performance of the My Health Record system.

Quality of personal information

To ensure that the personal information we collect is accurate, up-to-date, and complete we:

  • record information in a consistent format
  • where necessary, confirm the accuracy of information we collect from a third party or a public source
  • promptly add updated or new personal information to existing Record
  • regularly audit our contact lists to check their accuracy.

We also review the quality of personal information before we use or disclose it.

Storage and security of personal information

The protection of your personal information is something we take very seriously, and we are committed to keeping it secure. We take significant precautions to protect personal information from misuse and loss, and from unauthorised access, modification, or disclosure.

A range of measures are in place to protect information in the My Health Record system, including:

  • robust multi-tiered technical security controls, which protect the integrity, confidentiality, and availability of health information
  • comprehensive monitoring of access to the My Health Record system, to identify and investigate suspicious or inappropriate behaviour
  • strong authentication processes to provide access to authorised users only
  • use of encryption protocols and algorithms that comply with standards set by the Australian Signals Directorate, to ensure that all data is encrypted in transit and at rest
  • certification and accreditation of the My Health Record system to the Protected level, under the Australian Government Information Security Manual
  • regular detailed security assessments, undertaken under the Australian Government InfoSec Registered Assessors Program (IRAP), to maintain accreditation of the system
  • rigorous security assurance processes, including penetration testing, regular threat and risk assessments, and pre-release testing prior to implementation of new system functionality
  • educating our employees, contractors and delegates on their obligations when handling personal information, including compliance with security clearance and authentication requirements
  • a requirement that participants in the My Health Record system such as registered healthcare providers, registered contracted service providers, registered portal operators and registered repository operators must comply with security obligations outlined in the My Health Records Act and the My Health Record Rule 2016 to maintain eligibility for registration
  • provision of an access history in each individual My Health Record, to enable you to monitor access to your record
  • in cases where we are satisfied that an individual or participant may compromise the security or integrity of the My Health Record system, we may refuse to register that individual or participant in the My Health Record system or suspend or cancel their registration.

A mandatory data breach reporting framework under s 75 of the My Health Records Act which:

  • requires participants in the My Health Record system to report actual or potential contraventions of the My Health Records Act that have or may have involved them. It also includes occurrences or circumstances that may compromise the security or integrity of the My Health Record system. This includes any unauthorised collection, use or disclosure of health information in a My Health Record, and
  • requires participants in the My Health Record system with these reporting obligations to contain the actual or potential contravention, event, or circumstances. This includes evaluating the risks arising from them as soon as practicable after becoming aware of the relevant contravention, event, or circumstance.

Accessing and correcting your personal information

Under the Privacy Act, you have a right to access the personal information we hold about you. If you cannot find the personal information you are looking for directly through your My Health Record, please contact us for assistance.

You can also view which healthcare provider organisations and nominated, or authorised, representatives have accessed or updated your My Health Record at any time through your access history. If you are concerned about something in your access history, or a notification that you have received, please contact us. We investigate all issues reported to us.

If you consider the personal information we hold that is about you is not accurate, complete, or up to date, please contact us as soon as possible for assistance.

How to make a complaint

If you wish to complain to us about how we have handled your personal information you should first complain to us in writing by sending your enquiry or complaint to our postal address (see below) or by email to [email protected]. Please address your correspondence to ‘The Privacy Officer’. If you need help lodging a complaint, you can contact us - see ‘How to contact us’ below.

If we receive a complaint from you about how we have handled your personal information we will determine what, if any, action we should take to resolve the complaint.

If we decide that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about.

We will assess and handle complaints about the conduct of Agency staff using the APS Values and Code of Conduct and the guidelines issued by the Australian Public Service Commission.

We will tell you promptly that we have received your complaint and then respond to the complaint within 30 days.

If you are dissatisfied with the outcome of the complaint or the way in which the complaint was handled, you may contact the Office of the Australian Information Commissioner for advice about your complaint.

Contact us

You can contact us by:

Website: See our online contact form

Telephone: 1300 901 001, 8am - 5pm (AEST/AEDT), Monday - Friday

Email: [email protected]

Assisted contact: 

  • If you need an interpreter, call TIS National on 131 450
  • For hearing or speech assistance, contact the National Relay Service or call 1300 555 727.
  • myGov Helpdesk: 132 307 (option 1), available 7am - 10pm, Monday - Friday and 10am - 5pm, Saturday - Sunday in local Australian time zones.
  • Medicare: 132 011, available 24 hours a day, 7 days a week.

Date of last review

We may review and update this policy to take account of new laws and technology and changes to our operations. Please visit this page periodically to check for updates.

This policy was last reviewed on 17 June 2022.