The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) cover how your practice collects, stores, uses, and discloses personal information. For an allied health practice, that means almost everything you record about a client. The framework is less complicated than it looks; most of it is common sense applied carefully.
This is general orientation. For specifics, consult the OAIC guidance, the relevant State health-records legislation that applies in addition to the Privacy Act in some States, and a privacy specialist if you handle sensitive arrangements.
Health information is sensitive information
The Privacy Act treats health information as a special category requiring extra care. Collecting it requires consent. Disclosing it requires either consent or one of a small list of permitted purposes (clinical treatment, urgent safeguarding, etc.).
Consent should be informed and revocable
Telling a client what information you are collecting, why, and who you might share it with at the start of the relationship is the cleanest path. Make it part of the service agreement. Make sure clients can withdraw consent and that withdrawal triggers a clear process on your side.
Collect what you need, and no more
If a piece of personal information would not change your clinical practice, do not collect it. The minimisation principle is one of the simplest privacy disciplines, and one of the most reliably ignored in practice intake forms that ask for everything because the template did.
Storage and access
- Encrypt at rest and in transit — modern hosted platforms (including Carelyt) handle this for you.
- Limit access to the people who need it. Role-based permissions matter.
- Audit who actually accessed what, periodically. Most breaches are internal.
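The three storage-and-access disciplines above (least-privilege roles, keeping each team's records separate, and periodically reviewing who actually touched what) are easier to reason about with a concrete model. The following is an added example written for this page, not Carelyt's code or a description of its implementation. Everything in it is constructed: the role names follow the page's list (super_admin, admin, therapist), the permission sets, the team-isolation rule and the sample users and records are assumptions, and the log entries are generated in memory. It enforces a role check, then a per-team isolation check, writes every decision (allowed or denied) to an append-only log, and then runs the kind of review a practice would do periodically: denied attempts, accesses that crossed team boundaries, and access volume per user.

```python
"""Role-based access with per-team isolation and an access audit log (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical permission sets, named after the roles listed on the page.
ROLE_PERMISSIONS = {
    "super_admin": {"read", "write", "export"},
    "admin": {"read", "write"},
    "therapist": {"read", "write"},
}
# Assumption: only these roles may see records owned by another team.
CROSS_TEAM_ROLES = {"super_admin"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    team: str


@dataclass(frozen=True)
class ClientRecord:
    record_id: str
    team: str      # owning team; this is the isolation boundary
    notes: str


@dataclass
class AccessLog:
    """Append-only record of every access decision, allowed or denied."""
    entries: list = field(default_factory=list)

    def record(self, user: User, rec: ClientRecord, action: str, allowed: bool) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id,
            "role": user.role,
            "user_team": user.team,
            "record": rec.record_id,
            "record_team": rec.team,
            "action": action,
            "allowed": allowed,
        })


def is_allowed(user: User, rec: ClientRecord, action: str) -> bool:
    """Role check first, then team isolation unless the role is explicitly cross-team."""
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    if user.role in CROSS_TEAM_ROLES:
        return True
    return user.team == rec.team


def access(user: User, rec: ClientRecord, action: str, log: AccessLog) -> str:
    """Single choke point: decide, log the decision, then either return data or refuse."""
    allowed = is_allowed(user, rec, action)
    log.record(user, rec, action, allowed)  # logged before raising so denials are kept
    if not allowed:
        raise PermissionError(f"{user.user_id} may not {action} {rec.record_id}")
    return rec.notes


def audit_summary(log: AccessLog) -> dict:
    """Periodic review: denied attempts, cross-team accesses, and per-user volume."""
    denied = [e for e in log.entries if not e["allowed"]]
    cross_team = [e for e in log.entries
                  if e["allowed"] and e["user_team"] != e["record_team"]]
    per_user: dict = {}
    for e in log.entries:
        if e["allowed"]:
            per_user[e["user"]] = per_user.get(e["user"], 0) + 1
    return {"denied": denied, "cross_team": cross_team, "per_user": per_user}


def demo() -> dict:
    """Constructed scenario with two teams; returns the audit summary for inspection."""
    log = AccessLog()
    alice = User("alice", "therapist", "team-a")
    bob = User("bob", "therapist", "team-b")
    root = User("root", "super_admin", "team-a")
    rec_a = ClientRecord("rec-1", "team-a", "constructed note A")
    rec_b = ClientRecord("rec-2", "team-b", "constructed note B")

    access(alice, rec_a, "read", log)  # own team, permitted action: allowed
    attempts = [(alice, rec_b, "read"),    # other team: denied
                (bob, rec_a, "write"),     # other team: denied
                (alice, rec_a, "export")]  # therapist lacks export: denied
    for user, rec, action in attempts:
        try:
            access(user, rec, action, log)
        except PermissionError:
            pass  # the denial is already in the log; nothing else to do here
    access(root, rec_b, "read", log)  # super_admin across teams: allowed but flagged on review
    return audit_summary(log)


if __name__ == "__main__":
    summary = demo()
    print(f"{len(summary['denied'])} denied, "
          f"{len(summary['cross_team'])} cross-team, per user: {summary['per_user']}")
```

The point of the single `access()` choke point is that no code path can read a record without producing a log entry, which is what makes the periodic review in `audit_summary()` trustworthy. In a hosted platform the equivalent checks sit in the database layer rather than in application code, but the review questions are the same: who was refused, who crossed a team boundary, and who is reading far more than their caseload would explain.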
Notifiable Data Breaches
If a breach occurs and is likely to cause serious harm, the Notifiable Data Breaches scheme requires you to notify the OAIC and affected individuals. Have a plan written down for how you would do this — you do not want to be drafting from scratch in the 72 hours after a breach.
How Carelyt handles this
Sydney-region hosted (no offshore data flow), encrypted at rest, role-based access (super-admin, admin, therapist), per-team data isolation enforced at the database layer. We are not a substitute for your own privacy compliance — you remain the data controller — but we are not the weak link in the chain.