What's in this template?
This privacy policy template is purpose-built for Australian general practices seeking accreditation under the RACGP Standards for General Practices (5th Edition). It maps directly to Criterion C6.3 — Confidentiality and privacy of health and other information.
The template covers 18 sections addressing every aspect of privacy management in a healthcare setting:
- About This Policy — scope, applicable legislation (Privacy Act 1988, APPs, My Health Records Act, NDB scheme, Healthcare Identifiers Act), and state-specific notes for NSW, Victoria, and ACT
- What Personal Information We Collect — categories of personal and health information collected in general practice
- How We Collect Your Information — direct collection, third-party sources, unsolicited information handling (APP 3–5)
- Why We Collect Your Information — primary purpose (healthcare), directly related secondary purposes, and lawful disclosures
- How We Store and Protect Your Information — physical security, electronic security, staff obligations, and retention/destruction requirements (APP 11)
- Who We May Disclose Your Information To — treating providers, pathology, pharmacies, insurers, government authorities, IT service providers
- Cross-Border Disclosure — overseas data storage obligations under APP 8, with space to list your cloud services
- My Health Record — participation statement, patient rights, and contact information
- Direct Marketing — confirmation that clinical recalls are not direct marketing (APP 7)
- Anonymity and Pseudonymity — patient rights under APP 2 with healthcare-specific qualifications
- Government-Related Identifiers — Medicare/IHI identifier handling under APP 9
- Accessing Your Health Information — access request process, timeframes, and refusal grounds (APP 12)
- Correcting Your Information — correction request process and statement-of-correction rights (APP 13)
- Telehealth and Digital Services — privacy protections for video consultations, SMS, and patient portals
- Data Breach Management — NDB scheme obligations, breach response steps
- Complaints — internal complaint process and escalation to OAIC, with state-specific complaint bodies
- Changes to This Policy — update and notification process
- Contact Us — privacy officer details
Editable placeholder fields
The template includes yellow-highlighted {{placeholder}} fields that you replace with your practice details:
- {{practice_name}} — your practice's legal name
- {{abn}} — Australian Business Number
- {{practice_address}} — physical address
- {{phone}} — practice phone number
- {{email}} — general practice email
- {{privacy_officer_name}} — name of your designated privacy officer
- {{privacy_officer_email}} — privacy officer's email address
- {{review_date}} — date of last policy review
- {{next_review_date}} — scheduled next review date
RACGP accreditation requirement
Criterion C6.3 of the RACGP Standards for General Practices (5th Edition) requires that:
"The practice protects the confidentiality and privacy of health and other information"
To meet this criterion, your practice must demonstrate:
- A written privacy policy that is available to patients, staff, and other relevant parties
- Compliance with the Privacy Act 1988 and the Australian Privacy Principles
- Staff awareness of their privacy obligations
- Processes for handling access requests and complaints
- Appropriate physical and electronic security measures
This template addresses each of these requirements with dedicated sections and practical guidance.
Legislation covered
- Privacy Act 1988 (Cth) — the primary federal privacy legislation, including the 13 Australian Privacy Principles
- My Health Records Act 2012 (Cth) — requirements for participating in the national digital health record system
- Notifiable Data Breaches scheme — Part IIIC of the Privacy Act, mandatory breach notification obligations
- Healthcare Identifiers Act 2010 (Cth) — use and disclosure of Individual Healthcare Identifiers and Healthcare Provider Identifiers
- Health Records and Information Privacy Act 2002 (NSW) — state-specific privacy obligations for NSW practices
- Health Records Act 2001 (Vic) — state-specific privacy obligations for Victorian practices
- Health Records (Privacy and Access) Act 1997 (ACT) — state-specific privacy obligations for ACT practices
How to customise this template
- Download the Word document and open it in Microsoft Word or Google Docs
- Find and replace each yellow-highlighted {{placeholder}} with your practice's details — use Edit → Find & Replace for efficiency
- Review the state-specific notes (shown in grey italics) — add the relevant state legislation paragraph if your practice is in NSW, Victoria, or the ACT. Delete notes that don't apply
- Customise Section 7 (Cross-Border Disclosure) — list any cloud services or IT providers that store data overseas (e.g., Microsoft 365, clinical software providers)
- Customise Section 14 (Telehealth) — add details about your specific telehealth platform and patient portal if applicable
- Have your privacy officer and practice principal review the completed policy before adopting it
- Make it available — display at reception, include in new patient registration packs, and publish on your practice website
- Set a review date — the RACGP recommends reviewing policies at least annually or when legislation changes
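A quick pre-adoption check for the find-and-replace steps above and the placeholder list earlier on this page, written as an added example rather than anything shipped with the template: it fills the nine {{placeholder}} fields and refuses to produce a policy while any field is still blank, so a half-customised document is not put on the website or in the registration pack. The template text and practice details below are constructed samples, not the real template.

```python
import re

# Constructed sample of template text using the nine fields listed on this page.
TEMPLATE = (
    "{{practice_name}} (ABN {{abn}}), {{practice_address}}.\n"
    "Phone {{phone}}, email {{email}}.\n"
    "Privacy officer: {{privacy_officer_name}} <{{privacy_officer_email}}>.\n"
    "Last reviewed {{review_date}}; next review {{next_review_date}}.\n"
)

# Matches {{field_name}} (tolerating stray spaces inside the braces).
PLACEHOLDER = re.compile(r"\{\{\s*([a-z_]+)\s*\}\}")


def find_placeholders(text):
    """Return the set of placeholder names still present in text."""
    return set(PLACEHOLDER.findall(text))


def fill_template(text, values):
    """Substitute every {{field}} in text with values[field].

    Raises ValueError if any placeholder in the text has no value or only a
    blank value, so an incomplete policy is never produced by accident.
    """
    missing = {
        name for name in find_placeholders(text)
        if not str(values.get(name, "")).strip()
    }
    if missing:
        raise ValueError("unfilled placeholders: " + ", ".join(sorted(missing)))
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), text)


def ready_to_publish(text):
    """True only when no {{placeholder}} remains in the finished policy."""
    return not find_placeholders(text)
```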
Frequently asked questions
Is this template legally compliant?
This template is based on the requirements of the Privacy Act 1988, the Australian Privacy Principles, the My Health Records Act 2012, and the RACGP Standards for General Practices (5th Edition). It is designed as a comprehensive starting point. We recommend having your completed policy reviewed by your medical defence organisation or legal adviser to ensure it meets your specific practice circumstances.
Do I need a different policy for each state?
No. The Privacy Act 1988 and the APPs apply nationally. However, practices in NSW, Victoria, and the ACT are also subject to state-specific health records legislation. This template includes notes indicating where you should add state-specific references. Practices in Queensland, South Australia, Western Australia, Tasmania, and the Northern Territory are covered by the federal legislation alone.
How often should I review my privacy policy?
The RACGP recommends reviewing all practice policies at least annually or whenever there is a significant change in legislation, practice operations, or technology. Record the review date and next review date on the policy itself.
Can I use this for AGPAL or QPA accreditation?
Yes. Both AGPAL and QPA assess against the RACGP Standards for General Practices (5th Edition). This template is aligned to Criterion C6.3 and is suitable for use as accreditation evidence with either accrediting body.
What about the new Privacy Act reforms?
The Australian Government has been progressing reforms to the Privacy Act, including the introduction of a statutory tort for serious invasions of privacy (effective from December 2025) and a Children's Online Privacy Code. This template will be updated as reforms are finalised. In the meantime, the current APPs remain the foundation of healthcare privacy compliance.
Do I need a separate data breach response plan?
Yes. While Section 15 of this privacy policy describes your NDB scheme obligations at a high level, the RACGP recommends having a separate, detailed data breach response plan that includes specific roles, escalation procedures, and notification templates. We offer a separate template for this — see our full template library.