Privacy, security and data sovereignty

What this is: a practical guide to protecting health information in virtual care, and to data sovereignty in community-controlled settings.

Who it's for: clinic and practice managers, ACCHO leaders, IT staff, and anyone who handles patient information.

Two layers that work together

Protecting information in virtual care has two layers. The first is the law that applies to everyone who handles health information: the Privacy Act and the Australian Privacy Principles. The second is data sovereignty, which matters most in Aboriginal and Torres Strait Islander community-controlled settings. Data sovereignty sits alongside the law and goes further than it.

The legal baseline: the Privacy Act

Health information is sensitive information

The Privacy Act 1988 treats health information as sensitive information, which means it gets a higher level of protection than ordinary personal information. The small-business exemption in the Act does not apply to health service providers, so it applies to you whatever your size.

Consent, collection, use and disclosure

Collect only the health information you need for the patient's care, and be clear with the patient about why you are collecting it (Australian Privacy Principle 3). Use and share that information only for the purpose you collected it for, or for a directly related purpose the patient would expect (Principle 6). In virtual care this means sharing with the consulting clinician what they need to deliver the consultation, and no more.

Storing data and offshore platforms

Know where your virtual care platform stores its data. If a platform stores or processes data overseas, Principle 8 puts obligations on you about that offshore disclosure. Ask your platform supplier where data is held, who can access it, and how it is protected. Build the answer into your decision about which platform to use.

Security and breaches

Take reasonable steps to protect the information you hold (Principle 11). Recent reforms made clear that reasonable steps include both technical measures, such as multi-factor authentication and encryption, and organisational measures, such as access controls and removing access when staff leave.

If a data breach is likely to cause serious harm, the Notifiable Data Breaches scheme requires you to notify the affected people and the Office of the Australian Information Commissioner. The health sector reports more data breaches than any other sector, so this is a real risk, not a theoretical one.

What has changed recently

The first tranche of Privacy Act reforms is now in force. The regulator has stronger enforcement powers and can issue fines for breaches that are not serious, and a new right lets individuals take court action over a serious misuse of their personal information. The direction is clear: you need to show that your privacy controls work in practice, not just that you have a policy. Treat your privacy obligations as live, and confirm the current detail when you set up or review a service.

Indigenous data sovereignty: beyond the Privacy Act

What it means

Meeting the Privacy Act is the floor, not the ceiling. Indigenous data sovereignty is the right of Aboriginal and Torres Strait Islander peoples and communities to own, control and govern the data about them. In a community-controlled service, this is not an add-on. It is part of how the service works.

The practical question moves from "are we allowed to hold this data" to "who owns it, who governs it, and who benefits from it". The answer, in community-controlled care, is the community.

Maiam nayri Wingara and the CARE principles

Two sets of principles guide this. The Maiam nayri Wingara principles set out Indigenous data sovereignty and the right of communities to control the data ecosystem, including how data is collected, used and shared. The CARE Principles for Indigenous Data Governance add four ideas: Collective benefit, Authority to control, Responsibility, and Ethics. Together they shift the focus from what an organisation may do with data to what serves the community.

What it looks like in practice for an ACCHO

For a community-controlled service running virtual care, data sovereignty shows up in everyday decisions:

• The community owns and governs the data the service creates, and that ownership is written into agreements, not just assumed.
• Reporting is disaggregated and useful to the community, so the data serves local priorities, not only a funder's template.
• Platform and vendor arrangements are accountable to the community, including clarity on where data is stored and who can reach it.
• The community has a real say in what is collected and how it is used, and can say no.

A short checklist

• Confirm your platform meets the Privacy Act and you know where it stores data.
• Use secure, approved accounts and devices, never personal messaging or email.
• Turn on multi-factor authentication and limit access to those who need it.
• Have a breach response plan that names who does what.
• In community-controlled settings, write data ownership and governance into your agreements, and report in ways that serve the community.

Need help?

• Visionflex support: visionflex.com/support | support@visionflex.com | +61 2 8914 4000 (9am to 5pm AEST)
• See also: Standards and regulatory alignment, Virtual care policy template, Email to your IT department, Consent for virtual care: individual and community

Visionflex acknowledges the Traditional Custodians of Country throughout Australia and pays respect to Elders past, present and emerging.