Department of Health

Key messages

  • Personal information may only be collected, disclosed and retained for performance of functions.
  • Reasonable steps must be taken to ensure information is up to date and protected.

These rights and privacy principles come from two Victorian Acts: the Health Records Act 2001 and the Privacy and Data Protection Act 2014.

This material is intended for quick reference only. The full principles are set out in the Acts.


Collect only personal information that is necessary for performance of functions. Advise individuals that they can gain access to their personal information.

Use and disclosure

Only use or disclose health information for the primary purpose for which it was collected or a directly related secondary purpose the person would reasonably expect.

Otherwise, you generally need consent.

Data quality

Make sure personal information is accurate, complete and up to date.

Data security and retention

Take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure.


Document clearly expressed policies on management of personal information and provide the policies to anyone who asks.

Access and correction

Individuals have a right to access their personal information and make corrections. Access and correction will be handled mostly under the Victorian Freedom of Information Act.


Only assign a number to identify a person if this is reasonably necessary to carry out your functions efficiently. Sharing of unique identifiers must be limited, as they can facilitate data matching and diminish privacy.


Give individuals the option of not identifying themselves when entering transactions with organisations if it is lawful and feasible.

Transborder data flows

Only transfer health information outside Victoria if the organisation receiving it is subject to laws substantially similar to Victoria’s. If a person’s personal information travels, their privacy protection should travel with it.

Transfer/closure of a health service practice

If you are a health service provider, and your business or practice is being sold, transferred or closed down, without you continuing to provide services, you must give notice of the transfer or closure to past service users.

Sensitive information

The law restricts collection of sensitive information like an individual's racial or ethnic origin, political views, religious beliefs, sexual preferences, membership of groups or criminal record.

Making information available to another health service provider

If you are a health service provider you must make health information relating to an individual available to another health service provider if requested by the individual.

Reviewed 01 December 2023

