The obligation to destroy or deidentify patient data, and mitigating the risk of privacy breaches

16 December 2022

In brief

Healthcare service providers such as medical centres and hospitals are required by law to store personal information about patients (patient data) under both state-based and federal privacy legislation. However, following the recent and highly publicised Optus and Medibank data breaches, many patients have become more concerned with the ways in which patient data is being stored and how their data may be vulnerable to unauthorised access including through cybersecurity attacks.

Healthcare service providers should destroy (or de-identify) patient data once it is no longer required for a primary or secondary purpose and the relevant limitation periods have lapsed. For identity documents used in the onboarding process, rather than keeping copies on file, it may be safer simply to record that they have been sighted.

Destroying this information will help prevent breaches of APP 11.2 and should minimise both the legal and the non-legal risks of unauthorised access to patient data.

Applicable law

The Australian Privacy Principles (APPs), contained in Schedule 1 to the Privacy Act 1988 (Cth) (Act), provide a framework for the management and disclosure of patient data by healthcare service providers.

In a healthcare context, patient data may include details such as a person’s name, date of birth, Medicare or private health insurance number along with information about their health condition and medical treatment/medications.

The key provision is APP 11.2 which states that if:

    1. an APP entity holds personal information about an individual; 
    2. the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule;
    3. the information is not contained in a Commonwealth record; and
    4. the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;

the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

In effect, healthcare service providers must take reasonable steps to destroy or de-identify patient data once it is no longer required for the purpose for which it was collected or for some other legitimate purpose (for example, an authorised secondary purpose), unless one of the exceptions in items 3 and 4 applies.

Under APP 6, healthcare service providers may use or disclose patient data for the purpose for which it was collected (the primary purpose), or for a purpose directly related to the primary purpose (a secondary purpose) where the patient would reasonably expect the provider to use or disclose the data for that secondary purpose (APP 6.1 and APP 6.2(a)). Because health information is sensitive information, a secondary purpose must be directly related to the primary purpose, not merely related to it.

Obligation to stop holding patient data after expiry of limitation periods

Unless there is something “special” about a patient’s data, such as that the patient has made a complaint about their care and the healthcare provider needs to retain their data to respond to the complaint, the usual reason a healthcare provider will wish to retain a patient’s data is for the purpose of providing them with healthcare.

Patient data usually does not need to be retained for the purpose of providing the patient with healthcare once the limitation period, running from the date of the last contact with the patient, has expired. The periods below reflect customary practice; the applicable limitation period is set by the limitation legislation of the relevant state or territory and should be confirmed for each jurisdiction.

For patients who were adults (over the age of 18) at the time of the last contact, the limitation period expires six years after that last contact, so it is customary to retain the data for an extra year, that is, seven years from the date of last contact with the patient.

For patients under 18, the limitation period does not start until they turn 18, so they have six years after their 18th birthday to bring an action. Their records are customarily kept until they are 25 years old, that is, six years after turning 18 plus an extra year to be safe.
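The retention rule above, together with the “special” reasons for holding a record and the APP 11.2 exceptions (Commonwealth records and retention required by law or court order), can be encoded as a disposal check that a records system runs periodically. The following is an added example written for this article, not code from the authors or from any records product; the record fields, the sample patients and the seven-year and age-25 figures are taken from the customary practice described above and are assumptions for illustration, not legal advice. It generalises the two cases into one rule: retain until the later of (last contact plus seven years) and (25th birthday), which gives the adult result for adults and the minor result for anyone who was a minor at last contact.

```python
from dataclasses import dataclass
from datetime import date

# Customary retention figures described in the article (assumptions for illustration).
ADULT_RETENTION_YEARS = 6 + 1          # 6-year limitation period plus a 1-year buffer
AGE_OF_MAJORITY = 18
MINOR_RETENTION_UNTIL_AGE = AGE_OF_MAJORITY + 6 + 1   # records kept until age 25


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb maps to 1 Mar when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


@dataclass
class PatientRecord:
    record_id: str
    date_of_birth: date
    last_contact: date
    # Reasons the record must be kept regardless of the limitation period:
    # the "special" case the article mentions, and the APP 11.2 exceptions.
    open_complaint: bool = False
    commonwealth_record: bool = False
    retention_required_by_law: bool = False


def retain_until(rec: PatientRecord) -> date:
    """Date on which the limitation-period reason for retention lapses.

    Adults: last contact + 7 years. Minors: the limitation period does not start
    until the 18th birthday, so the record is kept until the 25th birthday.
    The later of the two dates covers both cases with a single rule.
    """
    adult_rule = add_years(rec.last_contact, ADULT_RETENTION_YEARS)
    minor_rule = add_years(rec.date_of_birth, MINOR_RETENTION_UNTIL_AGE)
    return max(adult_rule, minor_rule)


def retention_holds(rec: PatientRecord) -> list[str]:
    """Reasons that override the limitation-period calculation."""
    holds = []
    if rec.open_complaint:
        holds.append("open complaint: data needed to respond")
    if rec.commonwealth_record:
        holds.append("Commonwealth record (APP 11.2 exception)")
    if rec.retention_required_by_law:
        holds.append("retention required by law or court/tribunal order (APP 11.2 exception)")
    return holds


def disposal_decision(rec: PatientRecord, today: date) -> tuple[str, str]:
    """Return (action, reason); action is 'retain' or 'destroy_or_deidentify'."""
    holds = retention_holds(rec)
    if holds:
        return "retain", "; ".join(holds)
    due = retain_until(rec)
    if today < due:
        return "retain", f"limitation period buffer runs until {due.isoformat()}"
    return "destroy_or_deidentify", f"no remaining purpose; retention lapsed on {due.isoformat()}"


def disposal_run(records: list[PatientRecord], today: date) -> dict[str, tuple[str, str]]:
    """Evaluate every record; the result is what a disposal job would act on."""
    return {r.record_id: disposal_decision(r, today) for r in records}


# Constructed sample records (not real patients).
SAMPLE = [
    PatientRecord("adult-old", date(1970, 5, 2), date(2014, 3, 10)),          # lapses 2021-03-10
    PatientRecord("adult-recent", date(1970, 5, 2), date(2020, 6, 1)),        # lapses 2027-06-01
    PatientRecord("minor-at-contact", date(2008, 1, 15), date(2012, 8, 20)),  # kept to 25th birthday, 2033-01-15
    PatientRecord("adult-old-complaint", date(1970, 5, 2), date(2014, 3, 10), open_complaint=True),
]

if __name__ == "__main__":
    # Run the check as at the article's date.
    for rid, (action, reason) in disposal_run(SAMPLE, date(2022, 12, 16)).items():
        print(f"{rid:22} {action:22} {reason}")
```

Only `adult-old` comes out as due for destruction or de-identification as at 16 December 2022; the minor's record is held until the 25th birthday even though the last contact was a decade ago, and the complaint hold keeps an otherwise lapsed record. A real implementation would log each decision and require the de-identification or destruction step to be verified, as the TeleChoice case below illustrates.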

Rationale for obligation to stop holding patient data, and penalties

When information is no longer required for a primary or secondary purpose, APP 11.2 requires a healthcare service provider to destroy or de-identify the personal information. One reason for this rule is that, whilst the patient data may no longer be of use to the healthcare service provider, it is likely still capable of identifying the patient and of being used by hackers or fraudsters against that patient (for example, names, dates of birth, addresses and medical conditions).

If a healthcare service provider fails to do this, it may be liable for civil penalties for “serious or repeated interferences with privacy” in breach of APP 11.2 and APP 6. The maximum penalty that may be imposed is currently $2,220,000. However, draft legislation proposes to increase this penalty to the greater of $50,000,000, three times the value of any benefit obtained through the misuse of the information, and 30% of the organisation’s annual Australian turnover.

TeleChoice case: retaining personal information too long breaches Privacy Act

The obligation under APP 11.2 has come to the attention of the regulator, the Office of the Australian Information Commissioner (OAIC), in a number of cases where personal information has been lost or disclosed without authorisation (for example, by hacking) and it has been revealed that the information had been retained for too long.

For example, Business Service Brokers T/AS TeleChoice (TeleChoice) operated a business selling mobile phone plans and collected personal information from customers for this purpose. In 2015, documents containing personal information about TeleChoice’s former customers (from prior to 2013) were found abandoned in an open shipping container in Victoria. The personal information was found to be no longer required for a permitted purpose. The shipping container was bound for destruction by a contractor, but the documents had been awaiting destruction for almost two years. TeleChoice’s failure to ensure prompt destruction was found to be a breach of its obligation to destroy or de-identify personal information under APP 11.2.

TeleChoice was required to give an Enforceable Undertaking to the Commissioner that it would:

  • offer to reimburse the cost of a 12-month credit monitoring service for any individuals who were customers prior to 2013, and were concerned about the possibility of credit fraud as a consequence of the incident;
  • make organisational changes (e.g. implement policies and procedures and review its records) to ensure the suitable destruction of personal information;
  • in consultation with the Commissioner, engage a qualified third party to review certain aspects of its handling of customer personal information and implement any subsequent recommendations; and
  • develop and conduct regular privacy training for staff.

TeleChoice also had to deal with legal action taken by individual customers and to provide additional compensation to them for its failure to destroy or de-identify that information. For example, TeleChoice was ordered to apologise and to pay damages of $3,500 to each of those customers for the stress and anxiety caused.

Other downsides to retaining data too long

Healthcare service providers may also incur substantial legal and other costs to rectify any such loss or unauthorised access to patient information. As seen in the Medibank hack, cybercriminals will often request the payment of a ransom in exchange for not releasing patient data. Where such a data breach constitutes a notifiable data breach for the purposes of the Act, the healthcare service provider will also have to expend its resources in notifying the OAIC and affected individuals, and in rectifying the issue in accordance with OAIC’s directions.

Healthcare service providers may also face reputational damage and potentially lose patients if patient data becomes subject to unauthorised access, especially if those patients become aware that the information should have been deleted or destroyed some time ago. This appears to have been the experience of Medibank and Optus, both of which faced a significant customer backlash in the wake of their data breaches, and, in Medibank’s case, a sharp fall in its share price.

On a practical level, the longer patient data is retained, the greater the risk of unauthorised access through cybersecurity attacks, theft or ransom, because that information is arguably ‘there for the taking’. Destroying information that no longer needs to be retained will therefore not only prevent breaches of APP 11.2 but also reduce the volume of data that could be affected if a breach does occur. This in turn reduces the liability of, and the expense incurred by, a healthcare service provider in rectifying the breach.

These high-profile breaches have focussed attention on ways to mitigate loss due to hacking. One key risk is retaining copies of documents that can be used for identity theft, such as passports, birth certificates, Medicare cards and the like. If the only use a business makes of those documents is to identify a patient (or customer) as part of the onboarding process, it may be better simply to record that the relevant identification document was sighted (for example, the document type and the date it was checked), rather than keeping a copy of the document on file.

This article was written by Geoff Bloom, Partner, Elham Bolbol, Solicitor and Kathryn McCormack, Graduate-at-Law. 
