Navigating the 2024 Privacy Act changes: a guide for physiotherapists

The below is not legal advice. It is general advice only and if you have legal queries you should check those with a lawyer. Maurice Blackburn, an APA Corporate Partner, can provide legal advice to APA members. Learn more about Maurice Blackburn and their APA member offers for you and your family. 

As physiotherapists, you handle sensitive personal and health information daily, making compliance with privacy laws critical to your practice. 

In 2024, Australia’s Privacy and Other Legislation Amendment Bill 2024 introduced significant reforms to the Privacy Act 1988, marking the first phase of updates aimed at strengthening data protection. These changes, effective from December 10 2024, have direct implications for how you manage patient information. 

This article outlines the key amendments and provides practical steps to ensure your practice remains compliant while maintaining trust with your patients. 

Key changes to the Privacy Act in 2024

The 2024 amendments introduce several measures that affect physiotherapists as health service providers under the Australian Privacy Principles (APPs). Below are the most relevant updates:

  1. Statutory tort for serious invasions of privacy
    A new legal avenue allows individuals to seek redress for serious privacy breaches, even without proving tangible harm. This tort applies to intentional or reckless invasions, such as unauthorised disclosure of patient records. For physiotherapists, this means a patient could pursue legal action if their personal information is mishandled, potentially leading to compensation or injunctions. Courts will assess factors like the degree of distress caused and whether there was a reasonable expectation of privacy.
     
  2. Enhanced enforcement powers for the OAIC
    The Office of the Australian Information Commissioner (OAIC) now has expanded authority, including the ability to issue compliance notices and impose penalties for breaches. New mid-tier and low-level civil penalties have been introduced, making it easier for the OAIC to address non-compliance without court proceedings. This underscores the need for robust privacy practices to avoid investigations or fines.
     
  3. Criminal offence for doxxing
    The amendments criminalise ‘doxxing’—the malicious release of personal information online in a harassing or menacing way. While less common in physiotherapy, this serves as a reminder to safeguard patient data against unauthorised sharing, especially on digital platforms or social media.
     
  4. Clarified security obligations
    A new Australian Privacy Principle (APP 11.3) specifies that ‘reasonable steps’ to protect personal information include technical and organisational measures. This aligns with global standards like the European Union’s General Data Protection Regulation, emphasising proactive data security. For physiotherapists, this could involve encrypting patient records, securing telehealth platforms, or training staff on data protection.
     
  5. Children’s Online Privacy Code
    The OAIC is tasked with developing a Children’s Online Privacy Code to enhance protections for minors. If your practice engages with paediatric patients online (eg through telehealth or booking systems), you’ll need to monitor updates to ensure compliance with age-specific privacy requirements.
     
  6. Data breach response powers
    The Minister can now issue declarations to facilitate information sharing during data breaches to reduce harm. This could affect how you respond to incidents, requiring swift communication with authorities and affected patients.

Implications for physiotherapists

As health professionals, physiotherapists are already bound by strict privacy obligations under the APPs and state-based health records laws. However, the 2024 changes heighten accountability. A privacy breach—such as leaving patient files unsecured, failing to encrypt digital records, or inadvertently sharing information—could now lead to legal action from patients, OAIC penalties, or reputational damage. The emphasis on technical measures also means outdated systems or lax cybersecurity could expose your practice to risks.

Practical steps to address the changes

To align your practice with the 2024 Privacy Act amendments, consider the following actions:

  1. Review and update privacy policies
    Ensure your privacy policy reflects the new obligations, including APP 11.3’s focus on technical and organisational measures. Clearly outline how you collect, store and protect patient information. Make this policy accessible to patients, both in your clinic and online.
     
  2. Strengthen data security
    - encrypt records: use encryption for digital patient files and communications, especially for telehealth sessions.
    - secure systems: update software and ensure practice management systems comply with cybersecurity standards.
    - physical security: lock paper records in secure cabinets and restrict access to authorised staff only.
    - vendor checks: if using third-party platforms (eg, for bookings or billing), verify their compliance with the Privacy Act.
     
  3. Train your team
    Educate staff on the updated Privacy Act, emphasising the risks of serious invasions of privacy and doxxing. Regular training should cover secure handling of patient data, recognising phishing attempts and reporting potential breaches promptly. Document training sessions to demonstrate compliance.
     
  4. Conduct a privacy audit
    Perform a comprehensive review of your data practices: 
    - map how patient information is collected, stored, used and shared
    - identify gaps, such as unencrypted email communications or weak passwords
    - assess telehealth platforms for compliance with APP 11.3
    - consider engaging a privacy consultant for complex practices.
     
  5. Prepare for data breaches
    Develop or update your data breach response plan. The OAIC expects notification within 30 days of a suspected breach, but proposed reforms may shorten this to 72 hours. Your plan should include: 
    - steps to contain and assess the breach 
    - protocols for notifying the OAIC and affected patients 
    - measures to prevent recurrence, like system upgrades or staff retraining.
     
  6. Communicate with patients
    Transparency builds trust. Inform patients about how their data is protected and their rights under the new laws. For example, explain that they can seek redress for privacy breaches without proving harm. If treating children, ensure parents understand any online data collection practices.
     
  7. Stay informed
    The 2024 amendments are the ‘first tranche’ of reforms, with more expected. Monitor updates from the OAIC. Subscribe to privacy law newsletters or join webinars to stay ahead of changes, especially regarding the Children’s Online Privacy Code.

Balancing compliance and patient care

Compliance with the Privacy Act doesn’t have to hinder your practice—it should enhance it. Strong privacy measures reassure patients that their sensitive health information is safe, fostering loyalty and trust. For example, adopting secure telehealth platforms not only meets APP 11.3 but also improves access for patients with mobility issues. Similarly, clear communication about data practices can strengthen your professional reputation.

Looking ahead

The 2024 changes signal a broader shift toward stricter privacy protections in Australia. Future reforms may introduce a ‘fair and reasonable’ test for data handling, expand the definition of personal information, or remove exemptions for small businesses. Physiotherapists should view compliance as an ongoing process, integrating privacy into every aspect of their practice.

By acting now—updating systems, training staff and auditing processes—you can mitigate risks and position your practice as a leader in patient-centred care. If you’re unsure where to start, consult with a privacy law expert to tailor solutions to your needs.
