AI in Clinical Practice: What the Australian Privacy Act Means for Your Notes Software

The Privacy Act at a Glance

The Privacy Act 1988 (Cth) is the primary legislation governing the collection, use, storage, and disclosure of personal information in Australia. For health practices, the Act is particularly significant because health information is classified as “sensitive information” and attracts a higher level of protection than ordinary personal information.

The Act is given practical effect through 13 Australian Privacy Principles (APPs), which cover everything from how you must notify patients about data collection, to how you must store and secure that data, to the rights of individuals to access and correct their information.

The Act applies to private sector health service providers of any size, meaning it applies to sole-trader GPs, small group practices, and large clinic networks alike. There is no revenue threshold exemption for health data.

The APPs Most Relevant to AI Documentation Tools

While all 13 APPs are relevant to clinical practice, several are directly implicated when you use an AI tool to record and process consultations:

• APP 1, Open and transparent management: You must have a clear, accessible privacy policy that explains how patient data is collected, used, and shared. If you use a third-party AI tool, your privacy policy should reflect how that tool handles data.
• APP 3, Collection of sensitive information: Health information can only be collected with consent, or in circumstances where consent is not reasonably practicable but the collection is necessary for healthcare delivery. Recording a consultation for the purpose of generating notes should be disclosed to the patient.
• APP 5, Notification of collection: At or before the time of collecting health information, patients must be notified of the fact of collection, the purpose, and how they can access or correct their information.
• APP 8, Cross-border disclosure: If your AI tool processes data through servers located outside Australia, you may be required to take reasonable steps to ensure the overseas recipient does not breach the APPs. This is a significant obligation that many clinicians overlook.
• APP 11, Security of personal information: You must take reasonable steps to protect health information from misuse, interference, loss, and unauthorised access. This includes ensuring your software provider has adequate security measures in place.

Data Residency: The Overlooked Risk

APP 8 is the provision that most frequently catches clinicians off guard. Many popular AI tools, including general-purpose transcription and language model services, process data through infrastructure located in the United States, Europe, or other jurisdictions.

When patient data is disclosed to an overseas entity, APP 8 requires that you take “reasonable steps” to ensure the recipient handles the data in accordance with the APPs. In practice, this means reviewing the data processing agreements, understanding where data is routed, and being able to demonstrate to the OAIC (Office of the Australian Information Commissioner) that you conducted due diligence.

The simplest way to satisfy this obligation is to use a tool that processes and stores all data within Australia, eliminating cross-border disclosure entirely. This is not merely a technical preference. For clinical data, it is the defensible position.

What to Look for in a Compliant AI Tool

• All data processing and storage occurs within Australia
• Audio recordings are destroyed immediately after transcription, not stored
• Patient data is not used to train or improve AI models
• Data is encrypted at rest (AES-256) and in transit (TLS 1.3)
• The vendor provides a Data Processing Agreement (DPA) you can produce in the event of an OAIC inquiry
• Patients can have their data deleted on request, and the vendor can confirm permanent deletion
• The vendor has a written privacy policy aligned with the APPs

How maeda Meets These Requirements

maeda was architected from the ground up to meet Australian privacy obligations. All data (audio streams, transcripts, generated notes, and patient records) is processed and stored exclusively within Australia. Audio is destroyed the moment transcription is complete. Patient data is never used for AI training purposes, and we contractually prohibit any downstream AI providers from doing so.

We provide a Data Processing Agreement upon request, maintain a published privacy policy aligned with all 13 APPs, and support clinicians in updating their own privacy collection notices to reflect the use of AI documentation tools. Every note saved in maeda can be permanently deleted by the clinician at any time.

Privacy compliance in clinical practice is not a one-time checkbox. It is an ongoing obligation. If you are using any software to handle patient data and have not yet reviewed it against the APPs, now is the right time to do so.