Module 7: Privacy and confidentiality: what are our obligations?

As health professionals, we have legal and ethical obligations to protect the privacy and confidentiality of our clients and their personal information.


In Australia, the Privacy Act (1981) protects privacy regarding personal information, that is, information or an opinion that identifies or could identify a person. Privacy legislation prevents us from sharing information for any purpose other than the purpose initially agreed upon by the client (in most cases).


Common law protects our confidentiality. It is an agreement in common law that usually requires someone (i.e. a clinician) to keep all of a person’s (i.e. client’s) information confidential, even if they are thinking of sharing it with someone based on its original purpose (e.g. it is not OK to share information with another clinician without gaining permission from the client; otherwise you would be breaching confidentiality).

In addition, depending on the clients with whom you work, and the context in which you work, you may be subject to additional privacy legislation. All individuals and Commonwealth agencies are subject to the Australian Privacy Principles, and public hospitals and clinics are subject to State and Territory legislation. NDIS providers are subject to the NDIS Act 2013. For more information regarding privacy policies, visit the OAIC website at


What is different about online therapy compared with in-person therapy?

When we conduct online therapy, much (if not all) of our communication is online, whether by email, file sharing, file storage, or videoconferencing. Most of those media are also used with clients we see in person, but the use of videoconferencing in online therapy introduces a new way in which personal information may become available to third parties. Videoconferencing data needs to be sent, received, and stored securely, just like any other data that may compromise privacy or confidentiality. Because any service that hosts data overseas may not be subject to Australia’s privacy laws, many of the platforms that we use for videoconferencing cannot assure privacy and confidentiality when the data is hosted overseas.

Why you might not want to use Skype right now

Data stored offshore may not be subject to the Privacy Act, so it’s important to know where your data and your clients’ data are being sent and stored. Skype doesn’t store data in Australia, and also isn’t necessarily obliged not to share data with third parties, so it cannot guarantee the security of someone’s personal information. Platforms developed for the purposes of online therapy, and which store their data in Australia, are generally better placed to provide a secure service. Services such as Zoom and Coviu provide secure onshore data storage and end-to-end encryption, which means that they, as third parties, cannot access information from your calls.