What should an organisation do with the health information it no longer uses?

	Frequently Asked Questions
		Your Privacy Rights FAQS
		Business FAQs
		Small Business FAQs
		Government FAQs
		Health FAQs
	SPECIFIC PRIVACY INFORMATION FOR:
		Individuals
		Business
		Health
		Government

		Federal Privacy Law
		About the Office
		Frequently Asked Questions
		IT and Internet Issues
		Media and Speeches
		Publications
		Privacy Links
		International
		Contact us

What should an organisation do with the health information it no longer uses?

View printable version of this page

Question: What should an organisation do with the health information it no longer uses?

Answer: If an organisation no longer uses or discloses health information for any of the purposes referred to in National Privacy Principle (NPP 2), the organisation must take reasonable steps to destroy or de-identify the information: see National Privacy Principle 4.2 (NPP 4.2). More detail of "the purposes referred to in NPP 2").

The "reasonable steps" to be taken will depend on the circumstances, such as the ability of the organisation to destroy or de-identify the information or the size and nature of the medium on which the health information is stored.

Health service providers will need to meet these obligations, but they may also have good reasons for needing to retain the health information. These could include the long-term care and treatment of the individual, the usefulness of the information in the development of future health care technologies or due to the requirements of the law or the codes of practice/advice of professional bodies. Where a health service provider must make a decision about keeping or destroying data, the provider should balance the benefits of retaining the information against the risks of privacy breaches. For more information, see Guidelines on Privacy in the Health Care Sector.