Appendix 3
Policy and legal framework
Synthetic health data projects still require a lawful basis. This appendix summarises the Australian privacy “patchwork” and how to use it to guide approvals, governance, and safe sharing decisions.
Australia is a patchwork
Different privacy laws can apply to the same project depending on organisation type, location, and the kind of information handled.
Principles drive decisions
Most regimes include principles covering collection, use, disclosure, security, quality, and access/correction. Disclosure is usually restricted unless an exception applies.
Governance remains required
Even when you believe data is de‑identified, document assumptions, approvals, ethics considerations, and residual risks before using or sharing outputs.
How to use this appendix
Use this appendix as a quick orientation guide, then move to Appendix 9 for lawful pathways and to Appendix 8 when a request is complex or uncertain.
Practical workflow
- Identify which privacy law(s) apply to your organisation and dataset.
- Determine whether remaining re‑identification risk is more than “very low”.
- Select a lawful pathway for use/disclosure and document approvals.
- Apply technical, contractual, and operational controls for residual risk.
Important rule of thumb
If re‑identification risk remains more than very low, treat the synthetic data as personal information and use an appropriate lawful pathway before use or sharing.
Privacy laws commonly encountered
This is a governance-oriented summary (not legal advice). Confirm applicability with your organisation’s privacy office or legal team for your specific context and data flows.
Table: laws and where they typically apply
| Jurisdiction | Instrument | Applies to | Notes |
|---|---|---|---|
| Commonwealth | Privacy Act 1988 (Cth) + Australian Privacy Principles (APPs) | Commonwealth agencies and many private/NGO health service providers | Sets baseline principles for collection, use, disclosure, security, access and correction. |
| ACT | Information Privacy Act 2014 (ACT) + Territory Privacy Principles (TPPs) | ACT public sector agencies | Public-sector privacy framework; health information may also be regulated separately. |
| ACT | Health Records (Privacy and Access) Act 1997 (ACT) | Public and private health service providers (health information) | Health-specific privacy obligations and access rights. |
| NSW | Privacy and Personal Information Protection Act 1998 (NSW) + IPPs | NSW public sector agencies | General personal information principles for NSW agencies. |
| NSW | Health Records and Information Privacy Act 2002 (NSW) + HPPs | NSW public and private sector health service providers (health information) | Health information rules can apply even when the federal APPs also apply. |
| NT | Information Act 2002 (NT) + NT IPPs | NT public sector agencies | Includes information privacy principles for government handling of personal information. |
| QLD | Information Privacy Act 2009 (QLD) + QPPs | Queensland government agencies | Queensland privacy principles for public sector handling and disclosure. |
| SA | Premier & Cabinet Circular 12 – Information Privacy Principles Instruction | South Australian public sector agencies (policy-based) | No dedicated privacy statute; mandatory instruction establishes binding principles. |
| TAS | Personal Information Protection Act 2004 (Tas) + PIPPs | Tasmanian public sector agencies | Public-sector privacy obligations for personal information handling. |
| VIC | Privacy and Data Protection Act 2014 (Vic) + IPPs | Victorian public sector organisations | General personal information handling obligations for Victorian public sector. |
| VIC | Health Records Act 2001 (Vic) + HPPs | Public and private health service providers (health information) | Health-specific principles often apply alongside other governance requirements. |
| WA | Privacy and Responsible Information Sharing Act 2024 (WA) | WA public sector organisations (commencement expected 2026) | Introduces comprehensive privacy obligations and a responsible information sharing framework. |
Next steps
When you know which law applies, move to lawful pathways and document the specific approval route, consent/authority, and any ethics requirements for your organisation and dataset.