Health Startup Considerations – Australian Privacy Law

The health industry is one of Australia’s more heavily regulated industries. As well as having to consider the regulatory requirements of the Therapeutic Goods Administration, and possibly AHPRA, health startups need to determine the applicability of Australian privacy laws.

Privacy Law in Australia

The legal framework for privacy in Australia, as it applies to the private sector, is the Privacy Act 1988 (the Privacy Act). The Privacy Act generally only applies to businesses that have an annual revenue exceeding $3,000,000. However, if your business falls into one of several specified industries, including the provision of health services, the Privacy Act will apply regardless of your revenue turnover (you can find a full list of specified industries covered by the Privacy Act here).

What is a Health Service?

Just because your business is playing in the health space doesn’t necessarily mean you will be classed as a health service (although it’s likely). A service is defined as a health service under the Privacy Act if:

  • It is intended or claimed to:
    • Assess, maintain, improve or manage the recipient’s health;
    • Diagnose or treat an illness, disability or injury;
    • Record a person’s health for the purposes of assessing, maintaining, improving or managing their health;
  • It involves dispensing prescribed drugs.

The above definition applies whether the service relates to physical or psychological health. If you think your business is offering a service which may be caught by the above definition, but you’re unsure, we strongly recommend speaking with a startup lawyer to confirm your obligations. If your business is captured by the above, then you will need to comply with the Privacy Act.

Complying with the Privacy Act

Compliance with the Privacy Act, for the most part, requires compliance with the 13 Australian Privacy Principles set out at Schedule 1 of the Privacy Act (APPs). The APPs are designed to ensure individuals have access, transparency and autonomy when it comes to their personal information. Examples of APPs include:

  • Where possible, enabling individuals to anonymise themselves with respect to certain matters;
  • Only collecting personal information that is necessary for one of the business’s activities;
  • Only collecting personal information through fair and lawful means;
  • Notifying individuals that their information is being collected;
  • Only disclosing the information to third parties in permitted circumstances;
  • Deleting personal information when it is no longer required;
  • Having adequate security measures in place to protect personal information.

A good first step towards compliance is putting together a Privacy Act compliant privacy policy, as is required by APP 1.3. The specific contents of your privacy policy may differ depending on your industry, the services you are providing, the ways you are collecting information, etc. However, APP 1.4 sets out the minimum information that a privacy policy must contain:

  • How and why the business collects and holds personal information;
  • How an individual may access and correct their personal information;
  • How an individual may complain about a breach of an APP;
  • Whether their personal information is likely to be disclosed to overseas recipients and, if so, where those recipients are likely to be located.

Sensitive Information

More onerous requirements apply when your business is collecting sensitive information, which is information about a person’s: 

  • Race or ethnicity;
  • Health, genetics or biometrics;
  • Political, religious or philosophical beliefs or affiliations;
  • Sexual orientation or practices;
  • Membership of a professional or trade association or trade union.

As a health startup, it is highly likely that your business will be collecting information related to an individual’s health, genetics, biometrics, race or ethnicity, and possibly also their sexual orientation or practices. You should get in touch with a startup commercial lawyer who is experienced with health startups.

The APPs set out how sensitive information must be treated differently to personal information. For example, a business may only collect personal information if it is reasonably necessary for one or more of its functions. However, it may only collect sensitive information if it is necessary for one or more of its functions AND if the individual consents. Similarly, a business may use personal information for direct marketing if the individual would reasonably expect the business to do so, and has a simple way to opt out of direct marketing. Conversely, it may only use sensitive information for direct marketing with the individual’s consent.

Where activities under the Privacy Act require an individual’s consent, such as in the examples given above, a privacy policy can be a great place to procure this consent. For more advice on what to include in a privacy policy, read here.

Get in touch

Here at Allied Legal, our commercial lawyers have assisted countless startups with navigating their privacy obligations under the Privacy Act. If you need a privacy policy drafted, or if you have any queries about your privacy obligations under Australian law, give us a call on 03 8691 3111 or email us at
