The Privacy Act 1988 (Cth) regulates how some health service providers, Commonwealth government agencies and other private sector organisations may collect, use, disclose and store personal information, and how individuals may access and correct personal information held about them. It imposes certain obligations on these providers and agencies concerning the management of personal information.

On 12 March 2014 the National Privacy Principles will be replaced by new Australian Privacy Principles (APPs), which are more comprehensive than the old regime, and impose additional requirements which providers and agencies must comply with.

Public hospitals and public health services in Victoria, as listed in Schedules 1 and 5 of the Health Services Act 1988 (Vic), are not subject to the Commonwealth scheme, and accordingly are not affected by these changes.  These organisations remain within the scope of the Information Privacy Act 2000 (Vic), and continue to be bound by the Information Privacy Principles contained within that legislation.

Privacy Victoria, and the Office of the Victorian Privacy Commissioner, remains the relevant regulator for public health providers in Victoria.  These providers also need to comply with the requirements of the Health Records Act 2001 (Vic), which is administered by the Health Services Commissioner.  The Charter of Human Rights and Responsibilities Act 2006 (Vic) also requires that all Victorian government organisations must act in a way that protects human rights, which includes protection of the right to privacy.