In the recent case AXF and AXG (Privacy) [2025] AICmr 121, the Australian Information Commissioner found that a psychiatrist had breached Australian Privacy Principle (APP) 11.1 by failing to take reasonable steps to protect a patient’s historical medical records from loss. The case highlights often overlooked obligations for healthcare providers—and indeed all APP entities—regarding the secure retention and destruction of personal information.

The case is particularly notable because it provides perhaps the only published guidance on the implementation of APP 11 by health services.

The Importance of Proper Record Retention

The respondent, a sole practitioner psychiatrist, had received the complainant’s original medical records (spanning over 20 years) from her former psychiatrist. These records were stored in a locked filing cabinet alongside unrelated research and medico-legal documents. During office renovations, the records were allegedly inadvertently destroyed by a third-party shredding service.

APP 11.1 requires entities that are subject to the Privacy Act to take such steps as are reasonable in the circumstances to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. The Commissioner held (at paragraph 30):

‘Loss’ of personal information covers the accidental or inadvertent loss of personal information held by an APP entity, which includes the physical loss of personal information contained in hard copy documents. It does not apply to the intentional destruction or de-identification of personal information in accordance with the APPs.

The Commissioner held that in assessing whether there had been compliance with APP 11, it was necessary to consider what steps the respondent took to protect the personal information it held from security risks and whether those steps were reasonable in the circumstances.

Key Failures in Record Management Systems

The Commissioner identified several deficiencies in the respondent’s handling of the records:

1. Poor Storage Practices

The Commissioner found that the respondent had failed to take reasonable steps to protect this sensitive information, noting that (at paragraph 39):

“While the respondent stored the complainant’s historical medical records in a locked cabinet at his premises, the storage of the records with old research and medicolegal documents increased the risk of inadvertent loss and destruction.”

This underscores the necessity of separating client records from general operational files to prevent accidental destruction.

2. Lack of a Record Retention Policy

The respondent had no formal procedure for determining when records should be retained or destroyed. While the respondent psychiatrist argued that no Queensland law mandated a specific retention period for private medical records, the Commissioner referenced industry best practices—such as the Australian Psychological Society’s recommendation to retain records for at least seven years after last contact. Specific mention was made of Institute of Private Practicing Psychologists, General Guidelines, suggesting that client records be kept for a minimum of 10 years after last contact. The Commissioner noted that (at paragraph 39):

“(the respondent could have) had a documented procedure outlining the requirements for retention and destruction of patient records to address the risk of inadvertent destruction and protect the personal information from loss”

This emphasises the need to have a detailed record retention policy to ensure best practice. Again, it must be emphasised that there was no independent regulatory compliance requirement on the psychiatrist to maintain these records at the time of destruction. Consequently, it must be inferred that the Australian Privacy Principles may, in certain contexts, be interpreted as requiring best practice.

Moreover, the Commissioner suggested that the record retention policy ought to have been augmented by a specific register of material destroyed.

“(the respondent could have) maintained a register documenting medical records that had been destroyed and the reasons for the destruction in consideration of any retention obligations and best practice guidance referred to above”

With respect to the reasoning of the Commissioner, it is difficult to see how a post-destruction register would add further, relevant protections to an appropriately drafted record retention policy.

3. Inadequate Review (and/or Notice to the Client) Prior to Destruction

The facts were novel. On referral to the new practice, the complainant’s previous psychiatrist had hand delivered a large number of hard copy notes. Some of this material was significantly aged and dated outside the usual retention period. The respondent assessed that the historical medical records were not relevant to the ongoing treatment of the client. However, as noted, this material was placed in a mixed filing cabinet, which was ultimately a step that led to the material being destroyed. The complainant was not given an opportunity to retrieve her records before destruction. Relevantly, even the respondent psychiatrist acknowledged on cross-examination that destruction of the historic material was capable of causing hardship to the patient.

The Commissioner held the records were destroyed without a proper assessment of whether they were still needed. The Commissioner noted that (at paragraph 39):

The respondent could have implemented a system of reviewing records in the filing cabinet before destroying them, having regard to his legal obligations in relation to retention, to confirm whether they ought to be destroyed or retained.

The Commissioner was concerned by the destruction of the material and observed that notifying patients before disposing of potentially significant records, notwithstanding that they were outside the usual retention window, could mitigate readily apparent risks of hardship.

Non-Compliance with APP 11

On the basis of the foregoing the Commissioner held at paragraph 42:

I find that the respondent did not take such steps as were reasonable in the circumstances to protect the complainant’s personal information from loss. I therefore find that the respondent breached APP 11.1.

Best Practices for Compliance with APP 11

The decision provides clear guidance on how entities should manage personal information to avoid similar breaches:

  1. Implement a Documented Retention and Destruction Policy. Entities must establish clear procedures outlining how long records should be kept, when they should be reviewed, and how they should be securely destroyed. Such policy should allow for the identification of material that may be significant. The policy should also contemplate receipt of historic records from previous health service providers.
  2. Segregate Personal Information from General Files. Sensitive records should not be stored alongside unrelated documents, as this increases the risk of accidental loss. Ideally such material would all be digitised and stored digitally.
  3. Conduct Pre-Destruction Reviews. Before destroying records, entities should again verify whether retention is still required under legal, regulatory, or operational obligations, or alternatively whether the destruction has potential to cause hardship to the client.
  4. Consider Digitisation. By the time of the decision, the respondent had moved to digital record-keeping, which the Commissioner acknowledged as a mitigating step. Digitising records (with appropriate security measures) can reduce physical storage risks and provide greater controls prior to destruction.
  5. Maintain Destruction Logs. Keeping a register of destroyed records, including the justification for each destruction, helps demonstrate compliance with APP 11.

Compensation and Remedies

The Commissioner awarded the complainant $7,500 for non-economic loss, recognising the significant distress caused by the loss of her medical history. However, claims for economic loss (such as costs to reconstruct records) were denied due to lack of evidence.

It appears that in publishing the determination the Commissioner was mindful that guidance was being created for health services dealing with historic records. At paragraph 4, the Commissioner stated:

This determination may be of interest to medical and other health practitioners, including those undertaking a process to transform the patient health records they hold from physical to digital files.

Conclusion

This case serves as a helpful reminder of the consequences of poor record-retention practices. APP entities—particularly healthcare providers—must ensure they have robust procedures in place to protect personal information throughout its lifecycle. Failure to do so not only risks regulatory action through breach of the APP but can also cause lasting harm to individuals who rely on the integrity of their personal data.

For entities handling sensitive information, the key takeaway is clear: “reasonable steps” under APP 11 require proactive, documented, and carefully implemented policies—not just ad-hoc destruction processes.

Therapass offers a record retention and client notes policy that sets out a standard for the destruction of records that meets the principles articulated in this decision.
