Why we need to reform our state privacy laws: Data retention and the right to erasure in Australia

In line with patient-first value, we're asking our state and territory governments to urgently reform our State Privacy Laws to further protect our patients’ personal information.
Written by

Following the high-profile breaches of Optus and Medibank, the Australian Government has committed to reforming our national privacy laws to further protect Australians from harm [1]. This will result in the biggest reform to our national privacy laws since their creation in 1988. We welcome this reform at Eucalyptus, as this will offer significantly greater privacy protections to our patients, in line with global standards. Specifically, the government has agreed, in principle, to introduce a “right to erasure” into our national privacy laws [2]. This means Australians will have a legal right to request that their data be deleted permanently from the databases of private businesses. 

As a global digital health company, Eucalyptus is committed to protecting the privacy of our patients. Our practitioners work to some of the highest privacy standards at an international level, specifically the General Data Protection Regulation in the UK and EU, and we always ensure that we protect our patients from harm. 

However, while these reforms to our national privacy laws are a step in the right direction for patient privacy, at Eucalyptus, we see a deeper need to further amend our state and territory privacy laws. In line with our commitment to our patients’ privacy, we are urging our governments, at a national, state and territory level, to reform data deletion and retention requirements for health information. Only then can we ensure the protection of all Australian patients from the risk of data breach and harm. 

The laws governing data deletion in Australia

In Australia, privacy is not governed by a single set of national laws. Rather, privacy is the subject of a patchwork of state, territory and national privacy laws that deal with the collection, use, disclosure and deletion of personal information. 

At the national level, privacy is regulated by the Privacy Act 1988 (Cth) (National Privacy Law). At state and territory levels, governments may introduce their own legislation to govern privacy within their jurisdiction (State Privacy Laws). Indeed, many state and territory governments have legislation regulating healthcare providers and their protection of patient data in their jurisdiction. 

While the National Privacy Law and State Privacy Laws share the overarching goal of minimising harm, their requirements can vary significantly by provider and by jurisdiction. Reform to our National Privacy Law does not necessarily result in reform to our State Privacy Laws. While both laws can apply to an entity concurrently, state laws may take precedence where an inconsistency arises between the StatePrivacy Laws and the National Privacy Law [4]. This means that State Privacy Laws can reduce the protections afforded by the National Privacy Law, to the detriment of Australians. 

Data deletion and retention of health information is an example of where State Privacy Laws negatively impact national protections. Currently, some state and territory privacy laws require private-sector healthcare providers to retain health information for seven years [5]. While this may improve the retention of health history, it creates a significant risk of data breach harm. Moreover, where such state and territory privacy laws override any right to erasure introduced at the national level, both healthcare providers and patients are subject to a data breach risk that neither wants. 

For example, private sector healthcare providers in NSW are subject to both the Privacy Act 1988 (Cth) and the Health Records and Information Privacy Act 2002 (NSW). Both operate concurrently to regulate the use, collection and disclosure of health information by private-sector healthcare providers in Australia. While a new right to erasure in the Privacy Act 1988 (Cth) may seek to give patients the right to request that their personal information be deleted, the Health Records and Information Privacy Act 2002 (NSW) may prevent any NSW-based healthcare provider from deleting the information, despite the patient’s wishes. 

What this means for our patients

In overseas jurisdictions (both the UK and the EU are subject to the General Data Protection Regulation (GDPR)), we are able to protect our patient’s privacy by ensuring that we:

  1. Delete data when it is no longer needed               
  2. Delete data when a patient makes a request 

This significantly reduces the risk that sensitive health information will be exposed and keeps our patients safe. 

However, in Australia, we (along with most other private-sector healthcare providers) are obligated to meet the data retention requirements under State Privacy Laws. This currently prevents us from deleting health information, even upon request. This means that while a new “right to erasure” in our National Privacy Law is a positive step forward, failure to reform our State Privacy Laws will detriment our patients and place their health data at greater risk. 

Eucalyptus has previously heard from our patients how these State Privacy Laws negatively impact their privacy. As a result, we have taken action to drive change in our National Privacy Law and State Privacy Laws. You can read our submission to the Australian Government from March 2023 here, as part of the Privacy Act Review [5]. In the interests of our patients, we will continue to push for harmonisation between our State Privacy Laws and National Privacy Laws and ensure that we can continue to keep our patients safe from harm. 

In line with our value of patients first, we ask our state and territory governments to urgently reform our State Privacy Laws to further protect our patients’ personal information. The Australian government’s commitment to a right to erasure in our National Privacy Law is a significant step forward. However, if it is overridden by a State Privacy Law’s retention requirements, then it will only detriment Australian data subjects.

Instead, we believe our governments should bring our data retention and erasure laws in line with the high standards of the GDPR in the EU and the UK — the standards within which we operate at Euc. This ensures we can effectively protect our patients, respect their right to erasure, and bring our Australian practices in line with higher standards that exist at an international level. 


[1]  <https://www.ag.gov.au/sites/default/files/2023-09/government-response-privacy-act-review-report.PDF>

[2] Government Response - Privacy Act Review, Proposal 18.3, pg 31 <https://www.ag.gov.au/sites/default/files/2023-09/government-response-privacy-act-review-report.PDF>.

[3] Privacy Act 1988 (Cth) s 3. 

[4] See, eg, Health Records and Information Privacy Act 2002 (NSW) s 25. 

[5] <https://consultations.ag.gov.au/integrity/privacy-act-review-report/consultation/view_respondent?show_all_questions=0&sort=submitted&order=ascending&_q__text=eucalyptus&uuId=728163733>.


Jeremy Chan
Trust Lead