Australia
A company shared my health information with a third party without my consent. What can I do?
You can complain to the Office of the Australian Information Commissioner (OAIC), seek correction or deletion of your information, and in some cases apply for compensation. The Privacy Act 1988 (Cth) prohibits unauthorised disclosure of health information.
What the Law Says
The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) govern how organisations handle personal information — especially sensitive information like health data.
Health information is classified as 'sensitive information' under the Privacy Act, which means it receives stronger legal protection than other personal information.
Australian Privacy Principle (APP) 6 restricts how organisations may use or disclose personal information. It states that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless an exception applies — and consent is the most common lawful basis.
APP 11 requires organisations to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.
Statutory Text
An APP entity must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the purpose (the primary purpose) for which it was collected…
— Privacy Act 1988 (Cth), s. 16A — Australian Privacy Principle 6
Statutory Text
Health information means information or an opinion about the physical or mental health or a disability of an individual…
— Privacy Act 1988 (Cth), s. 6(1) — Definition of 'health information'
What to Do
Contact the company in writing to ask how and why your health information was shared, and request its correction or deletion.
Lodge a formal complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au/complaints.
If the OAIC finds a breach, it may require the company to apologise, correct the record, or pay compensation — though compensation requires applying to the Federal Court if unresolved.
Keep records of all communications and act within 5 years of the incident (the general limitation period for privacy complaints).
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.