Information Management


Policy framework statement

The Information Management Policy Framework specifies the information management requirements that all Health Service Providers (HSPs) must comply with in order to ensure effective and consistent management of health, personal and business information across the WA health system.


The Director General (DG) of the Department of Health is the System Manager responsible for the overall management, strategic direction and stewardship of the WA health system. The DG will use policy frameworks to ensure a consistent approach to a range of matters undertaken by HSPs.  Policy frameworks must be complied with and implemented as a part of ongoing operations.

The purpose of this policy framework is to ensure:

  • a consistent approach is adopted for collecting and managing information across the WA health system
  • best practices are applied for information management and the privacy of individuals is protected
  • health and personal information is appropriately managed throughout its lifecycle
  • proper and secure handling of business related information necessary for its services and functions.


This policy framework is binding on each HSP to which it applies or relates.


The key principles that underpin this policy framework are:


  • for purposes related to treatment and health care
  • for purposes that are directly related to, and necessary for, the activities of the HSP (to manage, plan, evaluate or promote, protect and maintain the health of the community)
  • in a manner that is transparent and accountable to patients and employees, and protects their privacy and confidentiality
  • directly from the patient or employees where reasonable and practical to do so, ensuring it is relevant, accurate, up-to-date and not excessive
  • into health information management systems approved by the DG
  • according to common definitions, interpretations, formats and business rules, unless there is an accepted and documented justification for the deviation.


  • for purposes stipulated under the Health Services Act 2016 and in accordance with the Regulations or delegated approvals
  • for research purposes with approval from the relevant WA Health Human Research Ethics Committee (HREC) that is constituted in accordance with, and acting in compliance with, the National Statement
  • with the consent of the person to whom the information pertains for any other particular purpose.


  • of securely and in accordance with all requirements in the authorised retention and disposal schedule.


  • in accordance with the Health Services Act 2016 and the Regulations or delegated approvals
  • in accordance with the Freedom of Information Act 1992
  • by promptly managing information breaches and security incidents
  • using transparent and accountable data governance and research ethics processes.


  • using methods to ensure it is migrated, preserved, accessible and usable to meet patient care and business requirements
  • using security provisions that protect against unauthorised access, use, modification or disclosure
  • ensuring it is disposed of appropriately and in accordance with any requirement for its retention and disposal.


  • for purposes stipulated under the Health Services Act 2016 and the Regulations or delegated approvals
  • for facilitating good healthcare for patients (staff should only access, view and use the health and personal information that is necessary for them to perform their duties)
  • for research purposes with approval from the relevant HREC that is constituted in accordance with, and acting in compliance with, the National Statement
  • for a directly related purpose which could be reasonably expected by the individual, when the purpose cannot be served by the use of de-identified information and it is impractical to seek the consent of the individual for the use
  • the minimum amount of information is used to accomplish the purpose and everything reasonably practicable is done to prevent its unauthorised use.

Legislative context

The Health Services Act 2016 refers to policy frameworks in ss. 26-27 and s. 34(2)(c). The other relevant part in the Act that relates specifically to this policy framework is Part 17.

The legislation below may also apply:

  • Children and Community Services Act 2004
  • Commonwealth Privacy Act 1988 (Australian Privacy Principles)
  • Coroners Act 1996
  • Corruption, Crime and Misconduct Act 2003
  • Criminal Code Act Compilation Act 1913
  • Electronic Transactions Act 2011
  • Evidence Act 1906, Acts Amendment (Evidence) Act 2000
  • Freedom of Information Act 1992
  • Freedom of Information Regulations 1993
  • Health Act 1911
  • Health and Disability Services (Complaints) Act 1995
  • Human Reproductive Technology Act 1991
  • Mental Health Act 2014
  • National Health and Medical Research Council Act 1992
  • State Records Act 2000

Mandatory requirements

Under this policy framework HSPs must comply with all mandatory requirements* including:

*Any mandatory requirement document that references the Hospitals and Health Act 1927 must be interpreted as a requirement under the Health Services Act 2016.

Policy framework custodian

Assistant Director General
Purchasing and System Performance

Enquiries relating to this policy framework may be directed to:


This policy framework will be reviewed as required to ensure relevance and recency. At a minimum this policy framework will be reviewed within two years after first issue and at least every three years thereafter.

| Version | Effective from | Effective to | Amendment(s) |
|---|---|---|---|
| 1 | 1 July 2016 | 30 June 2017 | Original version |
| 2 | 30 June 2017 | 1 July 2017 | Major Amendment to MP 0036/16, Major Amendment to MP 0015/16. |
| 3 | 1 July 2017 | 2 August 2017 | New MP 0058/17, superseded OD 0540/14. New MP 0056/17 superseded OD 0620/15. New MP 0059/17 superseded OD 0136/08 and OD 0137/08. Rescinded OD 620/15, OD 0380/12, OD 0136/08, and OD 0137/08 from Mandatory Requirements and OD 0540/14 from Supporting Information. |
| 4 | 2 August 2017 | 4 October 2017 | New MP 0061/17. |
| 5 | 4 October 2017 | 22 February 2018 | New MP 0068/17, superseding OD 0621/15 and OD 0622/15. Rescinded OD 0621/15 and OD 0622/15 from Mandatory Requirements. |
| 6 | 22 February 2018 | 27 June 2018 | Rescinded OD 0272/10, OD 0132/08 and OD 0131/08 from Mandatory Requirements |
| 7 | 27 June 2018 | 26 September 2018 | New MP 0087/18 superseding MP 0068/17. New MP 0088/18 superseding MP 0014/16. |
| 8 | 26 September 2018 | 11 October 2018 | New MP 0091/18 superseding OD 1435/01, OD 0567/14, OD 0568/14 and MP 0042/16. |
| 9 | 11 October 2018 | 18 October 2018 | Rescindment of OD 0564/14 from Mandatory Requirements |
| 10 | 18 October 2018 | Current | Rescindment of IC 0200/14 from Supporting Information and Major Amendment to MP 0058/17 |


This policy framework has been approved and issued by the Director General of the Department of Health as the System Manager.

Approval by: Dr David Russell-Weisz, Director General, Department of Health
Approval date: 01 July 2016
Date published: 18 October 2018
File number: F-AA-40150


This policy framework is binding on those to whom it applies or relates. Implementation at a local level will be subject to audit.

Glossary of terms

Term: Meaning

Under section 26 of the Health Services Act 2016, policy frameworks may apply to:

  • All Health Service Providers
  • A type of public health service facility
  • A type of public health service
  • A type of staff member of a health service provider.
Business information: Includes, but is not limited to, administration, corporate, workforce, human resources, financial or accounting information that may contain personal information.
Confidentiality: The obligation of people not to use or disclose information for any purpose other than that for which it was given to them, without consent.
Consent: Consent means voluntary agreement to some act, practice or purpose.
Data: The term 'data' generally refers to unprocessed information, while the term 'information' refers to data that has been processed in such a way as to be meaningful to the person who receives it. In this policy the terms 'data' and 'information' have been used interchangeably and should be taken to mean both data and information.
Data governance [1]: Is the system of decision rights and accountabilities surrounding data and the use of data. It can involve legislation, organisational structures, legal contracts, and various agreements, policies, and guidelines.
Data linkage: A complex technique connecting data records within and between datasets thought to relate to the same person, place, family or event. Data linkage typically uses demographic data (for example: name, date of birth, address, sex, medical record number) and facilitates analysis of linked information in a way that protects individual privacy.
De-identified information [2]: Is synonymous with the term 'non-identifiable information' and refers to information or opinion about a person whose identity is not apparent and cannot be reasonably ascertained from the information or opinion.
Directly related purpose [3]:

Refers to the use of health information for a purpose which is closely associated with the original purpose, even if it is not strictly necessary to achieve that purpose. It must be a purpose that people would reasonably expect to be associated with the original purpose.

Examples include, but are not limited to:

  • using health information to manage the provision of the health service and for funding, monitoring, evaluating, auditing or managing a health service
  • administrative activities associated with payment for the health service or product
  • sharing relevant health information with students and other staff for training purposes
  • using information obtained for the purpose of investigating complaints
  • billing or recovering debt in relation to health services received.
Disclosure: Refers to the communication or transfer of information outside of the WA health system, which is considered a single entity under the Framework. A disclosure can occur by giving a copy, summary, or communicating the information in any other way to another organisation or individual outside the WA health system.
Duty of confidentiality: The legal duty of confidentiality obliges health care practitioners to protect their patients against inappropriate disclosure of personal health information.
Health information: Means – (a) information, or an opinion, that is also personal information, about:
  1. the health (at any time) of an individual; or
  2. a disability (at any time) of an individual; or
  3. an individual's expressed wishes about the future provision of health services to the individual; or
  4. a health service provided, or to be provided, to an individual; or

(b) other personal information collected to provide, or in providing, a health service.

(Refer to clause 213 of the Health Services Act 2016).

Health information management [4]: Is information management applied to health and healthcare. Information management is defined as the means by which an organisation plans, identifies, creates, receives, collects, organises, governs, secures, uses, controls, disseminates, exchanges, maintains, preserves and disposes of its information; as well as any means through which the organisation ensures that the value of that information is identified and exploited to its fullest extent.
Health record: Is the documentation (whether in paper or electronic form) of a patient's health information that is created by a Health Service Provider for the purpose of managing the patient's healthcare.
Health Service Provider: Means a Health Service Provider established by an order made under section 32(1)(b) of the Health Services Act 2016.
Human Research Ethics Committee (HREC): Means a human research ethics committee constituted in accordance with, and acting in compliance with, the National Statement.
National Statement: Means the National Statement on Ethical Conduct in Research Involving Humans, as in force from time to time, issued under the National Health and Medical Research Act 1992 (Cwlth) clause 7(1)(a).
Personal information:

Has the meaning given in the Freedom of Information Act 1992 in the Glossary clause 1:

Means information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual, whether living or dead -

(a) whose identity is apparent or can reasonably be ascertained from the information or opinion; or

(b) who can be identified by reference to an identification number or other identifying particular such as a fingerprint, retina print or body sample.

Practical: Concerns what is feasible in real circumstances. Because something is inconvenient, costs money or is an annoyance, do not assume it is not reasonable or practicable to do. In deciding if certain matters are practical (or reasonable): (i) consider what the majority of people would expect or find appropriate, (ii) assess the time and cost involved in complying against benefits and risks, (iii) consider alternative methods to achieve a similar result, and (iv) take into account the entire situation (for example: impact on patients, urgency of an issue).
Primary purpose: The main reason for which information is collected. For example, in most cases, health information is collected from a patient to provide health care.
Privacy [5]: The individual's right or expectation that health information and other identifying information will not be disclosed.
Reasonable: Refer to 'Practical'.
Reasonable expectation: Means that the purpose is closely related to the healthcare of the patient and/or that the use or disclosure was communicated when the information was collected.
Research [6]: Original investigation undertaken to gain knowledge, understanding and insight. It is a broad concept and there is no simple, single way to define research for all disciplines.
Use: Use of information refers to the communication or handling of information within the WA health system. The WA health system is considered a single entity under the Framework. Therefore, sharing information between Health Service Providers, the Department and Contracted Health Entities is considered use.
WA health system: Pursuant to section 19(1) of the Health Services Act 2016, means the Department of Health, Health Service Providers and to the extent that Contracted Health Entities provide health services to the State, the Contracted Health Entities.

[1] Australian Institute of Health and Welfare. Data Governance - In Brief

[2] Privacy Manual for Health Information. Reproduced by permission, NSW Ministry of Health © 2016

[3] The State of Queensland (Office of the Information Commissioner) 2012

[4] Queensland Government Information Management Policy Framework Definitions

[5] National Health and Medical Research Council - Principles for Accessing and Using Publicly Funded Data for Health Research Canberra

[6] National Health and Medical Research Council - Australian Code for the Responsible Conduct of Research