Information Management


Policy framework statement

The Information Management Policy Framework specifies the information management requirements that all Health Service Providers (HSPs) must comply with in order to ensure effective and consistent management of health, personal and business information across the WA health system.


The Director General (DG) of the Department of Health is the System Manager responsible for the overall management, strategic direction and stewardship of the WA health system. The DG will use policy frameworks to ensure a consistent approach to a range of matters undertaken by HSPs. Policy frameworks must be complied with and implemented as a part of ongoing operations.

The purpose of this policy framework is to:

  • optimise the value and quality of information to support the realisation of the WA health system's vision to deliver a safe, high quality, sustainable health system for all Western Australians
  • maximise access and use of information to achieve the System Manager and Health Service Provider functions in accordance with the Health Services Act 2016 and other written laws
  • enhance transparent public reporting and real-time access to information to support better services and outcomes, and a more accountable WA health system
  • minimise misuse and inappropriate disclosure of information
  • provide employees with the ability and knowledge to safely secure and protect sensitive, confidential and appropriately classified information
  • promote appropriate fit-for-purpose information management governance models and mechanisms
  • support the effective, efficient and consistent management of information through each stage of the information lifecycle
  • foster the adoption of contemporary best practice for data integrity and information management related processes, procedures and policies across the WA health system


This policy framework is binding on each HSP to which it applies or relates.


The key principles that underpin this policy framework are for information in the WA health system to be:


  • by facilitating better patient treatment, health care and public health
  • by better informing decision making
  • by providing opportunities to identify effectiveness and efficiency improvements
  • by enabling research related discoveries, innovations and enhancements


  • by collecting and storing relevant, timely and high quality information
  • by using methods to ensure stored information is migrated, preserved, and remains accessible and usable
  • by facilitating transparent public reporting and real-time information access
  • for the legal purposes stipulated in the Health Services Act 2016, the Health Services (Regulations) Act 2017 and other written laws
  • for functions stipulated in the Health Services Act 2016 and other statutory requirements
  • through streamlined access protocols and mechanisms in accordance with the delegated authorities
  • for research purposes in accordance with the Health Services Act 2016 with approvals from the relevant Human Research Ethics Committee (HREC) that is constituted and acts in compliance with the National Statement on Ethical Conduct in Human Research


  • for purposes that are directly related to, and necessary for, the activities of the Health Service Providers to manage, plan, evaluate or promote, protect and maintain the health of the community
  • for the legal purposes stipulated in the Health Services Act 2016, the Health Services (Regulations) Act 2017 or other written laws
  • for functions stipulated in the Health Services Act 2016 or other written laws
  • by adopted policies, processes and procedures that support a culture of information sharing in accordance with legal requirements
  • to reduce the need to collect the same information multiple times
  • appropriately in accordance with statutory, regulatory and mandatory policy requirements and delegated authorities


  • through a clearly defined information management governance model(s) and mechanisms
  • at each stage of the information lifecycle
  • within information management systems where required and in accordance with legislative requirements
  • through transparent and accountable data governance and research ethics processes
  • in accordance with statutory, regulatory and mandatory policy requirements
  • to promote access to information for assurance purposes
  • by adopting effective models that are simple, fit for purpose and appropriate to the dataset or information being managed


  • by providing policies, processes and procedures to promote high quality information
  • by adopting common definitions, interpretations, data quality statements, formats and business rules
  • by incorporating best practice data integrity and information management processes
  • by utilising audits, information specialists and subject matter experts

Secure and protected

  • by storing information in systems that are secure, protected and meet governance requirements
  • by adopting best practice for procurement, design, development, testing and implementation of information systems
  • in a manner that is transparent and accountable to protect against misuse, or the unauthorised or inappropriate collection, storage, transit, access, use, disclosure or disposal of information
  • by ensuring staff within the WA health system are informed and empowered to do everything reasonable and practicable to prevent the misuse or unauthorised access to or disclosure of information
  • by adopting security provisions to protect against unauthorised access, use, modification or disclosure
  • by ensuring information is disposed of appropriately and in accordance with any requirement for its retention and disposal
  • by mitigating and managing information breaches and security incidents
  • by ensuring compliance with statutory, regulatory and mandatory policy requirements for each stage of the information lifecycle

Legislative context

The Health Services Act 2016 refers to policy frameworks in ss. 26-27 and s. 34(2)(c). The other relevant part in the Act that relates specifically to this policy framework is Part 17.

The legislation below may also apply:

  • Children and Community Services Act 2004
  • Commonwealth Privacy Act 1988 (Australian Privacy Principles)
  • Coroners Act 1996
  • Corruption, Crime and Misconduct Act 2003
  • Criminal Code Act Compilation Act 1913
  • Electronic Transactions Act 2011
  • Equal Opportunity Act 1984
  • Evidence Act 1906, Acts Amendment (Evidence) Act 2000
  • Freedom of Information Act 1992
  • Freedom of Information Regulations 1993
  • Health (Miscellaneous Provisions) Act 1911
  • Health and Disability Services (Complaints) Act 1995
  • Health Services (Information) Regulations 2017
  • Human Reproductive Technology Act 1991
  • Industrial Relations Act 1979
  • Mental Health Act 2014
  • National Health and Medical Research Council Act 1992
  • Public Health Act 2016
  • Private Hospitals and Health Services Act 1972
  • State Records Act 2000

Mandatory requirements

Under this policy framework HSPs must comply with all mandatory requirements* including:

*Any mandatory requirement document that references the Hospitals and Health Act 1927 must be interpreted as a requirement under the Health Services Act 2016.

Policy framework custodian

Assistant Director General
Purchasing and System Performance

Enquiries relating to this policy framework may be directed to:


This policy framework will be reviewed as required to ensure relevance and recency. At a minimum this policy framework will be reviewed within two years after first issue and at least every three years thereafter.

Version Effective from Effective to Amendment(s)
1 1 July 2016 30 June 2017 Original version
2 30 June 2017 1 July 2017 Major Amendment to MP 0036/16, Major Amendment to MP 0015/16
3 1 July 2017 2 August 2017 New MP 0058/17, superseded OD 0540/14. New MP 0056/17 superseded OD 0620/15. New MP 0059/17 superseded OD 0136/08 and OD 0137/08. Rescinded OD 620/15, OD 0380/12, OD 0136/08, and OD 0137/08 from Mandatory Requirements and OD 0540/14 from Supporting Information
4 2 August 2017 4 October 2017 New MP 0061/17
5 4 October 2017 22 February 2018 New MP 0068/17, superseding OD 0621/15 and OD 0622/15. Rescinded OD 0621/15 and OD 0622/15 from Mandatory Requirements
6 22 February 2018 27 June 2018 Rescinded OD 0272/10, OD 0132/08 and OD 0131/08 from Mandatory Requirements
7 27 June 2018 26 September 2018 New MP 0087/18 superseding MP 0068/17. New MP 0088/18 superseding MP 0014/16
8 26 September 2018 11 October 2018 New MP 0091/18 superseding OD 1435/01, OD 0567/14, OD 0568/14 and MP 0042/16
9 11 October 2018 18 October 2018 Rescindment of OD 0564/14 from Mandatory Requirements
10 18 October 2018 11 July 2019 Rescindment of IC 0200/14 from Supporting Information and Major Amendment to MP 0058/17.
11 11 July 2019 30 July 2019 Rescindment of OD 0557/14 Information Lifecycle Management Policy and Department of Health Recordkeeping Plan 2013.
12 30 July 2019  6 August 2019 Major Amendment MP 0087/18 Non-Admitted Activity Recording and Reporting Policy.
13 6 August 2019 17 September 2019 Amendment to the Framework resulting from consultation and research include: purpose, principles (including key elements within the principles), realignment of the mandatory policy groupings, definitions, and addition of the General Disposal Authority for State Government Information.
14 17 September 2019 17 October 2019  Aboriginal standardised position information added to Request Form (Related Document) and Information Compendium (Supporting Information).
15 17 October 2019 6 May 2020 Major Amendment MP 0015/16 Information Access, Use and Disclosure Policy. Rescindment of IC 0177/14 from Supporting Information.
16 6 May 2020 7 May 2020 New MP 0135/20.
17 7 May 2020 15 June 2020 Rescindment of IC 0208/14 Guidelines for the Release of Data from Supporting Information.
18 15 June 2020 29 June 2020 Rescindment of OP 1944/05 Mail Management and Postal Remittances Policy from Mandatory requirements.
19 29 June 2020 13 July 2020 Minor Amendment to remove the WA Data Linkage Branch Access and Charging Policy from Mandatory requirements. 
20 13 July 2020  10 August 2020 Major Amendment to MP 0058/17 Admission Policy
21 10 August 2020 21 September 2020 Rescindment of OD 0122/08 Freedom of Information Reporting within the Public Health System and OD 0574/14 Release of Information under the Freedom of Information Act 1992 (the 'FOI Act') - Policy and Guidelines
22 21 September 2020 22 October 2020 New MP 0143/20 Emergency Department Data Collection and Reporting Policy superseded OD 0205/09 Emergency Department and Emergency Services Patient-Level Data Collection and Reporting Policy. Rescinded OD 0464/13 Metadata Documentation Policy.
23 22 October 2020 1 December 2020 Rescinded OD 0558/14 Data Collection Policy. 
24 1 December 2020 4 December 2020 Publish New MP 0144/20 Information Retention and Disposal Policy to supersede MP 0002/16 Patient Information Retention and Disposal Schedule Policy and OD 0583/15 Digitisation and Disposal of Patient Records Policy
25 4 December 2020 16 February 2021 Publish MP 0145/20 Information Storage Policy to supersede OD 0559/14 Information Storage and Disposal Policy.  Publish MP 0146/20 Information Classification Policy to supersede OD 0537/14 Information Classification Policy.
26 16 February 2021 18 February 2021  New MP 0152/21 Information Management Governance Policy to supersede MP 0011/16 Data Stewardship and Custodianship Policy.
27 18 February 2021 18 March 2021  IC 0179/14 Guidelines for the Transmission of Personal Health Information by Facsimile Machine superseded by MP 0067/17 Information Security Policy.
28 18 March 2021 28 April 2021 Major Amendment to include additional Related document to MP 0144/20 Information Retention and Disposal Policy.
29 28 April 2021 11 May 2021 Minor amendment to MP 0135/20 Information Breach Policy for Related document Information Breach Notification Form.
30 11 May 2021 Current  New MP 0157/21 Establishment and Workforce Data Policy to supersede MP 0091/18 Workforce Data Policy.


This policy framework has been approved and issued by the Director General of the Department of Health as the System Manager.

Approval by: Dr David Russell-Weisz, Director General, Department of Health
Approval date: 01 July 2016
Date published: 19 July 2019
File number: F-AA-40150


This policy framework is binding on those to whom it applies or relates. Implementation at a local level will be subject to audit.

Glossary of terms

Term Meaning
Access The direct access by authorised users (both internal and external to the WA health system) to information within data collections managed by the Department or Health Service Providers. Typically, direct access is gained via a network and/or system login and password to a front-end information system or to a back-end database.
Business information Includes, but is not limited to, administration, corporate, workforce, human resources, financial or accounting information that may contain personal information.
Confidentiality Obligation imposed on persons by common law, statute and/or equity which requires that information of a certain character (e.g. personal or otherwise sensitive information) be treated in confidence by those to whom it is made known or becomes known.
Data The term 'data' generally refers to unprocessed information, while the term 'information' refers to data that has been processed in such a way as to be meaningful to the person who receives it. In this policy the terms 'data' and 'information' have been used interchangeably and should be taken to mean both data and information.
Data linkage A complex technique connecting data records within and between datasets thought to relate to the same person, place, family or event. Data linkage typically uses demographic data (for example: name, date of birth, address, sex, medical record number) and facilitates analysis of linked information in a way that protects individual privacy.
Disclosure A person discloses information if they: cause the information to appear, allow the information to be seen, make the information known, reveal the information or lay the information open to view.
Disposal Refers to the action or process to destroy.
Duty of confidentiality Obligation imposed on persons by common law, statute and/or equity which requires that information of a certain character (e.g. personal or otherwise sensitive information) be treated in confidence by those to whom it is made known or becomes known.
Health information Has the meaning given in the Health Services Act 2016 in section 213 as:
(a) information, or an opinion, that is also personal information, about:
      (i) the health (at any time) of an individual; or
      (ii) a disability (at any time) of an individual; or
      (iii) an individual's expressed wishes about the future provision of health services to the individual; or
      (iv) a health service provided, or to be provided, to an individual; or
(b) other personal information collected to provide, or in providing, a health service.
Health Service Provider Health Service Provider means a health service provider established under section 32 of the Health Services Act 2016 and may include North Metropolitan Health Service (NMHS), South Metropolitan Health Service (SMHS), Child and Adolescent Health Service (CAHS), WA Country Health Service (WACHS), East Metropolitan Health Service (EMHS), Quadriplegic Centre, PathWest and Health Support Services (HSS).
Human Research Ethics Committee (HREC) A human research ethics committee constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research.
Information Refer to data.
Information Governance Refers to the processes used to manage the availability, usability, integrity and security of information assets.
Information Lifecycle Information lifecycle is the sequence of operational activities for managing information from creation to disposal. The activities within the information lifecycle are collection, storage, access/disclosure, use and disposal.
Information Management Refers to the management of information across all stages of the information lifecycle.
National Statement Refers to the National Statement on Ethical Conduct in Human Research, which is a series of guidelines produced in accordance with the National Health and Medical Research Council Act 1992 (Cwlth) clause 7(1)(a).
Personal information

Has the meaning given in the Freedom of Information Act 1992 in the Glossary clause 1:

Means information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual, whether living or dead -

(a) whose identity is apparent or can reasonably be ascertained from the information or opinion; or

(b) who can be identified by reference to an identification number or other identifying particular such as a fingerprint, retina print or body sample.

Privacy¹ An individual's right or expectation that their information will be maintained securely and in confidence.
Secure/Protected Refers to information that is secured and protected from unauthorised access or misuse across all stages of the information lifecycle.
Use A person ‘uses’ information if they: employ the information for some purpose, put the information into service, turn the information to account, avail themselves of the information or apply the information for their own purposes.
WA health system Pursuant to section 19(1) of the Health Services Act 2016, means the Department of Health, Health Service Providers and to the extent that Contracted Health Entities provide health services to the State, the Contracted Health Entities.

¹ National Health and Medical Research Council - Principles for Accessing and Using Publicly Funded Data for Health Research Canberra