Understanding privacy laws: How to protect your patients’ personal information

While Cliniko does meet or exceed many of the world's privacy laws, protecting your patients' data is a shared responsibility. Learn how Cliniko helps you comply with various laws and where you can get more information on the requirements for your practice.

Doug Pohl


For a while now, we’ve been noticing some confusion around the privacy requirements of different countries and which regulations your practice needs to follow.

That’s totally understandable. Data privacy can be a tricky topic, and sometimes it’s tough to know what info you can trust. But for the sake of your patients and your business, it’s important to get it right.

That’s why we wanted to take a quick moment to share some of what we know about the various privacy laws, help you find more info, and let you know how Cliniko helps you comply with the different requirements.

What are the privacy laws for each country?

There are too many different laws to include in one article (at least in an article you might actually read). So instead, we’ll focus on the privacy laws that are most likely to affect our customers.

Our team has written thorough articles that take deep dives into each law. They’re all linked below, and in them, you’ll find lots of great info about what’s required of your practice and how Cliniko helps you comply. Just find the country or legislation you’re looking for and dive on in.

Australia

The Australian Privacy Principles (APPs) include topics ranging from anonymity to disclosure to security. Cliniko complies with every principle, and in some cases, we exceed the requirements.

To learn more about how Cliniko can help you follow the APPs, head over to our help site where we discuss each privacy principle and how Cliniko helps you stay in compliance.

European Union

The General Data Protection Regulation (GDPR) safeguards the privacy of all citizens within the European Union (EU) and the European Economic Area (EEA). And, as of 1 January 2021, that no longer includes the UK.

It’s a stringent set of laws that require taking some sizable steps in order to comply, like establishing a Data Processing Addendum, designating an in-house Data Protection Officer, and appointing an EU-based privacy representative.

If you have no idea what these things are, don’t worry. It’s all explained in the GDPR article on our help site.

United Kingdom

Since the UK officially left the European Union at the beginning of 2021, the EU’s GDPR no longer has ‘direct effect’ there.

There is now a new domestic privacy law called the ‘UK GDPR’, and it’s very similar to the EU law. It’s essentially a merging of the GDPR principles with the UK’s Data Protection Act 2018 (which was already in effect).

Here’s how the Information Commissioner's Office puts it:
‘The GDPR is retained in domestic law now the transition period has ended, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018.’

In many ways, this updated law is identical to the EU legislation, but not entirely. When they merged the laws, legislators made amendments that might impact some businesses. You can see these changes in the Keeling Schedules on the UK government website.

Please note that most practices will need to make some minor changes to their privacy policy and other legal documentation, and some practices will need to comply with both the UK and EU versions of the law.

We recommend checking with your professional organisation or legal advisor to get more details on how your practice might be affected by this change.

Canada

Canadian privacy laws are somewhat unique in that provincial regulations supersede the national privacy law known as PIPEDA. This means clinics are first required to follow the requirements of their home province.

Thankfully, the courts have decided that the provincial laws of Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador are substantially similar to PIPEDA. So when a clinic within one of these provinces complies with the provincial law, it becomes exempt from having to follow the national law.

There is a caveat to keep in mind, though. If you store or process data for clients based across provincial or national boundaries, you’ll need to stick to the requirements laid out in PIPEDA.

Take a look at our PIPEDA help article to get more details and learn how Cliniko can help you comply with these laws. And, for practices located in Alberta, Cliniko has Information Management Agreements available if you need one.

United States

The privacy laws of the United States are known as HIPAA. We’ve done our best to make it easier for you to follow these regulations by creating a ‘HIPAA privacy setting’ within your Cliniko account.

Enabling this support setting will trigger in-app guidance, privacy alerts, activity monitoring, and a lot of other great tools to help you stay compliant while using Cliniko.

Learn more about HIPAA and how we can help your practice meet the requirements.

Cliniko protects patient privacy.

Yes, Cliniko meets or exceeds the legislative privacy requirements for Australia, New Zealand, the European Union, the United Kingdom, Canada, and the United States. We make sure of it.

It’s a bold statement, but true. We have two designated privacy officers within our team who—as crazy as it might sound—love working with privacy laws.

It’s their job to keep up with all things privacy related and advise our team on changes that might need to be made to ensure that Cliniko is always in compliance.

We’ve laid out our privacy policy and data security information in detail on our website. If you can’t find what you’re looking for in either of those documents, just reach out to our friendly support team. They’ll be happy to help.

You also have an important role to play in protecting your patients’ privacy.

When you store your data and your patients’ private information on our secure servers, it’s our job to protect it and keep it confidential. This is a serious responsibility, and we take every precaution.

But we can only help with the info that has been entered into your account. There’s not much we can do beyond the boundaries of our software. How you collect and handle private information outside of Cliniko is totally in your hands.

You’ll want to take extra care with any information that could have been collected on paper or stored locally on a device. If you keep hard copies of your records, it’s your responsibility to make sure those records are stored securely.

It’s also important to sign out of your account when you’re not using it (especially on a shared device) and be aware of what information might be visible to others on the screen you’re working with.

What should you be doing to comply with the laws and protect your patients’ privacy?

It can sometimes be tough to know when certain privacy regulations might apply to your practice. Many practitioners only need to follow the laws of the country or region where their practice is located. However, there are some caveats to this.

For example, if you have patients who reside in a different jurisdiction from your practice, you may need to comply with the laws of that region as well. But not always. It depends on the variables involved.

Even if you feel confident in your knowledge of the laws, it’s worth making an effort to reach out to your professional organisation and ask for guidance. They make it their business to know these things and can often be your best resource.

With that in mind, there are some basic steps you can take that will go a long way toward protecting your patients and your business.

Create a privacy policy. You have good reasons for collecting the information you do. So let people know why you need it and what you’ll do with it. Be utterly honest and transparent. When it comes time to share your policy with patients, our secure digital forms are fully customisable and might be a good option for you.

Get patient consent. After you’ve created your privacy policy, be sure to get every patient’s signature to acknowledge their consent. It’s their personal info you’re working with. They deserve the chance to agree (or disagree) with how you plan to use it.

Train your team. Be sure that all your team members understand the best practices for protecting patients’ private info. They should also be well informed on your privacy policy and be able to answer questions for patients if needed.

Only collect what you need. When building new patient forms, make sure your practice truly needs the info you’re collecting. There should be a specific purpose for every piece of data. And re-examine your older forms while you’re at it. If something isn’t necessary, maybe you shouldn’t ask for it.

Don’t store data forever. The laws vary widely on how long you’re required to hold on to a patient’s data. But generally, the best practice is to not keep people’s private info for any longer than you’re required to. Check with the rules that apply to your jurisdiction as well as your professional association to determine the best plan for your practice.

If you have any questions on these steps or the laws that might affect your practice, it’s best to contact your professional association for guidance. And of course, you can reach out to our support team any time.

Author information

Doug is a writer. When he's not banging on the keyboard, you'll probably find him listening to old Willie Nelson records or chasing chipmunks on a mountain trail.
