Privacy and security

Successful clinical relationships are based on trust, open communication, empathy and mutual respect between a consumer and their healthcare provider.

Every consumer expects their personal and medical information will be protected and kept secure.
The use and disclosure of personal health information by NSW Health agencies must comply with the requirements of the Health Records and Information Privacy Act 2002 (NSW). This applies to virtual care and in-person consultations.

The Act requires health services to comply with 15 Health Privacy Principles, including principles relating to:

  • collection, use and disclosure of health information
  • transfer of health information outside of NSW.

Clinicians must ensure that services provided to consumers outside of NSW comply with relevant privacy requirements.

Confidentiality agreements

All NSW Health employees sign a code of conduct to ensure information is accessed and used appropriately.

Health services must document all people (including employees, contractors and consultants) who have access to confidential data, and ensure that each of these people has signed a confidentiality agreement.

Examples of confidentiality agreements can be found in the NSW Health Privacy Manual for Health Information.

Managing risks to privacy and confidentiality

Health services should have a documented process for managing risks to privacy and confidentiality.

At the start of a consultation, clinicians must inform the consumer that:

  • their confidentiality will be respected
  • all communication is secure
  • the session will not be recorded, but will be documented by taking clinical notes that will be entered into the consumer’s medical record (as for in-person consultations).

Consultations should always take place in a suitable and private environment, with minimal outside noise. This may include:

  • using signage to alert other staff that a virtual care consultation is in progress
  • educating consumers to join the virtual care consultation from a suitable environment where they will not be disturbed.

All hardware (devices) and software (computer programs and online platforms) must include privacy and security features that align with the NSW Health policies and guidelines listed below.

Consult your virtual care manager or lead, or the chief information officer (CIO), on the most suitable technology and software to ensure your consultations meet privacy and security requirements.

Key considerations for virtual care include the following:

  • Equipment, such as phones, laptops, data storage devices and remote desktops, must be secure. Devices, firewalls and virtual private networks (VPNs) must be kept up to date with the latest security patches.
  • Only use devices and platforms approved and supported by your organisation and/or eHealth NSW. This ensures you can provide a secure and private environment for delivering care.
  • Seek approval from your virtual care manager or lead before using personal devices to provide virtual care.
  • Consider how you store and share consumer information, such as images, to maintain privacy, security and confidentiality. Keep all reports provided for, or generated from, the consultation in appropriate secure storage. Ensure compliance with the NSW Government General Retention and Disposal Authority Policy (GDA17; 2020). Refer to Transfer of clinical information below for more information.
  • The following videoconferencing platforms are examples of those NOT approved for clinical use under the NSW Health Privacy and Security Framework (PSAF) (NSW Health network or VPN required to access the framework): Skype, FaceTime, Zoom, WhatsApp, Snapchat and Facebook Messenger.

When upgrading or identifying new digital platforms or equipment, always speak with your virtual care manager or lead first. They will engage your CIO and the ICT Manager to ensure you are following the most up-to-date policies and guidelines for privacy and security.

If you are looking to introduce new technology, such as remote monitoring solutions, clinical interfaces or mobile clinical apps, a comprehensive privacy and security assessment is required. Your virtual care manager or lead and CIO can help you to start the PSAF compliance process.

Related resources:

For more information, go to Technology and equipment.

While many devices have the functionality to record consultations, it is not standard practice to record virtual care sessions.

The primary purpose of a virtual care service is to provide consumer care. However, in exceptional cases, recording a virtual care session may be justified for a secondary purpose, such as education and training, research or evaluation of the service.

If you wish to record a session, you must first discuss this with the consumer and explain how the material will be recorded, used and stored, in line with local policies. Allow the consumer enough time to ask questions and to consider the reasons for recording the session.

Formalise and document consent to record

Consent to record must be formalised, as per your local organisation’s protocols. Where the consumer has an authorised representative, this is usually their spouse, parent, carer, a legal guardian or an enduring guardian appointed by the consumer. More information about this can be found in the NSW Health Privacy Manual for Health Information.

Document the consent in the consumer’s medical record and, where required, store written consent along with the recording. Invite the consumer to view the content of a recorded session before sharing it further.

Consumers have the right to decline or withdraw their consent at any time. Where possible, remove any identifying information as part of the editing process. For example, use an alias or ensure the consumer’s full name is not visible on tags, screens or documents appearing in the recording. Also ensure that personal information, such as date of birth, address and marital status, is not disclosed.

If you have a question regarding local protocols, including who is the ‘authorised representative’ of a consumer, contact the privacy officer in your health service.

A note about research projects

Recording sessions for research purposes should be included in the research project’s ethics approval application. Formal documentation is required for research projects. The consumer should be provided with information about the research project and a consent form. This should set out the purpose of recording the session, and how it will be recorded, stored and managed.

Recording a consultation by the consumer

A consumer, their carer or a family member may request to record a consultation or to access a recording initiated by the provider. These requests should be assessed according to the consumer’s circumstances, the purpose of the recording and how it will be used, including whether the intent is to share it with third parties. Recording a consultation and sharing it without the permission of all participants is illegal.

Your virtual care manager or lead, or your privacy officer, are your main contacts for support and information.

Transfer of clinical information

Transferring clinical information must be done securely to maintain consumer privacy and protect confidential information.

For a virtual consultation, it is important that the clinician has all the consumer information required. Please contact your local health district (LHD)/specialty health network (SHN) privacy contact officer or a local health information manager for advice on local policies and protocols regarding the transfer of clinical information.

For clinicians external to the LHD or SHN, clinical information will need to be sent via a secure messenger or file transfer service. Accellion Secure File Transfer enables NSW Health staff to send and receive documents and files over the internet or network in a secure manner.

For further information, please contact the privacy contact officer in your health service.

  • Documentation requirements for virtual care are the same as for in-person care, in line with the NSW Ministry of Health PD2012_069 Health Care Records – Documentation and Management Policy.
  • Documentation in the medical record is completed by all clinicians in accordance with medico-legal requirements.
  • Where virtual care is provided, it is recommended that notes in the medical record include the modality used, the names of all participants and their mode(s) of access, and whether the medical record was shared over a technology platform with other participants.
  • Clinicians are required to use secure platforms and devices when documenting and transferring clinical information in the field.
  • If care is being provided across health services, it is best practice to have consumer information documented in one record. Where cross-boundary services are provided, clinical documentation access and processes should be outlined in the Service Level Agreement. This may require dual registration of a consumer while NSW Health moves to a single digital consumer record.

All consumers must be given a copy of the NSW Health Privacy Leaflet for Patients, which can be emailed or posted. The leaflet includes information about:

  • how health information may be used and disclosed by NSW Health
  • how to make a privacy complaint.

Consumer information

Consumers are often asked to bring information to an appointment, such as a referral, test results, diagnostic images, lab reports, a discharge summary and their care plan. The information required is determined by their health provider(s) and reflects clinical standards, local guidelines and policies.

Where documentation is not kept within the consumer’s electronic medical record (eMR), the consumer may need to provide it in advance of a virtual care consultation. NSW Health staff may need to assist the consumer to transfer the information securely. This could involve:

  • using a secure messaging service
  • internal email or scanning
  • an NSW Health employee uploading information into the consumer’s record (if they have appropriate access to consumer records).

When using a videoconferencing platform, clinicians can share the consumer’s medical record and other files stored on the network or device. This could include previous episodes of care, electronic and paper charts, diagnostic images and lab reports.

If the consumer gives consent, you can also give carers and family members access to consumer portals or other technology platforms to support consumer care.

Legal considerations

Clinicians occasionally raise concerns regarding legal issues when implementing virtual care. These concerns are usually the same as those for in-person services, and are often easily resolved.

Some of these are addressed in our Frequently asked questions about virtual care in practice. You can also discuss any concerns with your virtual care manager or lead, who can escalate your query.

Further information

Relevant NSW Health policies and resources are listed below. If you have any questions about the application of privacy principles, contact the privacy officer in your health service.
