Australian Government - Department of Health - Office of Hearing Services
Hearing Services Program

Management of Client Records Frequently asked Questions

The Department of Health (the Department) is responsible for managing and administering the Australian Government Hearing Services Program (the program).

As specified in the Service Provider Contract (the Contract), program client records are owned by the Commonwealth. Contracted Service Providers (providers) must manage, store, transfer and dispose of program client records in accordance with the Contract, program legislation, the Archives Act 1983 (the Archives Act), the Privacy Act 1988 (the Privacy Act) and the Freedom of Information Act 1982 (the FOI Act).

Client personal and health information is deemed sensitive information under the Australian Privacy Principle (APP) and extra precautions are required in the management of this information.

These pages contain answers to frequently asked questions about the management of client records created and/or held by providers. The FAQs should be read in conjunction with the Management of Client Records factsheet.

What must I keep in the client record?

The client record must contain any documents created or received in the delivery of services to program clients. It must also show records and evidence of all services provided to program clients sufficient to justify any claims for payment for those services. A client record is not ‘complete’ unless it contains all relevant information. Please refer to the Rules of Conduct 2012 (the Rules), the definition of ‘Records’ in the Contract, the Schedule of Service Items, the Hearing Rehabilitation Outcomes document, the Eligibility Criteria for Refitting and Provider Factsheets for details of the record requirements for specific services.

When a client record is requested by another provider, or by the department, it must include copies of any results and reports from electronic systems in a format that is accessible. If the client record is in paper format this would mean a printout of the documents, if in electronic format a copy in PDF or other accessible format must be included. You may wish to add these to the client record immediately as they are produced, or add them when the client record is requested. You may be required to show evidence of a process to ensure that complete client records are transferred.

The client record must also contain evidence of the client’s consent for you to collect, use and disclose the information where required.

What do ‘access’, ‘custody’ and ‘ownership’ mean?

Access is the right to view the information held in a client record. Access to a client record does not imply ‘custody’ or ‘ownership’ of that record.

Custody is the right to physical possession of a client record. The right to custody of a client record will usually assume the right of access, but does not assume ownership. The entity with custody of a client record is responsible for maintaining the record and ensuring it remains complete and accessible.

Ownership is the legal right to own a client record, and assign custody and access. Client records are Commonwealth records and are owned by the Australian Government.

How long must I keep client records?

Clause 4.2 of the Contract requires client records to be retained for a minimum of seven years from the date the record was created or from the date of the last amendment. The date of last amendment would be date of the last service provided to the client, the date of the last contact with the client or the date you are notified that the client is deceased. This is the ‘minimum retention period’.

What do I do with client records that are older than the minimum retention period?

Where all documents on a client record are older than the minimum retention period, client records may be destroyed.

  • You must not destroy a client record where any of the documents are within the minimum retention period. You also cannot destroy part of a client record, the record must remain complete for the entire minimum retention period.
  • For information on destruction, see ‘How can Commonwealth records be destroyed?’ below.

What does ‘accessible’ mean in reference to client records?

An accessible client record is one that can be viewed at any time by any person with the right to access the record. A client record that requires the use of specialised software to view it (in the case of electronic records) or contains pages that are faded, damaged, missing or otherwise illegible (in the case of paper records) is not accessible or complete.

Client records must be accessible for at least the minimum retention period.

What do I do if a client requests their record?

If a client requests their record, you may give them a copy or allow them to view the record.

  • Under APP 12, a client may submit, to either you or the department, a request for access to the personal information held about them. Your Privacy Policy should inform the client how to request this.
  • Access to the information does not give the client ownership or custody of the record.

What do I do with client records when my business is closing?

If you are closing your business, or your Contract is expiring or has been terminated, all client records that are not to be transferred to a new provider must be returned to the department.

  • Where a business has been sold to another provider, client records can only be transferred to the new provider if clients have been notified of the transfer and have been given the option to change to a different provider. This occurs as part of the closure process.

How can I store paper records?

Paper client records must be kept in a cabinet that cannot be accessed by anyone who does not need or require access. The storage system should be protected by a physical security system such as locks, alarms etc. Where a client record is required to be off-site (i.e. in transit to a visiting site or for a home visit), the record should be out of sight and preferably locked in the boot or other lockable container in the car.

  • APP 11 requires you to take such steps as ‘are reasonable in the circumstances to protect the information’.

What are the requirements for digitising paper records?

When digitising client records, the entire record must be digitised. The new electronic document must restrict future changes, or must be capable of recording any changes made, for example by using metadata. When digitising paper client records rigorous quality checking must be performed to ensure that client records remain complete and accurate.

  • You must ensure that the digitised documents are created in a format that will optimise the chances of being accessible for at least the minimum retention period, preferred formats are
    • open source (non-proprietary) formats
    • those which are widely used within the public sector
    • supported by several software applications or operating systems.
  • Formats used should be readable by a readily available viewing ‘plug-in’ if the specific production software is not available to all users.
  • The electronic client record must include a certification that a quality check has occurred, and that the electronic client record is an exact copy of the complete paper client record. This certification should include
    • the date the original paper client record was created 
    • the date the client record was digitised
    • the name of the person who digitised the client record
    • the date the quality check was performed
    • any issues found during the quality check and how these were rectified
  • the name of the person who performed the quality check.
  • Individual documents relating to a client must be packaged in one complete client record.
  • The new electronic record becomes the original client record.
  • The Digital Continuity 2020 Policy promotes a consistent approach to information governance across the Australian Government. It applies to government information, data and records, including those created by providers.
  • The National Archives of Australia (NAA) guide to ‘Digitising accumulated physical records’ provides useful information and tips on the digitisation of paper documents.

What do I do with paper client records when I have digitised them?

Where a paper client record has been digitised and confirmed as true and correct, the source record (paper client record) should be destroyed.

  • For information on destruction, see ‘How can Commonwealth records be destroyed?’

How can I store electronic records?

Electronic client records must be stored in a password-protected system that cannot be accessed by anyone who does not need or require access. The storage system should be protected with security software, and a disaster recovery and/or business continuity plan in place.

  • A dedicated Electronic Document & Records Management System (EDRMS) is preferred, rather than a standard computer folder system. An EDRMS is an automated software application designed to assist with the creation, management, use, storage and disposal of information and records. This could include some Office Management Systems (OMS).
  • It is preferred that any EDRMS incorporates the use of metadata. This is information embedded within an electronic document that is used by the EDRMS to identify and capture information on the usage of that document. This helps to ensure the client record remains accurate and complete, and any changes, amendments or people accessing the record can be identified.
  • APP 11 requires you to take such steps as ‘are reasonable in the circumstances to protect the information’.

Why do I need a disaster recovery or business continuity plan?

To ensure the integrity and availability of client records in electronic storage systems, you should have disaster recovery and business continuity plans. These plans should include the backup of electronic client records. This could be an internal or external backup. Either system must have protections at least equivalent to the production storage system, and must restrict access to only those who require it.

  • The use of an internal (on-site) backup must take into consideration the risk of a disaster occurring at the site and destroying both the original and backup copies of the client records.
  • The use of an external (off-site) backup service must take into consideration the location of the backup server and the backup service disaster recovery and business continuity plans.

Can I use cloud storage for client records?

The concern with cloud storage is the protection of the private health information of clients. You must not use systems such as Google Drive, Google Docs, Dropbox (except for the Department’s secure EDW Drop Box for audit purposes), iDrive, iDocs or any other unsecured cloud service.

Some cloud services have been assessed by the Australian Signals Directorate (the ASD) as meeting a base level of security (Unclassified with a Dissemination Limiting Marker (DLM)). A Certified Cloud Services List (CCSL) can be found on the Australian Cyber Security Centre (ACSC) website, noting that not all cloud service products listed are available to private businesses.

  • If you choose to use a service that has not been certified by the ASD, it is your responsibility to have the security of the service assessed. Only an independent Information Security Registered Assessors Program (IRAP) assessor can perform this assessment.
  • You must ensure that the service agreement with a cloud services provider states that the records will be hosted on an Australian server and will not be disclosed outside Australia. The agreement must also state that the records will be encrypted to at least the equivalent of Unclassified with a DLM of Sensitive Personal.
  • You should request a copy of the cloud services ASD Certification.

Top of Page

How can Commonwealth records be destroyed?

To destroy a Commonwealth record, it must be made unreadable and irretrievable. Paper documents must be cross-shredded (Class B shredder with maximum particle size 2.3mm x 25mm) or they can be destroyed using a destruction provider.

To ensure the complete destruction of an electronic client record, all copies should be found and destroyed. This includes removing and destroying copies contained in system backups and cloud storage.

If you destroy a client record, you must notify the department as soon as practicable after destruction and provide the following information

  • the client’s details
  • the type of record (paper or electronic)
  • the reason for destruction (older than the minimum retention period or digitised source record)
  • certification that a quality check of the client record occurred, and that the digitised record is an exact copy of the complete paper client record (for digitised source records)
  • the method of destruction.

This notification must be via email to

  • An electronic client record must not be destroyed if it has been converted to paper.

How can I transfer client records?

Client records can only be transferred between providers where the client has given their authorisation. See the ‘Managing client relocations’ provider factsheet for further information.

You must only transfer paper client records using registered mail or courier. Electronic client records can be transferred using registered mail or courier on a USB drive secured with a password, or using secure and/or encrypted email.

  • The client record may include a copy of any data from electronic systems such as NOAH or an OMS, but you must also include copies of any results and reports from the system in a format that is accessible. If the client record is in paper format this would mean a printout of the documents, if in electronic format a copy in PDF or other accessible format must be included. This is because if the new provider does not use the same software, the record is not accessible and is therefore incomplete.
  • Where a client record is in electronic format it must be transferred in electronic format. Every time a client record is printed and then scanned in to create a new electronic record, the quality of the record can be degraded. This does not meet departmental requirements for integrity and may result in the client record, or parts of the client record, not being accessible for the minimum retention period.
  • The Privacy Act acknowledges that ‘health information about an individual’ is sensitive information. Client records must not be transferred by unsecured email, as email systems are not secure enough for the transfer of sensitive information. If you wish to use a secure and/or encrypted email system for the transfer of electronic client records, you must consider the location of any storage, the security and compliance with the Privacy Act, the Archives Act and program requirements as part of your decision.
  • Where electronic client records are transferred and receipt has been confirmed, the client records should be destroyed, ensuring you keep any documents required under program legislation or the Contract.

Can I keep a copy of a transferred client record?

You must not keep a copy of any client record, or part of any client record, except where required under program legislation or the Contract.

Clause 11.12 of the Contract requires you to retain all original Claim Forms submitted to the Commonwealth or DHS for a period of at least seven years. Rule 28(4) of the Rules requires you to retain copies of all receipts issued to clients for a period of at least seven years. As these are no longer part of the transferred records, this would be seven years from the date of signing by the client or the date of the receipt.

What is a ‘Data Breach’?

Data breaches can occur in a number of ways. Some examples include

  • lost or stolen laptops, storage devices, or paper client records
  • hard disk drives and other digital storage media being disposed of or returned to equipment lessors without information being correctly destroyed
  • databases being ‘hacked’ or otherwise illegally accessed
  • paper records stolen from unsecured recycling or garbage bins or from cars
  • mistakenly providing personal information to the wrong person
  • an individual deceiving an agency or organisation into improperly releasing information.

The Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act) came into effect from 22 February 2018. As a health service provider and holder of personal health information (client records), you are subject to the NDB scheme.

  • The NDB scheme introduces an obligation to notify individuals whose personal information is involved in an eligible data breach that is likely to result in serious harm. This must include recommendations about the steps individuals should take in response to the breach.
  • Under the NDB scheme, an eligible data breach occurs if
  1. there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
  2. the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

What do I do if a data breach occurs?

If you suspect a data breach has occurred, the NDB scheme allows a period of 30 days in which you can conduct an assessment to determine if an eligible data breach has occurred.

If you identify an eligible data breach, you must notify the Office of the Australian Information Commissioner (OAIC) and follow the requirements under the NDB scheme. You must also notify the department as specified in clause 20.3(g) and clause 43.4 of the Contract.

  • Further information regarding identifying eligible data breaches and determining serious harm is available on the OAIC website.

Is the management of client records monitored by the department?

We check compliance with record keeping requirements as part of our compliance monitoring activities as outlined in the Compliance Monitoring and Support Framework.

Where required, we will notify the OAIC of any identified breaches of the Privacy Act and will follow the instructions of the OAIC in relation to any notified breaches.

Persistent or significant non-compliance with any of the legislative or contractual requirements in relation to program records management may result in referral for compliance actions up to and including actions under Section 6 of the Contract (Breach and Termination) and/or referral to the OAIC for actions under Part V of the Privacy Act (Investigations etc.).

Where can I get more information?

A provider factsheet on the Management of Client Records is available on the program website. Further advice and guidance on records management is available on the NAA website.

Top of Page



Management of client records FAQ (PDF 122 KB)

Provider Factsheet 6 - Management of Client Records

Provider Factsheet 1 - Documentation and Record Keeping

Complementary Content