AI Scribe Privacy Act Compliance for Australian Clinicians — APP 8 Explained [2026]
The Australian Privacy Principles apply to every AU clinician using AI in patient care. Here is how APP 8 changes the game between AU-resident AI scribes (Heidi, Lyrebird) and US-resident tools (ChatGPT, Claude.ai).
Quick answer
Australian Privacy Principle 8 governs offshore disclosure of personal information. For AI scribes, it works like this:
- AU-resident AI scribes (Heidi, Lyrebird) — data stays in Australia. APP 8 doesn't apply. Privacy Act-compliant by default.
- US-resident AI tools (ChatGPT, Claude.ai, Gemini) — data is disclosed offshore. APP 8 applies. Requires explicit patient consent for the offshore disclosure, plus reasonable steps to ensure the overseas recipient handles it consistently with the Privacy Act.
- Enterprise AU-residency LLMs (Microsoft Copilot for Healthcare, AWS HealthScribe with AU region) — middle tier. AU residency is configurable; check your specific subscription before assuming compliance.
What APP 8 actually says
Australian Privacy Principle 8 is short: before disclosing personal information to a person or entity outside Australia, the disclosing entity must take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles (APPs) in relation to that information.
The exceptions are narrow:
- The individual has consented to the disclosure
- The recipient is bound by a law or scheme substantially similar to the APPs
- A permitted general situation or permitted health situation applies (e.g. life-threatening emergency)
- The disclosure is required by an Australian law
For routine clinical AI use, only the first exception (explicit patient consent) is practically available — and it must be informed consent, not buried in a consent-to-treatment form.
Why AU-resident AI scribes avoid the entire problem
Heidi Health and Lyrebird Health are Australian-built AI scribes that store and process patient data on Australian infrastructure. Because no offshore disclosure occurs, APP 8 does not apply.
This is the cleanest path to Privacy Act compliance:
- No need to document offshore-disclosure consent
- No need to assess the overseas recipient's Privacy Act compliance
- The audit trail is simpler — Australian-resident data, Australian-jurisdiction recourse
Both vendors build the broader consent-to-AI-use process into the workflow as well, so the obligations under the AHPRA AI guidelines and under the Privacy Act are satisfied together.
If you must use ChatGPT, Claude, or Gemini for clinical work
There are legitimate reasons to use general-purpose LLMs in clinical work — translation, patient information sheets, exercise programs in plain language. The trick is to do it without breaching APP 8.
Two workable approaches:
- Strip all personal information from the input. De-identified data falls outside the Privacy Act's reach. Generic clinical scenarios for prompt-writing, anonymised case examples for education, exercise programs that reference a hypothetical patient — all fine.
- Obtain explicit patient consent for the offshore disclosure. Document the consent clearly, including what data will be sent and which tool will be used. This is rarely practical at scale but workable for specific use cases (e.g. complex translation for a non-English-speaking patient where ChatGPT outperforms domestic options).
What is not workable: pasting identifiable clinical material into ChatGPT for note-writing as a routine workflow. This is the most common practice we see and the highest-risk one.
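As an added example (not code from this article or from any vendor it names), the following Python module is a pre-send gate that implements both workable approaches: it de-identifies the input by default and records what it stripped, and it releases identifiable text only against a consent record that names the specific tool and the categories of data the patient agreed to send. The identifier patterns, the Medicare check-digit rule (taken here as an assumption from public documentation), the consent record shape and the sample note are all constructed for illustration.

```python
"""Pre-send gate for general-purpose offshore LLMs: de-identify by default,
release identifiable text only under a documented, tool-specific consent.

Added example, not code from the article or from any vendor it names.
Patterns, consent record shape and sample note are constructed."""
import re
from dataclasses import dataclass, field

# Constructed patterns for structured identifiers common in AU clinical notes.
MEDICARE_RE = re.compile(r"\b[2-6]\d{3}[ -]?\d{5}[ -]?\d(?:[ -]?\d)?\b")
DOB_RE = re.compile(r"\b(?:0?[1-9]|[12]\d|3[01])/(?:0?[1-9]|1[0-2])/(?:19|20)\d{2}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
AU_PHONE_RE = re.compile(r"(?<!\d)(?:\+61|0)[2-478](?:[ -]?\d){8}\b")


def medicare_check_digit_ok(digits: str) -> bool:
    """Assumed check-digit rule for the 10-digit Medicare card number:
    weights 1,3,7,9,1,3,7,9 over the first eight digits, sum mod 10 must
    equal the ninth digit. Reduces false hits on other 10-digit numbers."""
    weights = (1, 3, 7, 9, 1, 3, 7, 9)
    total = sum(int(d) * w for d, w in zip(digits[:8], weights))
    return total % 10 == int(digits[8])


@dataclass
class Redaction:
    text: str
    findings: list = field(default_factory=list)  # identifier labels removed


def redact(text: str, known_identifiers=()) -> Redaction:
    """Replace identifiers with bracketed labels and record what was found."""
    findings = []

    def mark(label):
        def sub(_match):
            findings.append(label)
            return f"[{label}]"
        return sub

    # Names and addresses cannot be found reliably by regex; the caller passes
    # the values it already holds in the patient record.
    for ident in known_identifiers:
        text, count = re.subn(re.escape(ident), "[IDENTIFIER]", text, flags=re.IGNORECASE)
        findings.extend(["IDENTIFIER"] * count)

    def medicare_sub(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not medicare_check_digit_ok(digits):
            return match.group(0)  # fails the check digit: leave it in place
        findings.append("MEDICARE")
        return "[MEDICARE]"

    text = MEDICARE_RE.sub(medicare_sub, text)
    text = DOB_RE.sub(mark("DOB"), text)
    text = EMAIL_RE.sub(mark("EMAIL"), text)
    text = AU_PHONE_RE.sub(mark("PHONE"), text)
    return Redaction(text, findings)


@dataclass(frozen=True)
class OffshoreConsent:
    """Documented patient consent for offshore disclosure (constructed shape)."""
    patient_id: str
    tool: str                   # the specific tool the patient agreed to
    data_categories: frozenset  # identifier labels the patient agreed may be sent
    recorded_on: str            # ISO date the consent was recorded


class OffshoreDisclosureBlocked(Exception):
    pass


def prepare_offshore_input(text, tool, known_identifiers=(), consent=None,
                           send_identifiable=False):
    """Return (text_to_send, audit_line). Default: de-identified text goes out.
    Identifiable text goes out only when a consent record names this tool and
    covers every identifier category present in the text."""
    red = redact(text, known_identifiers)
    categories = sorted(set(red.findings))
    if not send_identifiable:
        return red.text, f"{tool}: sent de-identified; removed {categories}"
    if consent is None or consent.tool != tool:
        raise OffshoreDisclosureBlocked(f"no documented consent for offshore disclosure to {tool}")
    uncovered = [c for c in categories if c not in consent.data_categories]
    if uncovered:
        raise OffshoreDisclosureBlocked(f"consent for {tool} does not cover {uncovered}")
    return text, (f"{tool}: identifiable data sent under consent of {consent.patient_id} "
                  f"recorded {consent.recorded_on}; categories {categories}")


# Constructed sample note; the Medicare value is built to satisfy the check digit.
SAMPLE_NOTE = ("Pt Jane Citizen, DOB 14/03/1978, Medicare 2123 45670 1, ph 0412 345 678. "
               "Needs a plain-language home exercise program for rotator cuff rehab.")

if __name__ == "__main__":
    sent, audit = prepare_offshore_input(SAMPLE_NOTE, "ChatGPT", ("Jane Citizen",))
    print(sent)
    print(audit)
```

Regexes only catch structured identifiers; names, addresses and free-text details have to be supplied from the record (the `known_identifiers` argument) or come out of a proper de-identification review, so an empty findings list means "nothing structured was found", not that the text is de-identified. The audit line is the record you keep of which tool received what, and under which consent.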
Compliance frameworks made practical
The AHPRA AI guidelines, the Privacy Act and indemnity insurers' positions are interlocked. The AI in Clinical Practice short course walks through all three with worked examples. Get the free 1-page AI Safety Checklist first.
Get the AI Safety Checklist (free)