A Psychologist’s Guide to Breaches of Confidentiality

26/02/2026 — Nicholas Conroy

It’s a scenario that keeps practitioners awake at night. That sinking feeling when you realise an email with client details went to the wrong address. The momentary panic when you can’t find the notebook you used for session notes. It’s the quiet dread of an audit, wondering if your ad-hoc system of spreadsheets and Word documents is truly compliant.


These aren’t abstract risks; they are tangible anxieties rooted in the daily realities of running a practice. Every psychologist knows that confidentiality is the bedrock of the therapeutic relationship. Without it, trust is impossible.

And yet, the pressure to manage caseloads, meet supervision requirements, and stay on top of CPD often leads to administrative shortcuts that create real vulnerabilities.

What is a Breach of Confidentiality in Practice?

A breach of confidentiality is, at its heart, the unauthorised disclosure of sensitive client information. It’s a fundamental violation of the professional trust that underpins everything we do. These breaches aren’t always dramatic data thefts; they can be as simple as an accidental email to the wrong person or a conversation overheard in the waiting room.

The landscape of psychological practice has expanded far beyond the traditional consulting room. Telehealth sessions, digital note-taking on personal devices, and communicating through third-party apps all introduce new layers of complexity. While these tools offer incredible convenience, they also widen the potential for breaches of confidentiality.

An unsecured home Wi-Fi network, a family member using a shared laptop, or a software platform that doesn’t meet Australian privacy standards can all lead to unintentional and damaging disclosures.

The AHPRA Standard for Confidentiality

The Australian Psychological Society (APS) Code of Ethics, which is adopted by the Psychology Board of Australia (PsyBA), is unequivocal on this. Standard A.5, Confidentiality, forms the very foundation of our professional conduct, mandating that we safeguard the confidentiality of information obtained during our provision of psychological services.

"Psychologists safeguard the confidentiality of information obtained during their provision of psychological services. They disclose confidential information to others only with the consent of the client or a person with legal authority to act on behalf of the client..." - APS Code of Ethics

This principle isn't just a rule to follow; it’s a living commitment to our clients' safety and autonomy. Every decision we make, from how we store our files to how we discuss cases in supervision, must be viewed through this lens.

The Risk is Real, Not Theoretical

In the first half of 2023 alone, Australia's healthcare sector reported 102 data breaches to the Office of the Australian Information Commissioner (OAIC)—the highest of any industry. For psychologists, this isn't just a statistic; it represents real risks to client session notes, supervision logs, and CPD records.

With 67% of these breaches linked to malicious attacks, the need for robust, compliant systems is more critical than ever. You can explore more about healthcare cybersecurity statistics in Australia to understand the broader context.

This guide is designed to move beyond simply reciting the regulations. Instead, it offers practical, actionable advice to help you validate your concerns and fortify your practice against the real-world risks of a confidentiality breach.

Recognising a Breach in Your Practice

When you think of a data breach, it’s easy to picture a dramatic, Hollywood-style cyberattack. The reality in a psychology practice is usually far less exciting. More often than not, a breach of confidentiality is a quiet, unintentional slip-up that happens between sessions or while rushing through admin.

The biggest risk isn't some shadowy hacker. It’s the small, everyday habits that can accidentally leave sensitive client information exposed.


To really understand what a breach looks like day-to-day, you have to translate the dense legal language of the Privacy Act 1988 and its Australian Privacy Principles (APPs) into real-world scenarios. It’s about learning to see your daily workflow through a compliance lens.

Put simply, a breach isn't just about losing data. It’s any unauthorised access, disclosure, or loss of personal information that your practice holds. That definition is deliberately broad, covering everything from your digital files right down to handwritten notes.

From Legal Text to Daily Practice

The Australian Privacy Principles, especially APP 6 (Use or disclosure of personal information) and APP 11 (Security of personal information), are the foundation of your legal duties. APP 11 is the big one here—it requires you to take "reasonable steps" to protect client information. But what on earth does "reasonable" mean when you’re juggling a packed caseload?

It means spotting the hidden weak points in things you do every single day. These are the moments where good intentions don't quite meet legal standards, creating genuine risks for your clients and, ultimately, for your practice.

The core issue is rarely malice. It’s almost always a gap in process. A practitioner can have the deepest respect for client privacy and still cause a breach because of an insecure workflow or a momentary lapse in concentration.

So, let's get practical and look at what these breaches actually look like on the ground.

Common Scenarios and Hidden Risks

Many breaches happen in situations that feel completely routine. The danger is that their familiarity can make the risk invisible. Do any of these sound familiar?

  • Corridor Consultations: You grab a trusted colleague in the hallway to quickly discuss a complex case. Even if you don’t use the client's name, you might share just enough detail about their unique situation, job, or family for them to be identified. That’s a verbal disclosure without consent.

  • The Unattended Screen: You step away from your computer to make a coffee, leaving a client's file open on the screen in a shared office space. This is a classic example of unauthorised access—anyone walking past can see that sensitive information.

  • Insecure Digital Chats: You send a quick update to a client via a standard messaging app or share a file with your supervisor using your personal email. Unless those channels are end-to-end encrypted and specifically verified for health information, that data is vulnerable.

These examples show just how easily the line can be crossed. The Privacy Act doesn't care whether a breach was intentional or accidental; the impact on the client is exactly the same. The responsibility is squarely on you to create a practice environment where these accidents are far less likely to happen.

A quick self-audit is a powerful place to start. Ask yourself:

  • Where are my client notes stored right now? Are they properly encrypted and password-protected?
  • When I discuss a case in supervision, what specific steps am I taking to de-identify the client?
  • Is the software I use for bookings, billing, and notes actually compliant with Australian privacy laws?

Turning these abstract legal duties into concrete, everyday actions isn't just about avoiding trouble. It’s about upholding the fundamental promise of safety and trust that makes therapy work in the first place.

How AHPRA and PsyBA View Confidentiality

When a potential breach of confidentiality happens, the first worry is usually for the client. The second, close behind, is about your professional standing. What do the Australian Health Practitioner Regulation Agency (AHPRA) and the Psychology Board of Australia (PsyBA) actually expect from you? It's a question that can feel pretty intimidating, but their perspective is grounded in clear, documented standards.

Getting your head around these standards isn’t about fearing an audit. It’s about building a practice so solid that the thought of an audit no longer keeps you up at night. Your obligations aren't just vague suggestions; they are concrete principles designed to protect the public and, just as importantly, uphold the integrity of our profession.

The PsyBA Code of Ethics as Your Compass

Your primary guide here is the PsyBA’s adopted Code of Ethics. The language is direct and doesn't leave much room for interpretation. The code makes it crystal clear that your responsibility for protecting client information is absolute, covering everything from your session notes to their billing details.

Think of it like this: three core pillars of the code directly govern how you handle confidential information.

  • Safeguarding Confidentiality (A.5): You have to protect all information gathered during your professional services. The only time you can disclose it is with the client's consent or when you have a specific legal or ethical duty to do so.
  • Secure Record-Keeping: You are required to store client records securely to prevent them from being lost or accessed by anyone who shouldn't see them. This applies just as much to an encrypted, password-protected digital system as it does to a locked filing cabinet.
  • Informed Consent for Disclosures (A.3): If you need to share information—say, with a GP or a school—you must get and document explicit, informed consent from the client. This isn't a quick chat; the consent must detail exactly what will be shared, with whom, and for what reason.

These aren't just lofty ethical ideals. They are the benchmarks against which your professional conduct is measured. If you're ever reviewed or audited, AHPRA and the Board will be looking for documented proof that your day-to-day practices line up perfectly with these principles.

The Notifiable Data Breaches Scheme

Beyond the ethical code, your legal obligations under the Privacy Act 1988 are a massive piece of the puzzle. For most private practices, the Notifiable Data Breaches (NDB) scheme is critical to understand. It's a mandatory reporting requirement that forces a very specific question: "Is this breach likely to result in serious harm?"

If a breach happens and you determine it's likely to cause serious harm to someone—think identity theft, financial loss, or significant psychological distress—you are legally required to notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC).

This isn't optional. The key here isn't whether harm has occurred, but whether it is likely to occur. It’s a forward-looking assessment that demands careful, documented reasoning.

For a sole practitioner, this can feel like a heavy weight to carry. The process involves a clear sequence of actions:

  1. Containing the breach immediately.
  2. Assessing the potential for serious harm.
  3. Notifying the OAIC and affected individuals if that threshold is met.
  4. Reviewing your processes to stop it from happening again.

This legal framework turns confidentiality from a passive duty into an active responsibility. It’s not enough to simply not share information; you must have provable systems in place to actively protect it. This is exactly what a supervisor needs to be able to verify, and what an auditor will look for evidence of in your practice governance.

By aligning your practice with these clear expectations from PsyBA and federal law, you shift from a place of anxiety to one of professional confidence. Your documentation becomes your shield, proving that your commitment to client confidentiality is baked into every single action you take.

Your Step-By-Step Incident Response Plan

It’s a stomach-dropping moment—that split second you realise a breach of confidentiality might have just happened. In the face of that anxiety, having a clear, pre-defined plan isn’t a luxury; it’s your most valuable professional asset. When you're under pressure, the last thing you want is to be guessing what AHPRA expects.

Following a structured process isn't about punishment. It's about accountability, managing risk, and demonstrating professional responsibility. A clear plan shows you’re taking the incident seriously and acting in line with your ethical and legal duties.

Step 1: Contain the Breach Immediately

Your first priority is to stop the bleeding. You need to prevent any further unauthorised access or disclosure, fast. Think of it as triaging the immediate damage. The right action depends entirely on what happened, but the principle is always the same: get control of the information as quickly as possible.

Immediate containment might look like:

  • Recalling an email sent to the wrong person.
  • Remotely wiping a lost or stolen device that holds client information.
  • Instantly changing the passwords for a compromised software account.
  • Securing a physical file that was left in an unsecured location.

This first step is critical. Make sure you document the exact time you became aware of the breach and every specific action you took to contain it. This note is the first entry in your incident log and will be vital for any reporting that follows.

Step 2: Assess the Risk of Serious Harm

Once the situation is contained, it's time to assess the potential fallout. This is where the Notifiable Data Breaches (NDB) scheme clicks into gear. Your legal obligation to report hinges on whether the breach is likely to result in serious harm to any of the individuals whose information was involved.

"Serious harm" isn't just about financial loss; it can be psychological, emotional, or reputational damage.

To figure this out, you need to consider the type of information involved (sensitive session notes versus basic contact details), the specific circumstances of the breach, and how likely it is that the information could be used maliciously. This assessment has a deadline—the Privacy Act expects you to do it within 30 days.

Meticulously document your reasoning. If you conclude that serious harm is unlikely, you must be able to justify why. That documented assessment is your proof of compliance, even if you decide not to notify anyone.

This flowchart shows how the different layers of oversight connect—linking PsyBA standards, AHPRA's enforcement role, and your direct professional responsibility.

[Figure: flowchart of the regulatory oversight process involving PsyBA, AHPRA, and psychologists.]

Essentially, your actions are guided by PsyBA's standards, overseen by AHPRA, and ultimately carried out by you—the practitioner responsible for protecting your client’s data.

To make this process more concrete, here's a checklist you can adapt for your own practice's incident response plan.

Incident Response Checklist for Psychologists

  1. Contain
     Action: Stop the unauthorised access immediately.
     Key consideration: Did I recall the email? Change the password? Secure the file?

  2. Log
     Action: Start an incident log with date, time, and initial actions.
     Key consideration: Every action from this point forward needs to be documented.

  3. Assess
     Action: Evaluate the type of data and potential for serious harm.
     Key consideration: Is this a "notifiable data breach" under the NDB scheme?

  4. Document
     Action: Write down the assessment and justification for your conclusion.
     Key consideration: This is my evidence of a timely and considered assessment.

  5. Notify
     Action: If serious harm is likely, notify the OAIC and affected clients.
     Key consideration: Is my communication clear, direct, and helpful?

  6. Review
     Action: Investigate the root cause of the breach.
     Key consideration: Was this a system failure, a process gap, or a human error?

  7. Prevent
     Action: Implement changes to prevent a recurrence.
     Key consideration: What new policy, training, or technology do I need?

This checklist provides a clear sequence of actions to ensure you meet your obligations without missing a critical step in the heat of the moment.

Step 3: Notify the Right People

If your assessment lands on "serious harm is likely," you have to act. The NDB scheme requires you to prepare a statement for the Office of the Australian Information Commissioner (OAIC). You also have to take reasonable steps to notify the individuals who are at risk.

Your notification to clients needs to be clear and direct. It should include:

  • A description of what happened.
  • The type of information that was involved.
  • Recommendations for steps they can take to protect themselves.

This is often the hardest part of the process, but being transparent is the only way to begin rebuilding trust. For those navigating complex funding schemes, it’s also good to understand how different reporting systems overlap. You can read more about the NDIS Commission's approach in our guide to the Serious Incident Response Scheme.

Step 4: Review and Prevent It from Happening Again

The final, and arguably most important, step is to learn from what happened. A breach of confidentiality is a painful experience, but it’s also a powerful learning opportunity. You need to conduct a thorough review to figure out what went wrong and identify the weak spots in your systems or processes that allowed it to happen.

Was it a technology failure? A gap in your workflow? A blind spot in your training?

Once you pinpoint the root cause, you must implement concrete changes to prevent it from happening again. This might involve adopting more secure software, updating your practice policies, or doing more training on data security. Document these changes as the final entry in your incident report. This shows auditors—and reassures you—that you have closed the loop and made your practice stronger.

Proactive Strategies to Prevent Breaches

The single most effective way to handle a breach of confidentiality is to stop it from ever happening. Shifting from a reactive to a proactive mindset is the most powerful change you can make to protect your clients, your reputation, and your practice. It’s about building defences into your daily workflow, not just crossing your fingers and hoping for the best.

Prevention isn’t about becoming a cybersecurity expert overnight or buying expensive, complicated software. It’s about being deliberate and methodical in three key areas of your practice: your digital tools, your physical workspace, and your admin processes. By shoring up each of these domains, you create layers of protection that make accidental disclosures far less likely.

Fortifying Your Digital Security

In a modern practice, your laptop and phone essentially hold the keys to the kingdom. Securing your digital world is non-negotiable. This is your core responsibility under Australian Privacy Principle (APP) 11, which requires you to take reasonable steps to protect the personal information you hold.

A few simple, high-impact actions can make all the difference:

  • Switch on Two-Factor Authentication (2FA): Turn on 2FA for every critical service you use—your email, your practice management software, and any cloud storage. A password by itself is no longer enough. 2FA adds that crucial second check, making it dramatically harder for someone to gain unauthorised access.
  • Use Encrypted Communication: Standard SMS and consumer-grade messaging apps are not secure enough for clinical communication. You need to choose platforms that offer end-to-end encryption for all messages and file transfers. This ensures only you and the intended recipient can ever read what’s inside.
  • Vet Your Software Providers: Before you sign up for any new tool for bookings, notes, or billing, ask the provider one direct question: "Can you provide a statement of compliance with the Australian Privacy Principles?" If they can't answer confidently or show you the documentation, they are not a suitable partner for your practice.

These aren't just technical boxes to tick. They are tangible proof that you are meeting your professional obligations under the PsyBA’s Code of Ethics to safeguard client information.

Securing Your Physical Environment

Confidentiality doesn't stop at your screen. The physical security of your office and documents is just as critical, especially if you work from home or in a shared space. Breaches can happen with something as simple as a document left on a printer or a notebook left on a desk.

Think about putting these essential protocols in place:

  • Have a Clean Desk Policy: At the end of every day, make sure no client files, notes, or identifying information are left visible. All physical documents should be stored away in a locked filing cabinet.
  • Secure Your Document Disposal: Never just throw client-related paperwork in the regular recycling bin. Use a cross-cut shredder for your sensitive documents, or engage a professional document destruction service.
  • Manage Your Screen View: A privacy screen filter for your monitor is a small investment with a big payoff, especially in co-working spaces. It’s a simple measure that stops wandering eyes from seeing sensitive client data on your screen.

A common mistake is to underestimate the risk of low-tech breaches. A stolen laptop is the classic example, but a casual conversation overheard by someone in the waiting room is another. Your physical environment needs to be managed with the same level of care as your digital one.

Refining Your Administrative Workflows

Your administrative processes are the connective tissue of your practice, and they are often where the most subtle and damaging breaches happen. Good, strong workflows are built on clear, repeatable protocols that leave no room for error or ambiguity.

The goal here is to design processes that make it easy to do the right thing and hard to make a mistake.

  • Standardise How You Share Information: Create a clear, written protocol for sharing client information with third parties like GPs, schools, or other specialists. This process must require a signed consent form that explicitly details what information will be shared, with whom, and for what purpose, which directly aligns with standard A.3 of the Code of Ethics.
  • Master the Art of De-Identification: When you're discussing cases in supervision or peer consultation, robust de-identification is absolutely critical. This goes way beyond just changing a client’s name. It means removing or altering any combination of details—age, profession, location, family structure—that could inadvertently identify them.
  • Review Access Permissions Regularly: If you work in a group practice, make it a habit to audit who has access to client records. Check that administrative staff only have access to the bare minimum of information they need to do their jobs. And crucially, revoke access immediately when someone leaves the practice.

Building these proactive strategies into the DNA of your practice transforms compliance from a source of anxiety into a genuine professional strength.

Building an Audit-Ready and Secure Practice

Compliance shouldn't be a mad scramble before an audit. It should be the natural outcome of how you work every day. That feeling of dread when you think about a potential AHPRA review? It usually comes from a nagging uncertainty about whether your records actually meet the Board's expectations. Building an audit-ready practice means creating a system where security and compliance are just part of the furniture, not a separate, stressful task.

The Psychology Board of Australia (PsyBA) is crystal clear about what it expects. Records must be detailed, accurate, and kept securely. This isn't just client session notes; it includes your supervision logs and all your CPD activities. For client files, you need to hold onto them for a minimum of seven years after the last contact. And if the client was a child, you must keep them until they would have turned 25.

The Problem with Disconnected Systems

So many of us start out juggling different tools. Spreadsheets for tracking hours, Word documents for notes, and a separate calendar for appointments. It feels familiar, but this patchwork approach creates some serious weak spots. Each file is an island, which massively increases the risk of data loss, inconsistent formatting, and accidental breaches of confidentiality.

Just imagine trying to prove your supervision ratio or your CPD compliance by piecing together a year's worth of disconnected files. It’s a nightmare. The stress is real, and one misplaced document can throw your entire record into question.

An audit doesn’t just check if you have records; it scrutinises the integrity of your entire record-keeping system. Using fragmented, unsecured tools makes it incredibly difficult to show the robust governance that PsyBA demands.

Embedding Compliance into Your Workflow

The smart alternative is to use a system that was designed for compliance from day one. A purpose-built platform turns best-practice record-keeping into a simple, repeatable habit. Instead of wrestling with different files, you capture client contact, supervision sessions, and CPD activities within one secure, coherent framework.

This approach gives you a few powerful advantages for staying audit-ready:

  • Centralised Security: All your professional records are stored in one encrypted place. This dramatically cuts down the risk of unauthorised access or loss compared to having files scattered across a local hard drive and a personal cloud account.
  • Standardised Entries: Your logs for client contact, supervision, and CPD all follow a consistent, PsyBA-aligned format. This ensures you capture all the crucial details, every single time. For a deeper look at related compliance, check out our guide on the National Safety and Quality Health Service (NSQHS) Standards.
  • Effortless Reporting: When you need to show your evidence to a supervisor or an auditor, you can generate comprehensive, defensible reports with a single click. No more late-night data entry.

An integrated approach makes sure your records are always secure, defensible, and lined up with professional standards. It frees you up to focus on what actually matters: your clients.

Common Questions About Confidentiality Breaches

Knowing the rules of confidentiality is one thing; applying them to the messy reality of clinical practice is another entirely. Here are some of the most common questions we see psychologists grapple with, answered from the perspective of Australian standards.

Do I Need to Report Every Minor Breach to the OAIC?

Not always, but you do need to be incredibly deliberate in your response. The Notifiable Data Breaches (NDB) scheme is triggered by an 'eligible data breach' – one that's likely to cause serious harm.

So, if you accidentally send an email to the wrong person but recall it immediately, and you can confidently assess that serious harm is unlikely, you may not need to formally notify the OAIC. The key word there is assess. You must document this assessment process meticulously. Show your work. If you have any doubt at all, your first call should be to your professional indemnity insurer. They're there to help you navigate exactly these kinds of grey areas.

What Are My Obligations for Client Record Requests?

Under Australian Privacy Principle 12, clients have a right to access their personal information. When you receive a request, the clock starts ticking – you have 30 days to respond.

However, this right isn't absolute. The Privacy Act outlines specific situations where you can deny access, such as if providing the information would pose a serious threat to anyone's life or health. Whatever you decide, your file should clearly document the request, your final decision, and the clinical and legal reasoning behind it.

How Does Confidentiality Work in Supervision Sessions?

The duty of confidentiality extends fully to supervision. While discussing cases is a cornerstone of good practice, you must always de-identify the client. This means using pseudonyms and stripping out any details that aren't clinically essential to the conversation.

Your supervisor is bound by the exact same ethical and legal obligations as you are.

A good supervision agreement will spell out these confidentiality duties explicitly. Remember, too, that your supervision logs are clinical records. They need to be stored just as securely as your client files to meet PsyBA requirements.

These issues often connect with other legal duties. To get a clearer picture of one of the most critical legal obligations, check out our guide to mandatory reporting training.


PracticeReady is built to embed AHPRA standards directly into your daily admin, making compliance second nature.
