
What privacy rights apply when my doctor uses AI note-taking in a consultation?


AI-powered note-taking software is rapidly being adopted by medical practitioners across Australia. These tools listen to a consultation and automatically generate clinical notes — producing more accurate records and reducing post-visit dictation. But for patients, a natural question arises: where does my health information go, and who can access it?

Your Health Information Is Sensitive Information

Under the Privacy Act 1988 (Cth),[1] health information is classified as sensitive information — the category attracting the highest level of legal protection. The Australian Privacy Principles (APPs) impose specific obligations on health service providers and the technology vendors they use.

APP 3 — Collection

Health information may only be collected if it is reasonably necessary for the primary purpose of the service. Consent must be obtained before collecting sensitive information. Asking your permission before turning on AI note-taking — as Anna’s specialist did — is a legally required step, not merely a courtesy.[2]

APP 6 — Use and Disclosure

Information collected for one purpose (clinical notes) cannot be used for a different purpose (training the AI model) without your separate consent, unless a specific legal exception applies.[3]

APP 8 — Cross-Border Disclosure

If the AI software stores your health data on servers outside Australia, the health service provider must take reasonable steps to ensure the overseas recipient handles the data in accordance with the APPs.[4]

APP 11 — Security

The organisation must take reasonable steps to protect your health information from misuse, interference, loss, and unauthorised access.[5]

APP 12 — Access

You have the right to request access to any records generated about you — including AI-generated clinical notes.[6]

The Two Questions You Should Always Ask

  1. Is the data stored in Australia, or does it go overseas? If stored onshore, Australian law applies in full. If sent overseas, your practical ability to enforce your rights if something goes wrong is significantly reduced.

  2. Is the data used to train the AI model? LLMs are built by ingesting large volumes of data. Some providers allow consultation recordings to improve their models. If your health information feeds an AI training dataset, it could influence outputs provided to thousands of other users. Reputable medical AI providers contractually restrict this — but you should ask.

What If the Data Stays in Australia and Isn’t Used for Training?

If both conditions are satisfied, the practical privacy risk is very low. The AI functions like a secure digital dictation device — producing accurate, complete notes that improve your medical care. Andrew Bell noted dentists use similar technology to record running commentary during procedures.

Can You Refuse?

Yes. You can:

  • Decline consent at the outset — the practitioner must use another method.
  • Withdraw consent at any point during the consultation.
  • Ask for conditions — for example, that audio is deleted once notes are generated.

A practitioner cannot refuse to see you simply because you declined AI note-taking.

Lodging a Privacy Complaint

If you believe a health provider has misused your health information:

  1. Raise it directly with the practitioner or their practice manager.
  2. Complain to the OAIC at oaic.gov.au — most medical practices with turnover over $3 million are covered by the Privacy Act 1988 (Cth).
  3. Complain to AHPRA if you believe the practitioner’s conduct also raises professional standards issues.

Key Questions to Ask Before Consenting to AI in a Medical Consultation

  1. Where is my data stored — is it in Australia?
  2. Will my consultation data be used to train the AI model?
  3. Who else has access to the notes generated?
  4. What is your privacy policy for this software?

You can always request a copy of your AI-generated consultation notes under APP 12.

Professional Guidance

Bell & Senior Lawyers advises businesses — including medical and professional practices — on Privacy Act compliance, AI governance policies, and data handling obligations.

📞 (07) 5532 8777 | 🌐 bellsenior.com.au



  1. Privacy Act 1988 (Cth) s 6 (definition of sensitive information and health information). https://www.legislation.gov.au/Series/C1988A00119

  2. Privacy Act 1988 (Cth) Sch 1 APP 3.3 — an organisation must obtain consent before collecting sensitive information.

  3. Privacy Act 1988 (Cth) Sch 1 APP 6 — use or disclosure of personal information.

  4. Privacy Act 1988 (Cth) Sch 1 APP 8 — cross-border disclosure of personal information.

  5. Privacy Act 1988 (Cth) Sch 1 APP 11 — security of personal information.

  6. Privacy Act 1988 (Cth) Sch 1 APP 12 — access to personal information. See also OAIC, Guide to Health Privacy (May 2025). https://www.oaic.gov.au/__data/assets/pdf_file/0020/251183/Guide-to-Health-Privacy-Collated-May-2025.pdf
