Information Security Policy

Applicable to: This Policy is binding upon all Health Service Providers, the Department of Health and their staff.

Description: The WA health system depends on effective information security management to protect the confidentiality, integrity and availability of health information and systems. Protecting confidentiality is essential for maintaining the privacy of patients; protecting the integrity of health information is critical for ensuring patient safety; and ensuring the availability of information systems is critical for healthcare delivery.

Appropriate technical, physical and administrative security controls are required to safeguard the WA health system from inappropriate, illegal or accidental misuse, exposure or corruption of data and technology.

This Information Security Policy (Policy) outlines the security controls required to be implemented, monitored and reviewed across the WA health system. It aligns to the principles of the Australian Standards for information security management, which support a risk-based approach to information security that is appropriate to sensitivity, risk profile and business need.

The purpose of this Policy is to ensure:

  • appropriate information security controls are in place to protect health information and systems from theft, fraud, malicious or accidental damage, and privacy or confidentiality breaches; and
  • alignment with Australian Standards for Information Security:
    • AS/ISO 27002: 2015, Information Technology – Security techniques – Code of practice for information security management
    • AS/ISO 27799: 2011, Information security management in health using ISO/IEC 27002.

This Policy is a mandatory requirement under the Information and Communications Technology Policy Framework pursuant to section 26(2)(k) of the Health Services Act 2016.

This Policy supersedes the OD 0506/14 ICT Physical and Environmental Security Policy, OD 0505/14 Network Access Policy and IC 0179/14 Guidelines for the Transmission of Personal Health Information by Facsimile Machine.

Date of effect: 18 February 2021
