A range of laws apply to the storage of health information. Health agencies should have in place:
- procedures to give access to the information only to those people who are authorised to have access in order to use or disclose the information for the purpose for which it was collected
- security measures to prevent unauthorised access to the records
- where practicable, procedures for storing the information in a way that the identity of the person is not readily apparent from the face of the record, for example, by the use of identification codes
- where the record is not to be retained, procedures for destroying the records that protect the privacy of the information.