Education
5 min read

AI Scribes and Patient Data Privacy in Australia

Published on
January 1, 2026
Contributors
Adrian Lee

Patient data handling is a primary evaluation criterion for any AI scribe deployed in Australian practice. The regulatory framework around it is more explicitly articulated than the framework for many other digital health tools.

This article covers what the Australian Privacy Principles require, what the TGA's August 2025 guidance on digital scribes adds, what medical defence organisations have said, and how Lyrebird is structured in relation to each.

The Regulatory Framework

Three sources of requirements apply, and they operate largely in parallel rather than overlapping.

The Australian Privacy Principles govern the collection, use, and disclosure of personal and sensitive health information. APP 3 covers collection, APP 6 covers use and disclosure, APP 8 covers cross-border disclosure, and APP 11 covers security of stored information. All four apply to AI scribe use.

The TGA's August 2025 guidance on digital scribes identifies informed consent, consumer rights in relation to personal information, review of software updates, and reporting of safety concerns as specific responsibilities for safe and appropriate use.

Medical defence organisation positions, including those from Avant, MDA National, and MIPS, recommend documented patient consent before AI scribe use and treat this as comparable to any material change in how consults are conducted and recorded.

What This Means for Data Handling in Practice

Five operational considerations follow from the framework.

Consent. Patient consent is required before the scribe is used, and it must be meaningfully informed. This means covering what the tool is, what it does with the audio, where the data is processed, who has access to the note, and the patient's right to decline.

Data residency. Where patient data is processed and stored determines whether APP 8 offshore-transfer disclosure obligations apply. Data processed and stored within Australia falls outside APP 8. Data processed or stored overseas requires specific disclosure to the patient at the point of collection, with some narrow exemptions.

Audio handling. The retention policy on audio recordings is material. Lyrebird deletes audio at the end of the consult and does not retain recordings. Some products retain audio for a period for accuracy improvement or audit purposes, which has implications for both privacy and storage risk.

Training data. Some scribes use patient conversations to train or improve their models. This is a meaningful additional handling pathway beyond the primary clinical purpose, and the consent basis for it is narrower. Lyrebird does not use customer data for model training, and this is stated in the contract.

Security. APP 11 requires reasonable security measures. The specifics for an AI scribe include encryption in transit and at rest, access controls, audit logging, and incident response capability.

How Lyrebird Is Structured

Lyrebird's data handling is designed to keep all processing and storage within the Australian regulatory perimeter.

Audio is captured through the browser or desktop app, transmitted to Australian servers for processing, and deleted once the draft is generated. No audio recording is retained after the consult.

Transcripts and generated notes are stored on Australian servers with AES-256 encryption in transit and at rest. Access controls and audit logs are in place, and customers can export both note content and consent logs on request. See the Lyrebird compliance page for the full position.

Lyrebird does not use customer data for model training. Specialty-specific models are trained on aggregated non-identifying data and on explicitly licensed datasets, not on customer conversations.

Consent is logged per consult with timestamps, producing a retrievable and exportable audit trail for MDO query, internal review, or audit purposes.
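The per-consult consent record described above is easy to state and easy to get wrong in practice, so here is an added example of what one looks like in code. It is not Lyrebird's implementation and is not taken from the page: the field names, the consent-text version label, the pseudonymous patient reference and the hash chain that makes the log tamper-evident are all assumptions of this example. It records consent (or a decline) with a UTC timestamp, retrieves records by consult id, verifies the chain, and exports the log as JSON lines for an MDO query or audit.

```python
# Added example, not Lyrebird's code: a minimal append-only consent log with
# one timestamped record per consult, retrieval by consult id, integrity
# verification and export. Field names and the hash chain are assumptions.
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentRecord:
    consult_id: str
    patient_ref: str           # practice-side reference, not a name or Medicare number
    clinician_id: str
    consent_given: bool        # a decline is still logged, with consent_given=False
    consent_text_version: str  # which wording the patient was read or shown
    processing_region: str     # what the patient was told about where data is processed
    recorded_at: str           # ISO-8601 UTC timestamp
    prev_hash: str             # hash of the previous record; chain starts at 64 zeros
    record_hash: str = ""


class ConsentLog:
    """Append-only log. Each record's hash covers its own fields plus the previous
    record's hash, so an edited or deleted record is caught by verify()."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    @staticmethod
    def _digest(rec: ConsentRecord) -> str:
        body = asdict(rec)
        body.pop("record_hash")  # the hash is computed over everything but itself
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, *, consult_id: str, patient_ref: str, clinician_id: str,
               consent_given: bool, consent_text_version: str, processing_region: str,
               now: datetime | None = None) -> ConsentRecord:
        ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
        prev = self._records[-1].record_hash if self._records else self.GENESIS
        rec = ConsentRecord(consult_id, patient_ref, clinician_id, consent_given,
                            consent_text_version, processing_region, ts, prev)
        rec = ConsentRecord(**{**asdict(rec), "record_hash": self._digest(rec)})
        self._records.append(rec)
        return rec

    def for_consult(self, consult_id: str) -> list[ConsentRecord]:
        """Retrieve every consent record logged for one consult."""
        return [r for r in self._records if r.consult_id == consult_id]

    def verify(self) -> bool:
        """True only if every record's hash and chain link are intact."""
        prev = self.GENESIS
        for r in self._records:
            if r.prev_hash != prev or self._digest(r) != r.record_hash:
                return False
            prev = r.record_hash
        return True

    def export_jsonl(self) -> str:
        """Export for an MDO query or audit: one JSON object per line."""
        return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in self._records)


def demo() -> ConsentLog:
    """Build a log from constructed sample data: one consent, one decline."""
    log = ConsentLog()
    t0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    log.record(consult_id="C-1001", patient_ref="P-77", clinician_id="DR-3",
               consent_given=True, consent_text_version="v2",
               processing_region="AU", now=t0)
    log.record(consult_id="C-1002", patient_ref="P-78", clinician_id="DR-3",
               consent_given=False, consent_text_version="v2",
               processing_region="AU", now=t0.replace(minute=20))
    return log


def tamper_detected() -> bool:
    """Flip one field of the first record and confirm verify() catches it."""
    log = demo()
    first = log._records[0]
    log._records[0] = ConsentRecord(**{**asdict(first), "consent_given": False})
    return not log.verify()


if __name__ == "__main__":
    log = demo()
    print(log.export_jsonl())
    print("chain intact:", log.verify(), "| tamper detected:", tamper_detected())
```

The decline is logged just like a consent, because the question a practice may later have to answer is not only "did this patient consent" but "was this patient asked". The hash chain is a small addition beyond what the page describes; it means the exported file can be checked for gaps or edits rather than taken on trust.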

The APP 8 Position

APP 8 applies when personal information is disclosed to an overseas recipient. It requires either (a) reasonable steps to ensure the overseas recipient complies with the APPs, or (b) specific patient consent to the disclosure. For AI scribes, this is most commonly engaged when audio or transcripts are processed on servers outside Australia.

The practical consequence is that an Australian practice using a scribe with offshore processing is required to disclose that to patients at the point of consent, and the consent conversation is correspondingly more complex. Practices using Australian-processed scribes avoid this requirement entirely.

Lyrebird's processing and storage are wholly within Australia, so APP 8 does not apply to its normal operation.

What to Ask a Vendor About Data Handling

Six questions cover the material points.

  1. Where is patient data processed, and where is it stored? Look for specific answers with location details, not general statements about "secure cloud infrastructure".
  2. What happens to audio recordings after the consult? Look for immediate deletion, not retention.
  3. Is customer data used to train the vendor's models? Look for an explicit no, documented in the contract.
  4. What encryption and access controls apply to stored data? Look for industry-standard encryption and documented access control architecture.
  5. How is consent recorded, and is the record exportable? Look for per-consult, timestamped consent logging with export capability.
  6. What is the data-breach notification process, and what response time applies? Look for a clear channel and response time, consistent with the Notifiable Data Breaches scheme.

For the broader set of vendor evaluation questions covering quality governance, see the Evaluating Ambient Documentation Vendors checklist.

Patient-Facing Communication About Data Handling

Patients increasingly ask about data handling during consent conversations, and the answers should be concrete rather than general. Concrete answers typically cover: where data is processed and stored (Australian servers, with specifics), what happens to the audio (deleted after the consult), who has access to the note (the clinician and the clinical team, not external parties), and the patient's right to decline without it affecting their care.

For practices wanting to give patients a take-home reference, a short written summary is more useful than verbal explanation alone.

Next Steps

To trial Lyrebird directly, book a demo. Lyrebird Free is available at no cost to Best Practice clinics.
