OAIC 2025: The Gym Privacy Playbook
Gyms and fitness studios now sit squarely in health privacy territory. The OAIC’s updated Guide to Health Privacy (May 2025) confirms that if you collect member health information—think PAR-Qs, injury notes, or medical clearances—you must comply with the Privacy Act 1988 and the Australian Privacy Principles (and, in NSW, the HRIP Act). Here’s the story of how a two-location studio turned this from a compliance headache into a competitive advantage in one week.
1) Introduction: The Day Health Privacy Landed in the Squat Rack
“Wait—does this mean the PAR-Q makes us a health service?” Mia, a studio owner, asked her manager after reading the OAIC’s May 2025 update. The answer: yes. And with third-party apps, wearables, and an offshore CRM in play, Mia suddenly faced overseas disclosure obligations, explicit consent requirements, and readiness under the Notifiable Data Breaches scheme.
“Document your business or get out.” Mia’s mentor didn’t mince words. “If it’s not written, trained, and enforced, it isn’t real.”
This post follows Mia’s week—from chaos to clarity—so you can do the same.
2) The Realisation: Yes, You’re a Health Service (and the Laws Apply)
What this means in practice
- The Privacy Act 1988 and the APPs apply when you handle health information (e.g., PAR-Qs, injury and medical notes, clearances).
- NSW operators must also comply with the Health Records and Information Privacy Act 2002 (HRIP Act).
- Small business exemption? Health service providers are generally covered regardless of turnover, and many clubs with annual turnover over $3m are covered in any case.
- Transparency, legitimacy, and security are non-negotiable: collect only what’s reasonably necessary, keep it secure, and be clear about why and how you use it.
Mia’s lesson: treat privacy like safety—make it systematic, not ad hoc.
3) Data Mapping: Finding Every Place Health Data Enters (and Escapes)
Where health data hides
- Intake forms: PAR-Qs on paper and online.
- Coaching notes: injuries, modifications, medical clearances.
- Third-party apps: booking platforms, messaging tools, surveys.
- Wearables and integrations: heart-rate, body composition, performance metrics.
- Support channels: email attachments and DMs.
- CRM and file storage: who hosts it, where it lives, and who can access it.
90-minute mapping sprint
- Whiteboard every collection point and data element (what, why, where stored, retention).
- Mark if an overseas disclosure occurs (offshore CRM, app sub-processors, cloud regions).
- Assign a system owner for each data store and a lawful basis (consent/necessity).
- Create a single source of truth: a simple privacy register in your ops wiki.
- Flag “no reason” data for deletion; plan secure disposal of legacy paper and PDFs.
Mia’s team found seven “shadow” data flows they didn’t know existed, including a wearable integration syncing to a US data centre.
4) Minimisation and Consent: Fix the Forms, Say Why, Get Yes
Collect only what’s reasonably necessary
- Strip non-essential questions from PAR-Qs; align each field to a specific purpose.
- Set retention rules: e.g., archive after X months of inactivity, then securely destroy.
- Turn off default data fields in apps if you don’t need them.
Make consent explicit and understandable
- Use plain language: purpose, who sees it, where it’s stored, and if it goes overseas.
- Use a separate, unbundled consent tick box for health data and for wearable integrations.
- Explain withdrawal and alternatives (e.g., “You can train without wearables”).
- Link to your Privacy Policy and HRIP-compliant collection notice (for NSW).
After rewriting the PAR-Q and collection notices, Mia added a clear consent line: “I consent to the studio collecting and using my health information to provide training services, and I understand how and where it is stored, including any overseas disclosures.”
5) Vendor Reality Check: Apps, Wearables and Offshore CRMs
Overseas disclosure obligations in action
APP 8 means you’re responsible for overseas disclosures. If your CRM is hosted offshore or your wearable vendor processes data overseas, you must ensure comparable protections through contracts and due diligence.
What Mia did
- Requested a Data Processing Agreement (DPA) with privacy and security clauses (sub-processor transparency, hosting regions, deletion on exit, audit rights).
- Required prompt breach notifications to enable a 30-day assessment under the Notifiable Data Breaches scheme.
- Checked where data actually resides (regions and backups), not just where the company is registered.
- Turned off unnecessary integrations and moved high-risk data to an AU-hosted store.
Vendor rep: “We’re SOC 2 compliant.” Mia: “Great. I also need to know your data locations, sub-processors, and breach timelines in the contract.”
6) Security That Sticks: MFA, RBAC and Remote-Ready SOPs
Minimum viable controls for studios
- MFA everywhere (CRM, email, storage, wearable dashboards); enforce for staff and contractors.
- Role-based access control (least privilege); quarterly access reviews and rapid offboarding.
- Device standards for remote coaches: updates on, disk encryption, screen lock, and a password manager.
- Audit logs for admin actions; alerts on unusual access or exports.
- Secure data sharing: no health info via DMs; use approved channels only.
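As an added illustration of the audit-log and RBAC controls above (not code from the original post), the script below runs a small access matrix over a few constructed CRM audit-log lines and raises alerts for actions outside a role, bulk member exports, admin grants, and activity from an account that should have been offboarded. The log format, role names and threshold are assumptions for the example.

```python
import re

# Constructed sample audit log for a hypothetical CRM (not a real product's format).
# Assumed line shape: timestamp user role action [key=value ...]
SAMPLE_LOG = """\
2025-06-02T06:55:10Z coach.jo coach view_member_health record=M1042
2025-06-02T07:10:33Z coach.jo coach export_members count=850
2025-06-02T07:12:01Z ex.contractor contractor view_member_health record=M1042
2025-06-02T09:30:45Z owner.mia owner grant_admin target=coach.jo
2025-06-02T21:15:00Z frontdesk.sam frontdesk view_member_health record=M2210
"""

# Access matrix (least privilege): which roles may perform which actions.
ACCESS_MATRIX = {
    "owner": {"view_member_health", "export_members", "grant_admin"},
    "coach": {"view_member_health"},
    "frontdesk": set(),    # bookings only; no access to health notes
    "contractor": set(),
}
OFFBOARDED = {"ex.contractor"}   # accounts that should already be disabled
EXPORT_THRESHOLD = 100           # records per export before an alert fires

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, role, action, rest = m.groups()
    kv = dict(p.split("=", 1) for p in (rest or "").split() if "=" in p)
    return {"ts": ts, "user": user, "role": role, "action": action, **kv}

def audit(log_text):
    """Return (rule, user, detail) alerts for every suspicious event in the log."""
    alerts = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if not e:
            continue
        allowed = ACCESS_MATRIX.get(e["role"], set())
        if e["user"] in OFFBOARDED:            # offboarding failed: any activity is an alert
            alerts.append(("offboarded_account_active", e["user"], e["action"]))
        elif e["action"] not in allowed:       # action not permitted for this role
            alerts.append(("action_outside_role", e["user"], e["action"]))
        if e["action"] == "export_members" and int(e.get("count", 0)) > EXPORT_THRESHOLD:
            alerts.append(("bulk_export", e["user"], e["count"]))
        if e["action"] == "grant_admin":       # every privilege grant is reviewed
            alerts.append(("admin_grant", e["user"], e.get("target", "?")))
    return alerts
```

Feeding the same checks real export logs from your CRM means adapting only `LINE_RE` and the access matrix; the quarterly access review becomes a diff between `ACCESS_MATRIX` and what the log shows people actually doing.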
Document once, train often
Mia built a privacy “single source of truth” in the ops wiki: data map, consent wording, vendor list, access matrix, incident playbook, and a 15-minute onboarding module. Remote workers follow the same instructions—no exceptions.
7) Breach Readiness: Run the NDB Drill
Build a 5-step incident playbook
- Contain: revoke access, isolate compromised accounts, and secure backups.
- Assess within 30 days: is it an eligible data breach (likely to cause serious harm)?
- Notify if required: OAIC and affected individuals, with clear guidance and support.
- Fix: patch the cause, rotate credentials, update SOPs and training.
- Log and learn: record evidence for accountability and regulator inquiries.
After a tabletop exercise, Mia’s team shaved response time from hours to minutes, and staff could explain their roles without looking at the manual.
8) The One-Week Turnaround: A Practical Action Plan
7-day checklist
- Map: list all health-data entry points; start the privacy register.
- Minimise: cut non-essential fields; set retention and deletion rules.
- Consent: update notices and explicit consent wording (NSW: align with HRIP).
- Vendors: confirm data locations; sign DPAs; disable risky integrations.
- Security: enforce MFA, RBAC, and device standards for staff/contractors.
- Train: onboard the team; remote coaches included; verify with a quick quiz.
- Drill: run the NDB playbook; fix gaps; brief leadership.
Takeaway: privacy isn’t paperwork—it’s a system. Build the single source of truth, document the steps, and make compliance part of how you coach, sell, and serve. The weight feels heavy until you lift it once.