Privacy in the garden shed: lessons from a Melbourne medical centre 

The privacy of almost 1000 patients was compromised recently when medical records were discovered in a backyard garden shed in Melbourne. A Narre Warren medical centre had stored the files in the off-site shed, which was subsequently broken in to.

The medical centre was lucky enough to avoid any serious fines, however if this same breach occurred today the business would have been fined $1.7 million under the revised privacy laws.

While this news seems shocking, the medical centre was only focussing on what every other company does on a daily basis – their core business.

In their shoes – you’re operating 12 hours a day, 7 days a week, with a waiting room full of people and bulk billing doctors on the decline. The medical centre is in high demand.

So what could they have done differently to prevent this privacy breach? This case highlights the importance of having practical measures in place to address the fundamentals of information management.

The key question for them to ask was, “what would your family think if they knew their medical records were being stored in a garden shed?”

There are a few simple do’s and don’ts you can follow to ensure your business is safe:


  • Understand the information you have
  • Be aware of any legal obligations associated with your information
  • Implement practical business processes that support your obligations
  • Ensure staff are aware of their obligations
  • Seek advice and help when needed


  • Ignore your legal obligations and hope there will be no consequences
  • Allow your obligations to result in complex and time consuming business processes
  • Collect information that is not related to your business function
  • Keep information longer than you need to
  • Store sensitive information in a garden shed – no matter the circumstances!

It can be difficult for businesses to focus time and money on something that does not directly affect core business, like information management. But it’s easy to see the consequences when information management is ignored. One small decision could have caused the undoing of this business.

If you are unsure of your information privacy obligations contact the Office of the Information Commissioner for free advice and assistance.

Amanda Day

Senior Consultant