Privacy and Health Data: What Gym Owners Need to Know About the Privacy Act
Every time a new member joins your gym, you collect information about them. Name, address, date of birth, contact details — fairly standard. But many gyms also collect health questionnaires, injury history, emergency contacts, medical clearances, and physiological assessments. Some ask about medications, medical conditions, or GP details.
Under the Privacy Act 1988, health information is sensitive information — a category that attracts significantly stronger privacy protections than ordinary personal data. For gym owners, this means your obligations go well beyond having a privacy policy on your website.
This article explains exactly how the Privacy Act applies to fitness businesses, what you must do with the health data you collect, and what happens if it is breached or mishandled.
Does the Privacy Act Apply to Your Gym?
The Privacy Act applies to:
- APP entities, which include all Australian Government agencies and private sector organisations with an annual turnover of more than $3 million
- Organisations with turnover below $3 million that opt in to the Act
- Organisations below the $3 million threshold that handle health information for a fee
This last category is important for gyms. If your gym provides personal training, health coaching, fitness assessments, or any other health-related service — and members pay a fee for those services — you may be covered by the Privacy Act even if your annual turnover is under $3 million.
The Privacy Act amendments that came into force in 2024-2025 (following the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 and subsequent reform) have significantly increased penalties for serious privacy breaches. The Office of the Australian Information Commissioner (OAIC) has also become more active in enforcement.
Additionally, if your gym operates as part of a franchise or national chain, or if you have corporate clients, you are almost certainly subject to the Privacy Act.
If you are unsure whether the Privacy Act applies to your gym, seek legal advice. The consequences of non-compliance are significant.
What Is Health Information?
Under the Privacy Act, health information is a type of sensitive information. It includes:
- Information about a person's physical or mental health or disability
- Information about a person's health services or treatment
- A person's expressed wishes about their future health treatment
- Information about the donation of body parts, organs or substances
- Genetic information about a person that relates to their health
For a gym, this includes:
- Pre-exercise health questionnaires (PAR-Q forms)
- Medical clearance forms
- Injury history questionnaires
- Any information about a member's disability, chronic condition, or medication that affects their exercise capacity
- Physiological assessments (body composition, VO2 max tests, blood pressure readings)
- Notes made by PTs about a member's physical condition or limitations
Health information can also arise indirectly — a PT's session notes that reference a member's back injury or their mention of a recent surgery are health information, even if not collected on a formal form.
The Australian Privacy Principles (APPs)
If the Privacy Act applies to your gym, you must comply with the 13 Australian Privacy Principles (APPs). These are not suggestions — they are legal obligations.
APP 1: Open and Transparent Management of Personal Information
You must have a current, compliant privacy policy that is available to members. The policy must explain:
- What personal information (including health information) you collect
- Why you collect it and how you use it
- Who you disclose it to (staff, third-party service providers, etc.)
- How members can access and correct their information
- How to make a complaint
A privacy policy buried in small print in a membership contract — or one that hasn't been updated since 2018 — is unlikely to satisfy this obligation.
APP 3: Collection of Solicited Personal Information
You must only collect personal and sensitive information that is necessary for your functions or activities. For health information, there is an additional requirement: you must generally obtain the person's explicit consent to collect it.
This means:
- Your PAR-Q or health questionnaire should include a clearly worded consent statement
- The consent should explain why you are collecting the health information and how it will be used
- The consent should not be buried in general terms and conditions — it needs to be clearly drawn to the member's attention
Collecting more health information than you actually need is a privacy risk. If you don't need to know whether a member is on blood thinners for the purpose of delivering standard group fitness classes, you probably shouldn't be collecting it.
APP 5: Notification of Collection
When you collect personal information directly from an individual, you must notify them of certain matters — including your identity, the purpose of collection, whether collection is required or voluntary, and how they can access or correct their information.
For health information specifically, the notification requirements are stricter.
In practice, this is usually handled through a collection notice at the point of collecting the information — for example, text on your membership application form or health questionnaire that explains how the information will be used.
APP 6: Use or Disclosure of Personal Information
You can only use or disclose personal information for the primary purpose for which it was collected — or for secondary purposes in limited circumstances (for example, with consent, or if required by law).
For a gym, the primary purpose of collecting a member's health questionnaire is to ensure the exercise program is appropriate and safe for them. Using that information for direct marketing, sharing it with a third-party supplement provider, or disclosing it to a member's family without their consent would be a breach.
This also means that personal trainers who leave your gym should not be taking client health information with them. Their knowledge of a client's health history came to them through their role at your gym — and that information belongs to your members, not to the PT.
APP 11: Security of Personal Information
You must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. When you no longer need the information, you must take reasonable steps to destroy or de-identify it.
For gyms, this means:
- Physical security for paper-based health forms (locked cabinets)
- Password protection and access controls for digital records (CRM systems, booking platforms, PT session notes)
- Restricted access — only staff who need to access health information to do their job should be able to access it
- Secure disposal of forms when they are no longer needed
- A clear data retention policy
Cloud-based gym management software, CRM systems, and personal training apps are convenient — but they all store member data and must be assessed for security. Check the privacy and data security practices of any software provider that handles your members' personal information.
Notifiable Data Breaches
The Notifiable Data Breaches (NDB) scheme under the Privacy Act requires APP entities to notify the OAIC and affected individuals when an eligible data breach occurs.
An eligible data breach is an unauthorised access to or disclosure of personal information that is likely to result in serious harm to any of the affected individuals.
For health information — which is inherently more sensitive — the likelihood of serious harm from a breach is generally higher. This means a breach involving member health records at a gym is more likely to trigger the notification requirement than a breach of, say, general contact details.
Examples of eligible data breaches at a gym:
- Hacking of your gym management software that exposes member health questionnaires
- A rogue employee accessing and leaking member health information
- Accidentally emailing a spreadsheet containing member health data to the wrong person
- Loss of a device (laptop, tablet) containing unsecured member health records
- Your PT app provider suffering a data breach that exposes client session notes
If an eligible data breach occurs, you have 30 days to complete a reasonable assessment and determine whether the NDB scheme applies. If it does, you must notify the OAIC and affected individuals as soon as practicable.
Failure to notify when required can result in significant civil penalties. Following the 2022 amendments to the Privacy Act, maximum penalties for serious or repeated privacy breaches by companies are the greater of:
- $50 million
- Three times the benefit obtained from the breach
- 30% of the company's adjusted turnover in the relevant period
Even for small gyms, failing to notify a breach involving health information is a serious compliance risk.
Health Data in Booking and Fitness Apps
Many gyms use third-party software for bookings, member management, and personal training. When that software stores member health information, you are sharing personal data with a third party — and you remain responsible for how it is handled.
Before using any software that stores health information:
- Review the provider's privacy policy and data handling practices
- Ensure the provider is based in Australia or has adequate data protection in place for offshore storage
- Confirm data is encrypted in transit and at rest
- Understand where data is physically stored (Australian data centres preferred for health data)
- Check what happens to member data if you cancel the service
Your membership agreement and privacy policy should disclose that member data is stored with third-party platforms, and those platforms should be identified (or at least categorised) in your policy.
Minimum Steps Every Gym Should Take
- Audit your data collection. List every form, app, and system through which you collect health information from members. Is all of it necessary? Is it all consented to?
- Update your privacy policy. Make sure your policy covers health information specifically, is available to members before they join, and reflects how you actually use data.
- Add a collection notice to your health questionnaire. Every time you collect health information, members should be told why and how it will be used.
- Restrict access. Only staff who genuinely need access to health information for their role should have it. PTs should only see the records of their own clients.
- Secure your data. Digital systems should be password-protected, access-controlled, and backed up. Paper forms should be locked away.
- Have a data breach response plan. Know what to do if a breach occurs: who is responsible, how you will assess it, and how you will notify if required.
- Set a data retention period. How long do you need to keep member health records? Once a member leaves and the retention period has passed, records should be securely destroyed.
Privacy Act Reform: What's Coming
The Australian Government has been progressively reforming the Privacy Act since the Attorney-General's Department review in 2022. Key reforms that have been enacted include expanded penalties, enhanced enforcement powers for the OAIC, and a new right for individuals to take direct action for serious privacy breaches.
Further reforms are expected, including a potential requirement for organisations to conduct Privacy Impact Assessments (PIAs) for high-risk activities and a strengthened right to erasure (the "right to be forgotten").
Gym owners should stay alert to these changes — particularly if handling health data from a significant member base.
How Reguladar Helps
Privacy compliance is one of the most under-managed risks in the fitness industry. Reguladar's compliance dashboard tracks your privacy obligations — including notification deadlines under the NDB scheme, Privacy Act reform updates, and your next policy review date.
Get your free compliance health check at Reguladar — see exactly which privacy obligations apply to your gym and when action is required.
This article is general information only and does not constitute legal or privacy advice. Privacy obligations vary depending on the specific nature of your business. Consult a qualified privacy lawyer or the OAIC's guidance resources for advice specific to your situation.