Most health clinics don’t give much thought to their website enquiry form — and that’s completely understandable.
It feels administrative.
It sits outside your clinical systems.
And it’s usually set up once, then forgotten.
But behind the scenes, website enquiry forms often handle personal and health information in ways that quietly fall outside what many practice owners assume is happening. This isn’t about negligence or bad intent. In fact, it’s extremely common — particularly on platforms like WordPress, Wix and Squarespace.
The risk isn’t obvious, and that’s exactly the problem.
“It’s just an enquiry”... (not according to the Australian Privacy Act)
Under the Australian Privacy Act, personal information is defined broadly. It doesn’t need to be part of a formal patient record, and it doesn’t need to come from a confirmed patient.
Health information — including information about symptoms, diagnoses, mental health, injuries, medications, or treatment history — is considered particularly sensitive.
This means that a website enquiry can already trigger privacy obligations, even before someone books an appointment or completes intake paperwork.
That often surprises people.
Most clinics don’t ask for sensitive details in enquiry forms — but free-text fields invite people to explain their situation in their own words. Many do.
Common examples we see include:
- “I’ve been struggling with anxiety and panic attacks for years and I’m not coping at work.”
- “My GP thinks I may have ADHD and suggested I contact a psychologist.”
- “I’ve been dealing with post-natal depression and need support.”
- “I have chronic pain and want to know if this treatment might help.”
- “My child is having behavioural issues at school and we’re concerned.”
From the client’s point of view, it’s natural to assume this information is being handled with the same care as the rest of the clinic’s systems.
Behind the scenes, that’s not always the case.
What actually happens after someone clicks “Submit”
For most websites, enquiry forms are built for convenience, not clinical privacy.
A typical submission may:
- Be sent in plain text via email
- Be stored in plain text in the website’s database
- Be logged inside a plugin or platform dashboard
- Be included in automated backups
- Be forwarded to multiple inboxes
- Be retained indefinitely unless manually deleted
Over time, this creates multiple copies of the same sensitive information — often without a clear owner, retention period, or access review process.
None of this is unusual. In fact, it’s the default behaviour for many popular website platforms and form tools.
The “accidental data hoarder” problem
One of the less obvious risks with enquiry forms is not what happens immediately, but what happens over time.
Enquiry data tends to accumulate quietly:
- Old submissions from people who never became patients
- Test submissions made by staff or agencies
- Historic enquiries sitting in inboxes
- Archived emails
- Website backups kept “just in case”
- Copies in staging or migrated sites
Access also tends to expand unintentionally:
- Current and former staff
- Shared practice inboxes
- Web or marketing agencies
- Hosting providers
- Anyone with legacy admin access
- Anyone who can access forwarded emails
Very few clinics intentionally decide to store enquiry data long-term — it just happens by default.
This is why many practices are surprised by how much sensitive information they’re actually holding, and how many people or systems can potentially access it.
How the Australian Privacy Act comes into play
The Australian Privacy Act doesn’t prescribe specific software or tools. Instead, it focuses on principles — particularly how personal and health information is handled.
Some of the most relevant ideas include:
- Taking reasonable steps to protect personal information
- Limiting access to those who genuinely need it
- Avoiding unnecessary retention of sensitive data
- Protecting information from loss, misuse or unauthorised disclosure
Enquiry forms often fall into a grey area because they sit between marketing systems and clinical systems — yet they can contain just as much sensitive information as formal intake data.
That’s where many clinics unintentionally fall short, simply because the risk isn’t obvious.
A note on encryption and Australian data storage
There’s often confusion about whether data must be stored in Australia. The reality is more nuanced.
The Privacy Act doesn’t outright ban overseas storage, but it does place responsibility on the organisation to ensure information is handled appropriately, securely, and in line with Australian expectations — regardless of where it’s stored.
From a practical compliance perspective, storing enquiry data in Australia significantly reduces risk.
Where clinics can run into trouble is when they:
- Don’t know where enquiry data is stored
- Can’t explain who has access to it
- Can’t confirm whether it’s encrypted at rest
- Can’t control how long it’s kept
- Can’t revoke access once it’s emailed or copied
Encryption matters here, not as a technical buzzword, but because it directly affects who can read the data.
If enquiry submissions are stored or transmitted in plain text, anyone with access to that system — email, hosting, backups, or admin dashboards — can read them.
Why is this so common?
Website platforms and form builders are designed for speed, simplicity and lead capture — not healthcare privacy.
They work well for general businesses, but they weren’t built with:
- Health-specific data minimisation in mind
- Granular access controls
- Defined clinical retention principles
- Encrypted storage by default
- Australian data storage by default
As a result, many clinics assume their enquiry forms are “handled securely” simply because the website appears professional and uses HTTPS.
In reality, HTTPS only protects data in transit between the visitor’s browser and the web server; it says nothing about how the submission is stored, emailed or backed up once it arrives.
Awareness is the first step
None of this is a criticism of clinics, practice owners, or staff.
These setups are extremely common across Australia, especially for small and medium practices relying on mainstream website platforms. The risk is structural, not personal.
What matters is awareness:
- Understanding that enquiry data often contains sensitive health information
- Knowing how that data is stored, accessed and retained
- Recognising that privacy obligations often begin earlier than expected
Once clinics understand what’s happening behind the scenes, they’re in a much better position to make informed decisions about how enquiry data should be handled — in a way that aligns with patient expectations and Australian privacy principles.
Get in touch if you’d like a healthcare-specific review of your current enquiry form setup.