Sognos Solutions

Data residency in Australian healthcare: Sorting fact from fiction

A persistent myth in healthcare IT is that data must stay onshore to stay safe. Many providers – especially in mental health, disability, and aged care – are told that hosting data overseas is non-compliant or even illegal. It sounds simple. But it’s wrong. And believing it could be costing your service time, flexibility, and functionality.

Here’s the truth: for most health data in Australia, data residency is not about geography. It’s about governance.

The one true exception: My Health Record

Let’s be clear upfront. There is one genuine, absolute prohibition – and it’s easy to spot. 

Under section 77 of the My Health Records Act 2012, any My Health Record (MHR) data must remain in Australia. Not just the original record, but all copies and backups. No offshoring, no exceptions – unless it’s non-identifiable, operational data held by the System Operator. 

If your service uses My Health Record data, that data must be hosted locally. But that’s it. This rule doesn’t apply to other health records. Yet many providers mistakenly apply this standard to all their systems, often under advice from vendors keen to push more expensive “onshore-only” hosting contracts. 

What the Privacy Act actually requires

Outside of the MHR system, most health data falls under the Privacy Act 1988 and the Australian Privacy Principles (APPs), specifically APP 8 – which governs cross-border disclosure. 

Here’s what APP 8 says in plain terms: yes, you can transfer personal information overseas. But you must take reasonable steps to ensure the overseas recipient doesn’t breach the APPs. This usually means: 

  • Having strong contractual terms in place 
  • Auditing the recipient’s practices 
  • Ensuring technical and organisational safeguards 
  • Maintaining accountability for how the data is handled 

In other words, you don’t need consent to transfer data overseas – as long as you stay responsible for it. 

Dispelling the consent confusion

There’s a widely misunderstood clause in APP 8.2(b) that allows entities to shift accountability if a patient gives expressly informed consent to offshore their data. But here’s the kicker – it’s not required. It’s a niche exemption that reputable providers rarely use. 

If you ask for consent and it’s refused? It doesn’t matter. You just default to the standard approach: strong safeguards and continued responsibility under APP 8.1 and section 16C. 

In fact, asking for this type of consent can raise red flags. It requires warning people that their privacy protections won’t apply and they’ll have no recourse if the overseas recipient mishandles their data. That’s not something most services want to say – or patients want to hear. 

State-based data rules: NSW and Victoria

While federal law allows offshore transfers with safeguards, some states add another layer. 

In NSW, Health Privacy Principle 14 (HPP 14) restricts disclosure of health records outside the state unless at least one of the following applies: 

  • the recipient is bound by privacy protections that are substantially similar, or 
  • the individual consents, or 
  • the disclosure is necessary to perform a contract or is required/authorised by law. 

Victoria has a similar rule under HPP 9. These are not outright bans – they require due diligence, not localisation. 

What Microsoft Azure offers for data residency

Microsoft Azure supports all major Australian privacy requirements. You can select Australian regions for data storage (e.g. Sydney or Melbourne), and Microsoft commits not to move customer data outside the selected geography without consent. 

It also meets IRAP standards for PROTECTED-level data and provides built-in security controls like: 

  • Data encryption by default 
  • Compliance-ready templates for APP 8 
  • Role-based access and audit logs 

And for organisations that do need to manage MHR data? Azure lets you store that subset onshore while still using global Microsoft services for everything else – provided data is classified and configured correctly. 
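One concrete way to make that "classified and configured correctly" step enforceable, rather than a matter of documentation, is an Azure Policy definition that refuses to deploy any resource tagged as holding MHR data outside the Australian regions. The definition below is an added example written for this article, not Microsoft's built-in policy and not a Sognos artefact; it assumes a hypothetical classification tag named dataClass whose value MHR marks resources in scope of section 77, and it uses the real Azure region names australiaeast (Sydney) and australiasoutheast (Melbourne).

```json
{
  "properties": {
    "displayName": "MHR-classified resources must be deployed in Australian regions",
    "description": "Added example: deny deployment of any resource tagged dataClass=MHR outside the allowed Australian regions.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions in which MHR-classified resources may be created.",
          "strongType": "location"
        },
        "defaultValue": [ "australiaeast", "australiasoutheast" ]
      },
      "classificationTag": {
        "type": "String",
        "metadata": {
          "displayName": "Classification tag name",
          "description": "Hypothetical tag used to classify resources; assumed for this example."
        },
        "defaultValue": "dataClass"
      },
      "mhrValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag value marking My Health Record data",
          "description": "Hypothetical tag value; assumed for this example."
        },
        "defaultValue": "MHR"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('classificationTag'), ']')]",
            "equals": "[parameters('mhrValue')]"
          },
          {
            "field": "location",
            "notIn": "[parameters('allowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.Resources/resourceGroups"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assign the definition at subscription or management-group scope so it applies to every workload that might touch MHR data, and consider running it with an audit effect first to surface any mis-tagged or mis-placed resources before switching to deny. Two caveats a practitioner should keep in mind: the control is only as good as the tagging, so an untagged storage account holding MHR data is invisible to it, and Azure Policy governs where a resource is deployed, not where a particular service replicates or processes data, so the service-level residency commitments still need to be checked for each global Microsoft service the rest of the estate uses.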

So, can health data be hosted overseas?

In almost every case, yes. Here’s a quick test: 

Q1. Are you dealing with My Health Record data?

If yes – keep it in Australia.
If no – proceed to Q2.

Q2. Have you taken reasonable steps to ensure your offshore provider complies with the APPs (e.g. contracts, audits)?

If yes – you’re compliant under APP 8.1. Proceed to Q3.

Q3. Are you subject to additional state rules (e.g. NSW or VIC)?

If yes – confirm your arrangements meet those conditions too. That typically means ensuring the provider is under similar legal obligations or that you’ve taken all reasonable steps to safeguard the data.

That’s it. No blanket ban. No default requirement to ask for patient consent. Just good privacy governance, plain and simple. 

Why the misconception persists

The confusion largely stems from a misreading of the My Health Records Act. Vendors often amplify it, claiming all health data must stay onshore to boost their sales. But that’s not what the law says – and it’s not how the sector operates. 

Government guidance, legal commentary, and real-world practice all confirm that offshore hosting is allowed with the right safeguards. 

A better way forward: Governance over geography

Instead of worrying about where the server sits, focus on: 

  • Data classification: What kind of data are you handling? 
  • Access control: Who can see and change it? 
  • Contractual protections: What happens if something goes wrong? 
  • Technical safeguards: Is data encrypted, monitored, and auditable? 

Because a server in Australia with poor oversight is far riskier than a server overseas with robust protections and clear accountability. 

Want confidence in your compliance? Talk to Sognos

At Sognos, we help healthcare and community providers cut through the noise. Our systems are built on Microsoft, configured for privacy compliance, and shaped for the realities of frontline work. 

We know how to separate MHR data when needed. We build in data governance and support your team to use global services safely – without sacrificing compliance or trust. 

If you’ve been told your data must stay in Australia, get a second opinion – and the right information. Because compliance doesn’t need to mean compromise. 

Book a call to review your data governance setup and see how SognosCare supports compliance from the ground up.