Information Security Policy

Applicable to: This policy is to be read and understood by all staff accessing lCT resources in the WA health system.


The Acceptable Use of information and Communications Technology Policy and Information Security Policy are two high risk policies that, together, provide a framework underpinning many of the digital security strategies employed in the WA health system. The Information Security Policy outlines the security controls required to be implemented, monitored and reviewed across the WA health system. It aligns to the principles of the Australian Standards for information security management which support a risk-based approach to information security that is appropriate to sensitivity, risk profile and business need. It outlines actions that all staff need to take and additional actions for lCT staff, including those at Health Support Services.


Type of Amendment Date of Effect Description of Amendment
Major Amendment 27 July 2020
  • Policy transitioned to the current Policy template.
  • Section 3.2.2 Cloud Services has been removed. Policy requirements relating to Cloud Services are now available in MP 0140/20 Cloud Policy.
  • References to Mandatory Policy and Operational Directive document numbers, names, Policy Frameworks and corresponding hyperlinks have been updated throughout for currency. 
  • Descriptive and hyperlink text to internal and external websites updated at section 3.2.2, 3.2.10 and 3.2.14.
  • Supporting information documents Advice on Managing the Recordkeeping Risks Associated With Cloud Computing and A Guide to Implementing Cloud Services have been removed.
Major Amendment 18 February 2021
  • Amend to reflect procedural changes for ordering WA Health encrypted USBs, update requirements for privileged accounts, and mandate the use of multifactor authentication (MFA) on all internet-facing WA Health systems and all third-party systems hosting WA Health data, including cloud services.
  • Include Supporting information Guidelines for the Transmission of Personal Health Information by Fax Machine.

Date of effect: 09 August 2018

Policy Framework

Supporting information