Release of Information Consent Form in Australia

byAlex Solo9 January 202610 min read

Contracts Employment Law Regulatory Compliance Data & Privacy

Contents

What Is A Release Of Information Consent Form?
When Do Small Businesses Need One?
What Should A Release Of Information Consent Form Include?
How To Collect, Store And Use Consent Lawfully In Australia
Step-By-Step: Rolling Out Consent Forms In Your Business
Which Legal Documents Work With Your Consent Form?
- Examples By Industry
Practical Tips For A Smooth, Low-Friction Consent Experience
Common Pitfalls To Avoid
Key Takeaways

As a small business, you may need to share a customer’s or employee’s information with a third party - a marketing platform, an outsourced service provider, a health professional, or even a media outlet. When that happens, a clear release of information consent form helps you do it lawfully and transparently.

This guide breaks down what a release of information consent form is, when you need one, what to include, and how to roll it out in your business without slowing things down. We’ll keep it practical, Australian-specific, and focused on helping you protect trust while staying compliant.

A release of information consent form is a document where an individual gives you permission to share their personal information with specified third parties for stated purposes.

In Australia, “personal information” is any information that can identify a person (for example, a name, email address, photo, voice recording, or an opinion about them). Some information - like health information - is considered “sensitive information” and usually requires express consent before you collect, use or disclose it.

The form records that consent in a way that’s voluntary, informed, current and specific to the purpose of the disclosure. It also explains how the person can withdraw consent.

When Do Small Businesses Need One?

You’ll most commonly use a release of information consent form when you plan to disclose personal information to a third party and want clear, written permission. Typical scenarios include:

Sharing customer data with an external marketing or analytics provider.
Sending an employee’s details to a training provider or insurer.
Publishing a customer photo, video or testimonial on your website or social media.
Coordinating with another service provider (for example, in health, allied health, disability support, or education).
Transferring information to a supplier or software vendor that processes data on your behalf.

Even if your business is under the $3 million turnover threshold (and may be exempt from parts of the Privacy Act), many businesses still choose to use consent forms as best practice. You may also be covered by the Act because of what you do (for example, if you provide health services or trade in personal information) or because customers and enterprise clients expect strong privacy practices.

In short: if you’re disclosing identifiable information and there’s any doubt about whether you should, getting written consent is a reliable, low-friction way to manage risk and build trust.

Your form should be short, plain-English and specific. Aim for one page if possible, with clear headings. Consider including:

1) Who You Are And Whose Data Is Involved

Your business name and contact details.
The individual’s full name and contact details, so it’s clear whose consent is recorded.

2) What Information You’re Releasing

Describe the information in plain terms - for example, “full name and business email address,” “profile photo and business title,” or “assessment notes and appointment history.”
If any of the information is sensitive (for example, health information), say so and call it out clearly.

3) Who Will Receive The Information

Name the organisation(s) and, if helpful, the type of recipient (for example, “Acme Analytics Pty Ltd (our analytics provider)”).
If you use multiple vendors, you can list them individually or describe a category (but the more specific, the better).

4) Why You’re Disclosing It (Purpose)

Describe the purpose of disclosure, for example “to deliver our service,” “to analyse user behaviour and improve our website,” or “to publish your testimonial on our website and social media.”
Keep purposes tight. Avoid saying “for any purpose connected to our business” - that’s too broad to be valid consent.

Set a timeframe (for example, “12 months from the date of signing”) or make it ongoing until withdrawn. If ongoing, make that explicit.

6) Overseas Disclosure (If Any)

If information may go overseas (for example, your SaaS provider stores data in the US), identify this and the likely countries involved. People should know where their data could go.

7) Withdrawal And Contact Details

Explain how someone can withdraw consent at any time and what happens next (for example, you’ll stop future disclosures, but can’t undo past ones).
Provide an email address or online form for privacy requests.

8) Signature And Date

Include a signature block (or a tick-to-consent method online) and the date. This timestamps consent and helps later audits.

Helpful Extras

Link to or reference your Privacy Policy so people can read about your broader handling of personal information.
If the form supports a specific campaign (for example, media or marketing), including a brief summary of how content will be used can reduce disputes later.

Good consent is more than just a signature. It needs to meet some basic standards under Australian privacy law and industry expectations.

Voluntary: The person should have a genuine choice. If refusing consent would unfairly deny the core service, consider whether consent is appropriate here.
Informed: Use simple, clear language about what, who, why, where and for how long.
Specific: Avoid catch-all purposes. Separate forms (or separate checkboxes) for different uses are often better than a single blanket consent.
Current: Renew consent if your purposes, recipients, or scope change in a material way.

Health information and other sensitive information generally requires express consent to collect, use or disclose. In practice, that means a signed form or a clear, positive action acknowledging the exact disclosure - not just a pre-ticked box.

Respect Direct Marketing Rules

If the disclosure supports direct marketing (for example, sharing customer details with a marketing platform), make sure your opt-in and opt-out processes align with Australian email marketing laws and the expectations around consent and unsubscribe mechanisms.

Be Upfront About Overseas Transfers

If your vendors are outside Australia (common for cloud tools), be transparent about overseas disclosure. Take reasonable steps to ensure those recipients will handle personal information in line with Australian standards, and reflect this in your form and vendor contracts, such as your Data Processing Agreement.

Keep A Paper Trail

Store copies or digital records of the consent you collect, including how, when and for what purpose. This supports accountability, audits and complaint resolution. Have a policy for how long you’ll retain those records aligned with your broader approach to data retention.

Make Withdrawal Easy

Include a simple pathway to withdraw consent (for example, by email or a portal setting) and act on it promptly. You don’t need to erase information collected before withdrawal, but you should stop using or disclosing it for the consented purpose going forward.

Here’s a practical approach to introduce release of information consent forms without creating friction for your team or customers.

1) Map Your Disclosures

List each situation where your business shares personal information with a third party. Note the type of information, the recipient, whether it includes sensitive information, and the purpose. This “data map” keeps you focused and helps you design specific, readable forms.

Consider risk, expectations and legal requirements. If you’re sharing sensitive information, publishing images, or sending data offshore, a form is a strong default. Where disclosures are obvious and necessary to deliver the service (and covered by your terms and notices), you may not need a stand-alone form, but you should still be transparent.

3) Draft Your Forms (Keep Them Short)

Create one or more short templates for the scenarios you identified. For specific use cases, targeted forms work best - for example, a media release form for marketing content, or a clinical information release form for health information.

For media content or testimonials, many businesses pair their release with a simple Photography/Video Consent Form or a tailored media release approach to set clear expectations about where content will appear and for how long.

4) Align Your Privacy Notices And Terms

Consent forms should sit alongside your core privacy documents so everything tells a consistent story. Review your Privacy Collection Notice and Privacy Policy to make sure they cover the types of disclosures you’re making and the third parties you use to deliver your services.

5) Set Up Processes And Training

Decide where and how you’ll present the form (paper, email, e-sign, or embedded in a digital workflow). Train staff on when consent is required, how to answer common questions, and how to store records. If you use e-signing, ensure your process meets the legal requirements for signing documents in Australia.

6) Lock In Vendor Obligations

If a third party will receive or process the information, make sure the contract sets clear privacy and security obligations. A Data Processing Agreement with your key vendors helps you define instructions, security controls, sub-processing, and data return or deletion.

7) Handle Requests, Withdrawals And Complaints

Nominate a contact point for privacy requests and withdrawals and set expected turnaround times. Consider how you’ll respond if something goes wrong - many businesses prepare a simple procedure or a Data Breach Response Plan so the team knows what to do under pressure.

A release of information consent form is just one piece of your privacy toolkit. For a robust, end-to-end approach, consider pairing it with the following documents and policies:

Privacy Policy: Explains how you collect, use, disclose and store personal information across your business. Link it from your website and include it at key touchpoints with customers and staff.
Privacy Collection Notice: A short notice at the point of collection that tells people who you are, what you’re collecting, why, and who you’ll share it with. This sits alongside your form to ensure transparency.
Photography/Video Consent: If you capture and publish images or recordings, a tailored media consent or release form avoids disputes about usage, attribution and timeframes.
Participant Or Medical Consent (If Applicable): In health, disability or education settings, you may need a purpose-built consent form that deals with sensitive information and inter-agency coordination.
Data Processing Agreement (DPA): Contracts with vendors who process personal information on your behalf should capture privacy and security obligations, audit rights and data handling rules.
Internal Policies And Training: Short procedures for handling privacy requests, consent withdrawals, and security incidents help your team respond consistently and on time.

For communications and brand use cases, a targeted content release can be helpful. If you’re running a campaign featuring customer stories, pairing your form with a clear process for content approval and archiving can save headaches later.

Examples By Industry

Professional Services: You may share client information with specialist contractors or software providers. Use a consent form for optional disclosures and lock in your vendor obligations with a Data Processing Agreement.
Health And Allied Health: Express consent is typically required for sensitive health information. In these settings, a tailored Medical Release Consent Form or Participant Consent Form is best practice, alongside a sector-appropriate privacy policy such as an NDIS Privacy Policy if you operate in that framework.
Marketing And Media: When publishing images, audio or testimonials, use a media-friendly form and consider a short content usage summary. For broader PR activity, a dedicated approach to creating a media release form can be helpful.
eCommerce And SaaS: If you share customer data with analytics, email or support tools (often overseas), be transparent about disclosures in your Privacy Policy and obtain consent where needed - especially for marketing or publishing user content.

Go Short And Simple: The longer the form, the fewer people will read it. Plain language reduces questions and speeds up sign-off.
Use Layered Information: Put the key points on the form; link to your Privacy Policy for the full detail. This balances readability and compliance.
Offer Choice: If reasonable, add separate “yes/no” options for different disclosures (for example, “share with our analytics provider” and “use my photo in marketing”). Specific consent is stronger.
Integrate Into Workflows: Present forms naturally in your onboarding, booking or campaign process. The easier the process, the better the completion rate.
Record Keeping: Store consent with the user or client record so your team can quickly check what’s allowed. Align storage with your data retention approach.
Refresh When Things Change: If you add a new purpose or share with a new category of recipients, check whether you need to collect fresh consent.

Common Pitfalls To Avoid

Overbroad Purposes: Vague wording like “any business purpose” risks invalid consent and undermines trust.
Bundled Consent: Don’t force acceptance of unrelated disclosures to access your core service unless they are genuinely necessary.
No Easy Opt-Out: Make withdrawals simple and honour them promptly.
Silence Or Pre-Ticked Boxes: These aren’t good enough for express consent, especially for sensitive information.
Inconsistent Documents: If your forms, Privacy Collection Notice and website wording don’t match, you create confusion and risk.

Key Takeaways

A release of information consent form records a person’s permission for you to share their information with specific recipients for stated purposes.
Use clear, specific, plain-English wording that covers who, what, why, where (including overseas), how long and how to withdraw consent.
Express consent is best practice - and typically required - for sensitive information and many marketing or public-facing uses (like photos and testimonials).
Align your consent forms with your Privacy Collection Notice, Privacy Policy and vendor contracts like a Data Processing Agreement.
Build consent into your normal workflows, keep records, and make it easy for people to withdraw.
If your purposes or recipients change, review whether fresh consent is needed and update your documents accordingly.

If you’d like a consultation on setting up release of information consent forms (and your broader privacy documents) for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.

Need legal help?

Get in touch with our team

Tell us what you need and we'll come back with a fixed-fee quote - no obligation, no surprises.

Proceeding confirms you agree to our Privacy Policy

Keep reading

Privacy Act 1988 Compliance For Australian Real Estate Businesses

If you run a real estate agency, property management business, buyer’s advocacy service, or proptech platform, you probably handle personal information every day. Think rental applications, copies of IDs, employment details, bank...

20 Apr 2026

Employee Privacy Rights In Australia: What Employers Need To Know

As a small business owner, you’re probably handling a lot of “people data” every day without even realising it. Employee records, rosters, performance notes, medical certificates, CCTV footage, swipe-card logs, emails, Slack...

17 Apr 2026

How To Protect Commercial Confidentiality In Australia

When you’re building a startup or running a small business, a lot of your value lives in information. It might be a pricing model you’ve refined through trial and error, a list...

16 Apr 2026

How to Spot Legal Gaps on Your Own Website

Could your website be hiding legal risks in plain sight? A quick DIY check can reveal gaps in your policies, forms and refund wording before they become bigger problems.

16 Apr 2026

Opt-Out Notices: Complying With Australian Privacy and Spam Laws

If you market your business by email, SMS, phone, or even targeted online ads, you’ve probably seen (or used) an “unsubscribe” link or a “STOP to opt out” message. That small line...

15 Apr 2026

The Hidden Legal Risks Sitting on Most Business Websites

Could your website be creating legal risk without you realising it? Hidden issues in your terms, privacy wording and marketing claims can escalate fast.

13 Apr 2026

Need support?

Need help with your business legals?

Speak with Sprintlaw to get practical legal support and fixed-fee options tailored to your business.

Get Started Book A Call