Dental AI guide
Dental Privacy Edge Map
A map of the systems around the PMS where patient data may move before AI is switched on.
Most practices focus on the PMS as their only patient-data system — but booking widgets, contact forms, email tools and staff AI all carry patient data too, often without anyone noticing. Mapping these edges before you add AI means you're not discovering a breach after one has happened.
No patient data required. Use these guides for practice workflow education, not patient-specific advice.
Your PMS is not the only patient system.
Two privacy laws apply in NSW. As well as the Commonwealth Privacy Act 1988 and its Australian Privacy Principles (APPs), dental practices in NSW are also bound by the NSW Health Records and Information Privacy Act 2002 (HRIP Act) and its Health Privacy Principles (HPPs). Read the considerations here against both. General information, not legal advice.
The edge problem
Most dental practices have a good PMS. The privacy risk in the AI era often moves to the systems around the PMS: booking widgets, contact forms, email inboxes, AI scribes, cloud drives, call tools, chat widgets, marketing platforms, and AI tools.
This guide maps the common edges so practices can review them before switching on AI tools.
Where patient information may move
| System | What it may hold | Review question |
|---|---|---|
| Online booking widget | Name, contact details, appointment reason, symptoms | Who processes this? Where is it stored — Australia or overseas? |
| Website contact form | Name, contact, health details ("I have swelling...") | Does the privacy notice cover health information? Where does form data route? |
| Email inbox | Referrals, X-rays, patient questions, treatment plans | Who can access this? Are AI inbox tools in use? Where is email processed? |
| Shared drive | Treatment plans, photos, templates, patient letters | Who has access? Is it cloud-synced? Where is data stored? |
| Call recording or missed-call AI | Patient name, symptoms, urgency details | Where is audio stored — Australia or overseas — and who can access it? |
| Marketing platform | Patient lists, email records, review responses | Was patient data approved for this purpose? Where is it processed? |
| AI scribe | Audio, transcript, clinical notes before PMS write-back | Where does audio and transcript go before it reaches the PMS? Is processing overseas? |
| Chat widget | After-hours health enquiries, symptoms | Third-party storage, escalation and retention rules? Where is this hosted? |
| Analytics or ad pixels | Health-page visits, form fields, session behaviour | Are tracking tools loading on health-related pages? Where does data go? |
| Cloud backup | All of the above if uncontrolled | What is backed up? Where? Who has access? Is storage overseas? |
| Overseas processing | Any patient information handled by a system with servers, AI subprocessors, support staff or backups outside Australia | Where is this system processed or stored? If overseas, APP 8 considerations apply — see section below. |
Also in the full guide
- A day in the practice: invisible privacy edges
- APP 8 and overseas processing: what to look for
- Purpose-fit: collected for one purpose, used for another (APP 6)
- Six edge questions for practice owners
- Red flags
- Safer approach
Optional — get a customised version
Request the version adapted for your practice
The guide above is free to read and download. If you would like a version tailored to your practice workflow, leave your details below. Use practice-level details only. Do not include patient names, treatment details, clinical notes, X-rays, invoices or identifiable emails.