Dental AI guide

Dental Privacy Edge Map

A map of the systems around the PMS where patient data may move before AI is switched on.

Most practices focus on the PMS as their only patient-data system — but booking widgets, contact forms, email tools and staff AI all carry patient data too, often without anyone noticing. Mapping these edges before you add AI means you're not discovering a breach after one has happened.

No patient data required. Use these guides for practice workflow education, not patient-specific advice.

Your PMS is not the only patient system.

Two privacy laws apply in NSW. As well as the Commonwealth Privacy Act 1988 and its Australian Privacy Principles (APPs), dental practices in NSW are also bound by the NSW Health Records and Information Privacy Act 2002 (HRIP Act) and its Health Privacy Principles (HPPs). Read the considerations here against both. General information, not legal advice.

The edge problem

Most dental practices have a good PMS. The privacy risk in the AI era often moves to the systems around the PMS: booking widgets, contact forms, email inboxes, AI scribes, cloud drives, call tools, chat widgets, marketing platforms, and AI tools.

This guide maps the common edges so practices can review them before switching on AI tools.

Where patient information may move

System What it may hold Review question
Online booking widget Name, contact details, appointment reason, symptoms Who processes this? Where is it stored — Australia or overseas?
Website contact form Name, contact, health details ("I have swelling...") Does the privacy notice cover health information? Where does form data route?
Email inbox Referrals, X-rays, patient questions, treatment plans Who can access this? Are AI inbox tools in use? Where is email processed?
Shared drive Treatment plans, photos, templates, patient letters Who has access? Is it cloud-synced? Where is data stored?
Call recording or missed-call AI Patient name, symptoms, urgency details Where is audio stored — Australia or overseas — and who can access it?
Marketing platform Patient lists, email records, review responses Was patient data approved for this purpose? Where is it processed?
AI scribe Audio, transcript, clinical notes before PMS write-back Where does audio and transcript go before it reaches the PMS? Is processing overseas?
Chat widget After-hours health enquiries, symptoms Third-party storage, escalation and retention rules? Where is this hosted?
Analytics or ad pixels Health-page visits, form fields, session behaviour Are tracking tools loading on health-related pages? Where does data go?
Cloud backup All of the above if uncontrolled What is backed up? Where? Who has access? Is storage overseas?
Overseas processing Any patient information handled by a system with servers, AI subprocessors, support staff or backups outside Australia Where is this system processed or stored? If overseas, APP 8 considerations apply — see section below.

Also in the full guide

  • A day in the practice: invisible privacy edges
  • APP 8 and overseas processing: what to look for
  • Purpose-fit: collected for one purpose, used for another (APP 6)
  • Six edge questions for practice owners
  • Red flags
  • Safer approach

Optional — get a customised version

Request the version adapted for your practice

The guide above is free to read and download. If you would like a version tailored to your practice workflow, leave your details below. Use practice-level details only. Do not include patient names, treatment details, clinical notes, X-rays, invoices or identifiable emails.