Consent To Release Information Form: When And How To Use It

Whether you’re onboarding a new hire, engaging a contractor, working with a health or allied services provider, or doing due diligence on a potential partner, there’s a common issue that comes up surprisingly early: how do you legally and safely obtain information about someone or something?

In many cases, the answer is a consent to release information form.

For small businesses and start-ups, these forms are often treated as “admin paperwork” - something you download, get signed, and file away. But in practice, a release of information consent form can be the difference between:

• receiving information you’re entitled to receive, and being stonewalled because the other party can’t legally disclose it; and
• handling personal information responsibly, or exposing your business to privacy complaints, workplace disputes, or reputational damage.

Below, we’ll walk you through what a consent to release information form is, when your business might need one, what it should include, and the practical do’s and don’ts so you can use it confidently in Australia.

Note: This article provides general information for Australian businesses and isn’t legal advice. Privacy and confidentiality obligations can differ depending on your industry, location and whether exemptions apply.

What Is A Consent To Release Information Form?

A consent to release information form is a written document where an individual (or sometimes an authorised representative) gives permission for one organisation or person to share information about them with another organisation or person.

In plain terms, it’s a way to document: “I authorise you to provide X information to Y, for Z purpose.”

Depending on the situation, you might also hear these referred to as:

• consent to release information (the concept); or
• release of information consent form (a common alternate name).

Why Your Business Might Need One

In Australia, privacy and confidentiality obligations can apply in a range of contexts - not just “health records” or “government departments”. Businesses often hold information that is sensitive, commercially valuable, or personal.

So, if you’re asking another party to disclose information, they may need evidence they’re allowed to do so. A properly drafted consent form can give them that comfort - and give you a paper trail that you took privacy seriously.

What This Form Is Not

It’s also important to know what a consent to release information form isn’t:

• It isn’t a blanket waiver of all privacy rights forever.
• It isn’t the same as your Privacy Policy (which explains how your business collects and uses personal information generally).
• It isn’t a substitute for having a clear employment or contractor arrangement in place.

Think of it as a specific permission for a specific release of information, for a defined reason.

When Should A Small Business Use A Consent To Release Information Form?

There’s no single “one size fits all” scenario. Here are some common situations where Australian small businesses and start-ups use a consent to release information form in a practical way.

Hiring And Pre-Employment Checks

If you’re recruiting, you might want to verify information such as:

• references (e.g. speaking to a previous employer)
• qualifications or training
• professional registrations (where relevant)
• work history claims

Often, a candidate will give you referee contact details anyway - but some organisations won’t provide details without written consent.

This is also where your broader employment documentation matters. If you’re hiring, having an Employment Contract (and onboarding documents) helps set expectations around confidentiality, workplace policies, and handling of information from the beginning.

Managing Employees (Medical Or Capacity Information)

If a staff member is absent for an extended period, or you’re assessing capacity to work safely, you may need information from a treating practitioner or another professional.

This is a sensitive area. Even when you have a legitimate reason to ask, the information shared should be limited to what’s needed (for example, functional capacity rather than full medical history), and you should obtain informed consent before any disclosure occurs.

Using a consent to release information form here can help you show that the employee understood what would be shared, by whom, and why.

Working With Clients In Regulated Or High-Trust Industries

If your business operates in an industry where you coordinate with third parties (for example, health services, education, community services, or certain professional services), you may need to share and receive personal information as part of delivering the service.

A consent to release information form can help document client instructions and reduce uncertainty when multiple providers are involved.

Due Diligence And Third-Party Verification

Sometimes you’ll need information to verify claims made by a third party - for example, checking whether someone is authorised to act for a company, or verifying certain commercial details. Consent can be relevant here, but the right document might actually be more about authority than privacy.

For example, if your situation is about someone acting on behalf of another person or entity, an Authority To Act Form may be more appropriate (or may be used alongside a release of information consent form).

Sharing Information With Contractors Or External Providers

If you outsource payroll, HR, IT support, or client administration, you may share personal information with your providers. Consent may not always be required (depending on the circumstances), but you still need to handle information responsibly and ensure appropriate contractual protections are in place.

In these scenarios, a consent form may help where the individual’s information is being exchanged between multiple parties and you want a clear record of permission.

What Should Be Included In A Release Of Information Consent Form?

A good release of information consent form is clear, specific, and practical. It should be easy for a person to understand what they are agreeing to - without needing to decode legal jargon.

While the “right” content depends on your industry and the type of information, most businesses should consider including the following.

1. Who Is Giving Consent (And Their Details)

Include enough information to identify the individual providing consent, such as:

• full name
• date of birth (where relevant)
• address and contact details
• client/employee ID number (if you use one)

If someone is signing on behalf of another person (for example, a guardian or authorised representative), the form should record:

• their name
• their relationship/authority
• evidence of authority (if required)

2. Who Can Disclose The Information

Be specific about the “disclosing party”. For example:

• a named clinic, practitioner, or organisation
• a previous employer
• a training provider or regulator

Avoid vague wording like “anyone who holds my records”. That’s rarely appropriate and can create confusion or refusal.

3. Who Can Receive The Information

Clearly state who the information can be released to. This could be:

• your business name and ABN/ACN
• a particular staff member role (e.g. HR Manager)
• a specific email address or postal address

If the information may be forwarded internally (for example, to a manager for rostering or safety decisions), it’s worth stating that too - but keep it limited to what’s necessary.

4. What Information Can Be Released (Scope)

This is one of the most important parts.

Define the scope of information clearly. For example:

• employment dates and position title only
• reference check responses limited to performance, attendance, and conduct
• confirmation of qualification and completion date
• capacity information (e.g. restrictions, accommodations required), not full medical notes

The narrower and more precise the scope, the more likely the disclosing party will be comfortable releasing the information - and the safer it is for your business from a privacy perspective.

5. The Purpose Of The Disclosure

State why the disclosure is needed. Examples include:

• to assess suitability for employment
• to evaluate capacity to safely perform inherent requirements of a role
• to coordinate service delivery
• to verify information provided to your business

Purpose matters because consent should be “informed”. If the purpose is unclear, the consent can be challenged (and the disclosing party may refuse to act on it).

6. How The Information Will Be Shared

Specify the method where possible (for example, email, phone call, written report, secure portal). This helps set expectations and can reduce accidental disclosures (like sending sensitive information to the wrong address).

7. Duration And Expiry

Consent shouldn’t be open-ended unless there’s a strong reason. Consider including:

• a start date and end date, or
• an expiry event (e.g. “until the recruitment process ends”), or
• a fixed timeframe (e.g. 3 months)

This supports good privacy practice and reduces the risk of relying on “stale” consent later.

8. Withdrawal Of Consent

Generally, a person should be able to withdraw consent (though it may not undo a disclosure that has already occurred). Your form can explain:

• how to withdraw consent (email address/contact person)
• what withdrawal will mean operationally (e.g. it may affect ongoing service delivery or your ability to finalise a hiring decision)

9. Signature, Date, And Witnessing (If Needed)

Include signature blocks and dates.

Most consent forms don’t legally require witnessing, but some industries, internal policies, or higher-risk situations may prefer it. If you do include a witness section, make it clear who can act as witness.

If you’re using electronic signing, make sure the process is reliable and your record keeping is solid.

Privacy And Compliance: How Consent Forms Fit Into Your Business Obligations

For many businesses, the big question isn’t just “what should the form say?” - it’s “are we allowed to collect and use this information at all?”

Consent can be a helpful tool, but it’s only one part of privacy compliance.

Consent Is Not Always Required (But It’s Often Helpful)

Depending on your situation, consent may be:

• legally required in some contexts (for example, under certain health records rules, or where another organisation won’t disclose without it),
• best practice (to reduce disputes and build trust), or
• not the main legal basis for handling information (for example, where the information is necessary for a contract or required by law).

It’s also important to remember Australian privacy law isn’t “one size fits all”. For example:

• many small businesses may be covered by the small business exemption under the Privacy Act (although there are important exceptions); and
• employee records handled in the context of an employment relationship may be subject to the employee records exemption (with limits, and it won’t necessarily apply to pre-employment collection); and
• health and allied health information can be subject to additional state and territory health records requirements.

But even where consent isn’t strictly required, having a clear consent to release information form can still be valuable to:

• avoid misunderstandings (“I didn’t agree to that”)
• show you acted transparently
• make it easier for the other party to disclose information without fear of breaching confidentiality

Make Sure Your Privacy Messaging Matches Your Forms

If your business collects personal information (even something as simple as names, email addresses, or IP addresses through a website), it’s often a good idea to have a Privacy Policy that explains what you collect and why - and some businesses are legally required to have one.

If you’re collecting information through a form (including a consent to release information form), it’s also worth considering whether you should provide a collection notice (sometimes called a privacy collection notice) at the point you collect the information - particularly if your business is covered by the Privacy Act or similar state/territory regimes.

Store And Share The Information Securely

Once you receive information via a consent form process, your obligations don’t end. You should only store it for as long as necessary, restrict access internally, and have sensible systems for:

• file management and retention
• access controls (who can see it)
• secure transmission (especially via email)
• responding to data incidents

For start-ups, this doesn’t need to be complex - but it should be deliberate. A privacy breach can be expensive, time-consuming, and damaging to customer or staff trust.

Practical Tips To Use Consent To Release Information Forms Without Creating Risk

A consent to release information form is meant to reduce friction - but if it’s handled poorly, it can create the very risk it’s meant to prevent.

Here are some practical tips we often see help small businesses use consent properly.

Use Plain English (And Avoid Overreaching)

If someone reads your form and feels like they’re signing away control, they’ll hesitate - and the disclosing organisation may hesitate too.

Aim for simple wording and narrow scope. You can always request additional consent later if genuinely needed.

Limit Access Internally

Even if information is validly disclosed, you should still keep it on a “need to know” basis.

For example, if you receive sensitive information about a worker’s capacity, you generally don’t want it circulating through the whole team chat. The person managing the issue should receive it, and only the necessary operational details should be shared more broadly.

Align Your Consent Process With Your Contracts

If you’re collecting information as part of providing a service, your customer-facing documents should match your actual process.

Depending on your business model, this might involve:

• clear service terms (especially if you’re receiving third-party reports)
• confidentiality clauses with contractors
• clear role responsibilities for handling personal information

Be Consistent In How You Collect Signatures

Consent should be clear and provable. If you use a mix of:

• signed PDFs
• email “yes I agree” responses
• verbal consent over the phone

…you’re more likely to run into disputes later.

Pick a process that works and apply it consistently, especially for higher-risk information.

Don’t Forget The “Authority” Problem

Sometimes, the issue isn’t privacy - it’s whether someone actually has authority to request or receive information.

If your staff are dealing with suppliers, banks, landlords, or regulators, you may need documents that show they can act for your business, such as a Letter Of Authority.

This won’t replace a consent to release information form (which focuses on permission), but it can be crucial in operational settings where third parties want to confirm who they’re dealing with.

Key Takeaways

• A consent to release information form documents permission for one party to share defined information with another party for a specific purpose.
• Small businesses commonly use a release of information consent form for hiring checks, employee management situations, client coordination, and third-party verification.
• The best consent forms are specific: they identify who is disclosing, who is receiving, what can be shared, why it’s needed, how it will be shared, and when consent expires.
• Consent is only one part of good privacy practice - you should also align your processes with your Privacy Policy (where applicable), limit internal access, and store information securely.
• Overly broad or unclear consent forms can backfire by creating privacy risk, delays, and disputes, so it’s worth getting the wording right from the start.

If you’d like help preparing a consent to release information form (or reviewing your privacy and onboarding documentation), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.