Policing Privacy – Get Compliant!

Pharmacy owners often overlook having a Privacy Policy in place for their business. This can have significant consequences, and it looks like regulation in this area is only becoming stronger.

What is a Privacy Policy?

A Privacy Policy is a statement that explains how an organisation collects, manages and deals with an individual’s personal information. This personal information is usually collected from consumers, customers or individuals who visit an organisation’s website or interact with the organisation (in person or via virtual means).

Does a pharmacy need a Privacy Policy?

Yes, a pharmacy does need to have a Privacy Policy. This is because:

  • any organisation or agency that is covered by the Privacy Act 1988 (Cth) (“Act”) must have a Privacy Policy;
  • the Act states that the dispensing on prescription of a drug or medicinal preparation by a pharmacist is a health service; and
  • an organisation that provides a health service and holds health information is covered by the Act.

The small business exemption under the Act (businesses with an annual turnover of $3M or less) is not applicable to health service providers.

Where should a pharmacy keep its Privacy Policy?

Under the Act, a pharmacy must take such steps as are reasonable in the circumstances to make its Privacy Policy available free of charge and in an appropriate form. Whilst most organisations make their Privacy Policies available on their website, if an individual or entity requests a copy of the Privacy Policy in a particular form, the organisation must take reasonable steps to provide a copy of the Privacy Policy in the requested form.

Is your Privacy Policy compliant?

Australian Privacy Principle 1 clearly sets out what a Privacy Policy must include. It also requires that a Privacy Policy be clearly expressed and up to date. If your Privacy Policy does not satisfy the prescribed requirements, you will be in breach of the Act. For further information regarding the prescribed requirements, please contact us.

What if a pharmacy does not have a Privacy Policy or its Privacy Policy is not compliant?

If a pharmacy does not have a Privacy Policy or does not comply with the requirements under the Act with respect to its Privacy Policy, it will be in breach of the Act.

If you breach the Australian Privacy Principles (contained in the Act), it is deemed to be an interference with the privacy of an individual. Where an individual makes a complaint about such an interference, the Privacy Commissioner has the power to seek civil penalties for serious or repeated interferences or accept enforceable undertakings to comply with the Act. As such, the penalties which a pharmacy owner may face for breach of privacy are serious and may also potentially lead to disciplinary proceedings or breaches of other arrangements such as existing partnership agreements.

Likely requirement to amend your Privacy Policy

In February 2023, the Australian Attorney General published the Privacy Act Review Report (“Report”). The Report contained 116 proposals for reform to the Act and its contents were based on a significant amount of public consultation.

On 28 September 2023, the Government released its response to the Report in which it agreed to 38 of the proposals, agreed in principle to 68 proposals and ‘noted’ a further 10 proposals.

The agreed proposals, of which some will likely be formalised this year, include expanding the Courts’ enforcement powers, new low and mid-level penalty provisions and increasing security and data destruction obligations. These changes will most likely require organisations to update their Privacy Policies to ensure compliance with the Act.

If you would like assistance with any privacy matters, including the development or review of a privacy policy for your business, please do not hesitate to contact Vitality Law Australia on hello@vitalitylawaustralia.com or 07 2140 0522.


George Hanger is a Senior Associate at Vitality Law Australia, an award-winning commercial law firm servicing pharmacy businesses and healthcare professionals across Australia. For further information, email george@vitalitylawaustralia.com or visit www.vitalitylawaustralia.com


This article is intended to be for general information only. It does not constitute legal advice nor does it establish a relationship of client and lawyer. Specific circumstances or changes in law may vary the accuracy or applicability of the information published. We recommend seeking specific legal advice particular to your circumstances before taking any action, or refraining from taking any action, on any issue dealt with in this article.