On 12 March 2014 a significant update was made to Australian privacy and information laws, marking a major change in the way Australian businesses must deal with customer data.

The changes include the Australian Privacy Principles (APPs), new investigation and increased enforcement powers for the Commissioner, and penalties of up to $1.7 M for non-compliance.

Businesses that are bound by the changes are now required to have open and transparent privacy policies that comply with all the new rules.

Pharmacists’ legal position under the Privacy Act 1988

Most private sector businesses with a turnover of less than $3m are exempt from having to comply with the Privacy Act. However, businesses that are considered to be “health services” are not exempt, even if they are private businesses with a turnover of less than $3m.

Health services under the Privacy Act 1988 include “the dispensing on prescription of a drug or medicinal preparation by a pharmacist”.

Accordingly, all pharmacy businesses fall under the ambit of the Privacy Act and are required to comply with its provisions.

The new Australian Privacy Principles


APP1 Open and transparent management of personal information
Companies must manage personal information in an open and transparent way which includes having a clear and up to date privacy policy. Companies must take reasonable steps to comply with the APPs, by implementing policies and procedures, including putting in place appropriate systems to deal with inquiries and complaints.
APP2 Anonymity and pseudonymity
Companies must (with limited exceptions) give individuals the option of remaining anonymous, or using a pseudonym, when they interact with the company.
APP3 Collection of solicited information
Personal information should only be collected when it is reasonably necessary for the company to perform its functions.

Sensitive information should only be collected:

  • lawfully;
  • when it is reasonably necessary;
  • from the individual concerned; and
  • with the individual’s consent.
APP4 Dealing with unsolicited personal information
If a company receives unsolicited personal information, the company must determine whether it could have collected that information by requesting it directly. If so, then APP3 applies. If not, then the company must destroy or de-identify the information if it can.
APP5 Notification of the collection of personal information
Companies must take reasonable steps to notify people they are collecting information from, including:

  • the way that an individual can access and ask for changes to their personal information;
  • that the privacy policy outlines the company’s complaint procedure;
  • whether the company is likely to share personal information overseas, and if so with which countries; and
  • if the company has collected personal information from a source other than the individual, how that has happened.
APP6 Use or disclosure of personal information
Companies cannot use or share personal information other than for the reason it was collected. Limited exceptions apply:

  • the individual has given their consent;
  • the use or disclosure is for a closely related purpose that is legally authorised; or
  • it is in the interest of public safety.
APP7 Direct marketing
A company cannot use or share personal information for direct marketing or sales, unless:

  • the information was collected from the individual;
  • the individual would reasonably have expected the information to be used that way;
  • there is a way to opt out; and
  • no opt out request has been made.

Some exceptions apply in particular circumstances.

APP8 Cross-border disclosure of personal information
Entities must take reasonable steps to prevent overseas recipients of personal information from breaching the APPs, unless an exception applies. The exceptions include:

  • the Australian company reasonably believes that the overseas recipient is subject to rules that provide essentially the same protection as the APPs; and
  • the individual consents to limiting the company’s liability when information has been shared across borders.
APP9 Adoption, use or disclosure of government related identifiers
Companies are forbidden to:

  • use a government related identifier (such as a passport or driver’s licence number) as their own identifier; and
  • disclose an individual’s government related identifier, if they know it.
APP10 Quality of personal information
Companies must take reasonable steps to ensure that the personal information they collect, use or share is accurate, current and complete.
APP11 Security of personal information
A company must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. Information that is no longer needed for the collected purpose or for legal requirements must be destroyed or de-identified.
APP12 Access to personal information
When an individual requests access to their personal information, a company must comply with the request unless an exception applies. If the company charges the individual for giving access to the information, the charge must not be excessive and must not apply to the making of the request.
APP13 Correction of personal information
If the company suspects that personal information is inaccurate, incomplete or out-of-date, the company must take reasonable steps to correct the information. The company must respond to an individual’s request to correct information within a reasonable time. If personal information which has been disclosed to a third party is corrected, the company is required to notify the third party of the correction if requested to by the individual, unless this would be impractical or unlawful.

Steps to ensure compliance with the Australian Privacy Principles

1. Assess customer data
The first step is to identify what customer data your business collects, for what purposes it is collected, where it is stored and how you communicate with customers. Defining the scope of your customer data can save time and resources for your business going forward. Once the audit is complete, we recommend seeking legal advice to evaluate how your business complies with the new Privacy Principles.
 
eHealth Records
It is important to note that pharmacists are able to access eHealth records. eHealth records are medical records stored in an online database at the request of a consumer, so that Healthcare Provider Organisations have easy access to medical records for the purposes of providing healthcare services.
Such records are protected by the Personally Controlled Electronic Health Records Act 2012 which provides for harsh penalties to be imposed upon organisations or individuals who access eHealth records without authorisation.
However, there is enormous consumer control in relation to eHealth as it is the consumer who has the ability to determine what information is contained in these eHealth records as well as which organisations have access to these records.
If you are not an authorised organisation and you access a customer’s eHealth records without their authorisation, you may be liable to sanctions under the Personally Controlled Electronic Health Records Act 2012.
You should consider recommending that your customers create an eHealth account allowing healthcare providers to access their information easily in order to facilitate the provision of healthcare services in the event of an accident or other unexpected health complications.
The eHealth database also records details of who has accessed an eHealth record. The eHealth record access history will contain information such as:
  • the date and time that the eHealth record was accessed or edited;
  • the organisation that accessed or edited the eHealth record;
  • whether the eHealth record was accessed because of a medical emergency; and
  • details of the action that occurred (e.g. a clinical document created or removed or individual contact details were amended).
Accordingly, the consumer is able to view their own medical records online, see who has accessed those records and for what purpose, and determine both which documents form part of their eHealth record and who can access it.
2. Get your Privacy Policy ready
A major change under the Act is the compulsory requirement for a Privacy Policy about the management of personal information by your business. The policy must be personalised to reflect your business, updated at regular intervals, easy to understand and will usually be available on the business’ website.
 
3. Manage customer data
Businesses will need to investigate how technology can help them keep track of customer data: having a structured system in place will make compliance easier, especially if your business is audited. Recommending the use of eHealth services to your customers may assist in this regard.
 
4. Train your Staff
The Privacy Policy guidelines recommend regular staff training on the Privacy Principles and their effects on the business. Depending on the size of your business it may be prudent to appoint a Privacy Officer dedicated to supervising the business’ use of customer data, even if it is not a full time role.
5. Permitted Health Situations
Section 16B of the Privacy Act 1988, which provides for permitted health situations in relation to the collection, use or disclosure of health information, will apply to pharmacists.
The permitted health situations under the Privacy Act 1988 applying to pharmacists are as follows:
  1. The collection of information in relation to the provision of a health service is permitted where the information is necessary to provide a health service to the individual and either the collection is required or authorised by law, or the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.
  2. Use or disclosure of information is permitted where the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety; and
    1. it is impracticable for the organisation to obtain the individual’s consent to the use or disclosure; and
    2. the use or disclosure is conducted in accordance with guidelines approved under section 95A for the purposes of this paragraph; and
    3. in the case of disclosure, the organisation reasonably believes that the recipient of the information will not disclose the information, or personal information derived from that information.
Pointon Partners has significant experience in dealing with the above issues.