Privacy Law and Ethics

Semester 2, 2017


Understanding your legal and professional responsibilities is critical for making good decisions.

You are expected to have a familiarity with key legal and professional resources (see Table in next slide). This means being able to find your way around the key legislative documents.

The objectives of this module are

Key concepts

  1. Australian Privacy Law is principle-based. There are 13 Australian Privacy Principles.
  2. Pharmacists have direct responsibilities under the Privacy Act. Pharmacists working privately are an ‘APP entity’.
  3. Personal information is any information that can identify a person
  4. There are additional obligations when collecting, using or disclosing sensitive information, including health information
  5. Pharmacists can collect health information to provide health services
  6. Pharmacists often need consent from consumers prior to disclosing health information or using information for a secondary purpose (there are some exceptions)

Australian Privacy Principles: Background and Key Terms

Principle-based legislation

The Privacy Act provides 13 high-level principles for guiding what is to be considered ‘personal information’, and how it can be collected and used.

Principle-based legislation focuses on a small number of key principles that need to be considered. It is then the responsibility of businesses and other entities to develop and implement policies and practices that are consistent with these principles.

Compare this approach to the approach used in the HDPR


The Office of the Australian Information Commissioner provides a lot of guidance on the Australian Privacy Principles.

We will focus on the summary provided in Privacy fact sheet 17 and Australian Privacy Principles (APP) Guidelines.

Download these now

The APP Guidelines is a 200+ page document. The PDF is relatively easy to navigate electronically.

The initial chapters outline the key terms (Chapters A–D). Subsequent chapters refer to each APP. Each point made in the guidelines has a unique reference, e.g. A.2 is point two of chapter A; 6.21 is point 21 of chapter 6 regarding APP 6.

The Australian Privacy Principles (APPs)

  1. Open and transparent management of personal information
  2. Anonymity and pseudonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use or disclosure of personal information
  7. Direct marketing
  8. Cross-border disclosure of personal information
  9. Adoption, use or disclosure of government identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information

Key terms: Personal information

See the definition in the APP Guideline, B.85.

Personal information is any “information or opinion about an identified individual, or an individual who is reasonably identifiable”.

This covers a lot. It includes:

…an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, … (B.86, APP Guidelines)

Key terms: Sensitive information

“Sensitive information” is personal information that has additional protections because of the nature of the information.

Sensitive information includes information or an opinion about an individual’s racial or ethnic origin, political opinions, religious beliefs, etc.

Importantly: health information is sensitive information.

This means there are additional considerations regarding the collection, use and disclosure of health information

Read the information provided regarding health information in the APP Guidelines, B.74–B.75

Key terms: APP entity

Pharmacists are an APP entity: they have responsibilities under the Privacy Act

Large Australian Government agencies and businesses have responsibilities under the Privacy Act (including, for instance, UQ).

So too do private health service providers (see link). This includes pharmacists working in community pharmacies, private hospital pharmacies and consultant pharmacists.

The Privacy Act doesn’t cover state or territory government agencies, which can have their own privacy regulations—though some refer back to the APP (see Office of Information Commissioner (QLD)).

Responsibilities under specific APPs

APP 1: Open and transparent management of personal information

What is your privacy policy?

All APP entities, including pharmacists, need to:

  1. Implement practices, procedures and systems that comply with the APPs
  2. Have a clearly expressed policy about how the entity manages personal information, and
  3. Make the policy freely available in an appropriate form

Many pharmacies will have a privacy policy as part of their QCPP accreditation.

APP 3: Collection of solicited personal information

What information can you ask someone to provide?

In general

An APP entity can’t ask you for (solicit) personal information and then record it (collection) unless it is “reasonably necessary” and “directly related” to the function of the entity.

It can’t solicit (or record) sensitive information unless you (i) consent and (ii) the information is “reasonably necessary” for the function of the entity.

A university might collect information about your academic record. It can’t solicit and record your political views.

APP 3: Collection of solicited personal information

Health services

Pharmacies can collect health information (which is sensitive information) provided it is necessary to provide the health service and collection is either required under law or in accordance with professional standards. (APP Guidelines, 3.43)

Provision of a health service is a “permitted health situation” (APP Guidelines D.1–4)

Permitted health situations permit health professionals to collect, use and disclose health information in specific circumstances.

Do the permitted health situations permit pharmacists to disclose health information to a person’s general practitioner? (see APP Guidelines D.2)

APP 6: Use or disclosure of personal information

What can you do with the information you have collected?

Key idea

APP Guidelines define “primary purpose” (B.98, B.101), “secondary purpose” (B.98) and “consent” (B.35)

What are the exemptions?—“permitted general situations” (Chapter C) and “permitted health situations” (Chapter D)

APP 6: Use or disclosure of personal information

Relevance to pharmacy: primary purpose

The “primary purpose” pharmacists collect health information is typically to:

If you want to disclose this information to a third party, such as to another health professional or a family member of the consumer, you need consent from the consumer (or an exemption).

Contexts will differ. If you disclose information for what you consider to be the primary purpose you will need to justify your decision.

“Primary purpose” should be defined narrowly. APP Guidelines, B.101.

APP 6: Use or disclosure of personal information

Relevance to pharmacy: exemptions

Where the use or disclosure is required by law (APP Guideline 6.29)

Recording S3 pseudoephedrine sales in Project Stop

Where a “permitted general situation” applies (APP Guidelines 6.32–6.46). The most relevant is: “Lessening or preventing a serious threat to life, health or safety”.

Disclosing a consumer’s medication history to a paramedic attending the consumer who has passed out in your pharmacy

“Permitted health situations” are most relevant for the collection of health information by pharmacists and permit disclosure when conducting appropriate research (APP Guidelines, Chapter D)

Professional Guidance

Professional guidance is consistent with the APP. However, the details of what is required are in the APP documents.

Applying the APP to practice scenarios

What to do

Think through the following practice scenarios.

References to the APP Guidelines are provided to assist.

Different opinions are possible for some of these scenarios. The onus is on you to justify your decisions in accordance with the APPs.

Collecting information

You worry that a consumer is purchasing too many Panadeine Extra® tablets (paracetamol/codeine 500mg/15mg, 24).

Can you request and record this consumer’s driver’s license details?

This scenario relates to APP 3. Things to consider:

Disclosing information

A consumer would like a detailed receipt for all his wife’s medication purchases for the tax year.

Can you comply?

This scenario relates to APP 6. Things to consider:

Disclosing information

You are concerned for a consumer who is purchasing large quantities of ibuprofen/codeine. You would like to contact the consumer’s GP.

Do you need the consumer’s consent?

This scenario relates to APP 6. Things to consider:

Can you contact the consumer’s GP if they refuse to provide consent?

In what kind of situations would an exemption apply?

Next step

Do the quiz!