Under the Act, any organisation that provides a health service and handles health information is legally required to comply with its provisions. The dispensing on prescription of a drug or medicinal preparation by a pharmacist is expressly recognised under the Act as being a ‘health service’.
As a result, all community pharmacies, regardless of size or annual turnover, must comply with the Act and the Australian Privacy Principles (APPs) that are incorporated into the Act.
The APPs are a set of 13 rules that govern how personal information must be handled throughout its lifecycle. Central to the obligations set out in the APPs is the requirement for all community pharmacies to have an up-to-date, transparent, and easily accessible Privacy Policy and to provide individuals with a Privacy Collection Notice at the point of collecting their personal information.
Following the introduction of the APPs in March 2014, the Privacy Commissioner of the Office of the Australian Information Commissioner (OAIC) had limited ability to enforce the APPs.
The OAIC’s enforcement powers were limited to litigation, resulting in action often only being initiated where privacy breaches were serious or repeated, and where civil penalties were sought.
That landscape significantly changed in December 2024, with the introduction of new legislation granting the OAIC broader enforcement powers and increasing the penalties for privacy breaches.
Of particular note for community pharmacists is the OAIC's ability to now issue compliance and infringement notices for breaches of specific APPs. This power, set out in section 13K of the Act, enables the Privacy Commissioner to issue civil financial penalties for specific, minor breaches of the Act that are not serious enough to be classified as a ‘serious interference’ with privacy.
These amendments aim to give the Privacy Commissioner an enforcement mechanism to hold entities accountable for technical and administrative privacy failures that are considered less serious violations of the Act.
The OAIC now has the ability to issue compliance or infringement notices – for example, if a community pharmacy does not have a Privacy Policy, or if its Privacy Policy does not contain all information required under APP 1.4.
Infringement notices under section 13K currently have a financial penalty of:
- AUD3,960 per contravention for individuals (12 Penalty Units)
- AUD19,800 per contravention for bodies corporate (60 Penalty Units), and
- AUD66,000 for contravention by listed corporations (200 Penalty Units).
As a result, even small oversights, like an outdated or incomplete Privacy Policy, can now trigger regulatory scrutiny and financial consequences. While there are not yet any published examples of the OAIC applying these new powers, the risk of penalties can be avoided with good privacy and compliance practices.
Spotlight on APP1 – Privacy Policies
APP 1 of the Act sets out the requirements for organisations to manage personal information transparently.
Under APP 1.3, your pharmacy business must have a clearly expressed and current Privacy Policy that explains how it manages personal information.
APP 1.4 sets out what a Privacy Policy must include. Some simple but essential steps to ensure your Privacy Policy meets these requirements include:
- regularly review your Privacy Policy: make sure it is accurate, covers all elements of APP 1.4 and is written in plain, accessible language. We encourage you to obtain legal advice to confirm that your policy meets all legal obligations. Your Privacy Policy should also be tailored to your pharmacy business.
- make it accessible: publish it online and make it available in-store for patients to view or access.
- train your staff: ensure every team member understands their obligations throughout the lifecycle of the personal information that they may come into contact with, as well as how to respond to privacy enquiries or complaints.
Spotlight on APP5 – Privacy Collection Notices
APP 5 relates to Privacy Collection Notices. A Privacy Collection Notice is equally as important as a Privacy Policy, but they serve different purposes. A Privacy Collection Notice ensures individuals are informed about how their personal information is being collected and used and helps establish valid consent.
APP 5 requires a pharmacy to take reasonable steps to notify individuals of certain information at or before the collection of their personal information. Such a notification is called a Privacy Collection Notice. The Privacy Collection Notice must include:
- the identity and contact details of the pharmacy
- the circumstances of collection (e.g. how, when, and from where the personal information was collected)
- any law that authorises or requires the collection – such as the National Health Act 1953 (Cth)
- the primary purpose for which the information is being collected
- the consequences (if any) for the individual if the information is not collected – for example, being unable to provide the requested services
- the organisations or bodies to which the information will be disclosed
- a link to the pharmacy’s Privacy Policy where the individual can obtain details about how to seek access to, and correct, their personal information
- details about how to make a complaint, and
- confirmation of whether personal information is likely to be disclosed by the pharmacy to overseas recipients – and if so, the countries where those recipients are likely to be located.
Failure to have a Privacy Collection Notice
Failure to have a Privacy Collection Notice risks breaching the new section 13H of the Act, which establishes a civil penalty provision for ‘interference with privacy of an individual’. A breach of this provision currently attracts a maximum penalty of AUD660,000.
Final thoughts
If your pharmacy does not yet have, or has not recently reviewed, a Privacy Policy or does not routinely use Privacy Collection Notices, now is the time to act. A well-drafted Privacy Policy and Privacy Collection Notices are simple yet crucial steps to protect your customers, your reputation, and your business.
How can we help
Meridian Lawyers’ Corporate and Commercial team has specialist knowledge in privacy and pharmacy legislation and regulation in Australia. We have detailed knowledge of the pharmacy industry, having acted for many pharmacists throughout the country, and we are the principal legal advisor to the Pharmacy Guild of Australia.
If you have any questions or require further information about privacy, commercial, or corporate law, please contact:
Hayley Bowman
- Special Counsel
- +61 3 9810 6723
- hbowman@meridianlawyers.com.au
Mark Fitzgerald
- Principal
- +61 3 9810 6767
- mfitzgerald@meridianlawyers.com.au
Georgina Odell
- Consultant
- +61 2 9018 9975
- godell@meridianlawyers.com.au