Adam La Caze
School of Pharmacy
The University of Queensland
Understanding your legal and professional responsibilities is critical for making good decisions.
You are expected to have a familiarity with key legal and professional resources (see Table in next slide). This means being able to find your way around the key legislative documents.
The objectives of this module are
Resource | Note |
---|---|
MPMR | Drug/medicine regulations for QLD |
PSA Code of Ethics | Outlines key professional standards |
PBA Code of Conduct | Professional standards for health professions |
PBA Guidelines and Policies | Important professional guidance documents. |
Privacy Act 1988 | Privacy fact sheet 17 provides a summary |
Notifiable Data Breaches scheme | New regulations for notifying people of data breaches that affect pharmacies |
The Privacy Act provides 13 high-level principles for guiding what is to be considered ‘personal information’, and how it can be collected and used.
Principle-based legislation focuses on a small number of key principles that need to be considered. It is then the responsibility of businesses and other entities to develop and implement policies and practices that are consistent with these principles.
Compare this approach to the approach used in the HDPR
The Office of the Australian Information Commissioner provides a lot of guidance on the Australian Privacy Principles.
We will focus on the summary provided in Privacy fact sheet 17 and Australian Privacy Principles (APP) Guidelines.
Download these now
The APP Guidelines is a 200+ page document. The pdf is relatively easy to navigate electronically.
The initial chapters outline the key terms (Chapter A–D). Subsequent chapters refer to each APP. Each point made in the guidelines has a unique reference, e.g. A.2 is point two of chapter A; 6.21 is point 21 of chapter 6 regarding APP 6.
See the definition in the APP Guideline, B.85.
Personal information is any “information or opinion about an identified individual, or an individual who is reasonably identifiable”.
This covers a lot. It includes:
…an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, … (B.86, APP Guidelines)
“Sensitive information” is personal information that has additional protections because of the nature of the information.
Sensitive information includes information or an opinion about an individual’s racial or ethnic origin, political opinions, religious beliefs, etc.
Importantly: health information is sensitive information.
This means there are additional considerations regarding the collection, use and disclosure of health information
Read the information provided regarding health information in the APP Guidelines, B.74–B.75
Pharmacists are an APP entity: they have responsibilities under the Privacy Act
Large Australian Government agencies and businesses have responsibilities under the Privacy Act (including, for instance, UQ).
So too do private health service providers (see link). This includes pharmacists working in community pharmacies, private hospital pharmacies and consultant pharmacists.
The Privacy Act doesn’t cover state or territory government agencies, which can have their own privacy regulations—though some refer back to the APP (see Office of Information Commissioner (QLD)).
What is your privacy policy?
All APP entities, including pharmacists, need to:
Many pharmacies will have a privacy policy as part of their accreditation.
What information can you ask someone to provide?
An APP entity can’t ask you for (solicit) personal information and then record it (collection) unless it is “reasonably necessary” and “directly related” to the function of the entity.
It can’t solicit (or record) sensitive information unless you (i) consent and (ii) the information is “reasonably necessary” for the function of the entity.
A university might collect information about your academic record. It can’t solicit and record your political views.
Pharmacies can collect health information (which is sensitive information) providing it is necessary to provide the health service and either collection is required under law, or in accordance with professional standards. (APP Guidelines, 3.43)
Provision of a health service is a “permitted health situation” (APP Guidelines D.1–4)
Permitted health situations permit health professionals to collect, use and disclose health information in specific circumstances.
Do the permitted health situations permit pharmacists to disclose health information to a person’s general practitioner? (see APP Guidelines D.2)
What can you do with the information you have collected?
APP Guidelines define “primary purpose” (B.98, B.101), “secondary purpose” (B.98) and “consent” (B.35)
What are the exemptions?—“permitted general situations” (Chapter C) and “permitted health situations” (Chapter D)
The “primary purpose” pharmacists collect health information is typically to:
If you want to disclose this information to a third party, such as to another health professional or a family member of the consumer: you need consent from the consumer (or an exemption).
Contexts will differ. If you disclose information for what you consider to be the primary purpose you will need to justify your decision.
“Primary purpose” should be defined narrowly. APP Guidelines, B.101.
Where the use or disclosure is required by law (APP Guideline 6.29)
Recording S3 pseudoephedrine sales in Project Stop
Where a “permitted general situation” applies (APP Guidelines 6.32–6.46). The most relevant is: “Lessening or preventing a serious threat to life, health or safety”.
Disclosing a consumer’s medication history to a paramedic attending the consumer who has passed out in your pharmacy
“Permitted health situations” are most relevant for the collection of health information by pharmacists and permit disclosure when conducting appropriate research (APP Guidelines, Chapter D)
Professional guidance is consistent with the APP. However, the details of what is required are in the APP documents.
PBA Code of Conduct, 3.4 “Confidentiality and privacy”. Some of the items:
seeking consent from patients or clients before disclosing information, where practicable
…
sharing information appropriately about patients or clients for their healthcare while remaining consistent with privacy legislation and professional guidelines about confidentiality
PSA Code of Ethics, Principle 2 Informed Consent. Including:
2.5 Ensure confidentiality of the consumer’s information
Since February 2018 certain APP entities have an obligation to notify affected individuals and the Australian Information Commissioner if there has been a data breach that is likely to result in serious harm.
See website, which is very helpful.
Data breaches occur whenever there is unauthorised access, disclosure or loss of data from an APP entity.
Community pharmacies (and consultant pharmacists) are private health services providers—this means they have responsibilities under the Privacy Act and the notifiable data breaches scheme.
Pharmacies have an obligation to notify individuals and the Australian Information Commissioner regarding any data breach that is likely to result in serious harm to any of the affected individuals.
The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not.
In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
The judgement is made on the basis of a ‘reasonable person’ and depends on the extent of the breach, the nature of the data and who may have unauthorised access to the data.
Given the sensitive nature of health information kept by pharmacies, any significant data breach is likely to meet these definitions.
Think through the following practice scenarios.
References to the APP Guidelines are provided to assist.
Different opinions are possible for some of these scenarios. The onus is on you to justify your decisions in accordance with the APPs.
You worry that a consumer is purchasing too many Panadeine Extra® tablets (paracetamol/codeine 500mg/15mg, 24)
Can you request and record this consumer’s driver’s license details?
This scenario relates to APP 3. Things to consider:
A consumer would like a detailed receipt for all his wife’s medication purchases for the tax year.
Can you comply?
This scenario relates to APP 6. Things to consider:
You are concerned for a consumer who is purchasing large quantities of ibuprofen/codeine. You would like to contact the consumer’s GP.
Do you need the consumer’s consent?
This scenario relates to APP 6. Things to consider:
Can you contact the consumer’s GP if they refuse to provide consent?
In what kind of situations would an exemption apply?