Privacy
OAIC 2026 privacy compliance sweep
The Office of the Australian Information Commissioner (OAIC) is conducting a national 2026 compliance sweep focused on businesses that collect personal information in person, including community pharmacies. The sweep is intended to confirm pharmacies are meeting obligations under Australian privacy law and flagged particular attention on information collected for paperless (digital) receipts (e.g., via email and/or mobile numbers) and identity verification for medication supply (i.e., collecting only what is necessary to ensure the right medicine is supplied to the right person).
To prepare, members should ensure their pharmacy’s privacy policy is current, accurate, easy to find and understand, and reflects actual on-site pharmacy practices; that staff can clearly explain what information is collected, why it’s collected, and how patients can find out more, including when consent is or isn’t required.
To assist, the Guild has made available the following resources:
If your pharmacy is selected, it is recommended that your team engage professionally and openly, confirm the OAIC representative’s identity and authority, and feel comfortable asking questions or requesting concerns be noted as part of a transparent process; you can also contact the OAIC directly on 1300 363 992 for clarification.
The Guild’s Privacy Policy
The Guild has adopted the Layered Privacy Notice format.
View the Guild's Privacy Policy online.
Privacy in community pharmacy
The Privacy Act 1988 (Privacy Act) provides protection to individuals against the mishandling of personal information and applies to organisations which include individuals, partnerships, corporations and unincorporated associations. It does not apply to individuals in a non-business capacity.
Guild members can access a range of resources to assist in meeting the Australian Privacy Principles on the Privacy in community pharmacy page.
Privacy Dos and Don’ts
Do
- Have a privacy policy in place and ensure all staff understand and comply at all times with your policy (see Privacy form template: Confidentiality undertaking).
- Implement a training program for your staff and ensure that they understand their privacy obligations in your workplace.
- Seek a consumer’s consent before using or disclosing their personal or health information, except where this is not required by law (e.g. PBS-related processes) (see Privacy form templates: Collection and disclosure of information (for the provision of health services) and Collection and disclosure of Information (for direct marketing purposes)).
- Take immediate corrective action if there is a data breach of personal information held by you or your pharmacy. (Refer to the data breach response process on the Office of the Australian Information Commissioner web site.
Do Not
- Discuss a consumer’s personal or health details in open or public areas or in an indiscreet manner (e.g. loud voice).
- Discuss details of medicines or treatment regimens with anyone other than the consumer’s treating practitioner.
- Leave a consumer’s personal or health information (including medicines awaiting collection) in a way where it can be seen (e.g. on a pharmacy counter) or heard (e.g. leaving a telephone message on an impersonal number) by others.
- Automatically provide details of a consumer’s medicines or medication history to family members who might request the information.
- Use a consumer’s personal information for direct marketing activities (e.g. promotions) by your pharmacy without the consumer’s consent.
- Disclose a consumer’s personal details to direct marketing companies, pharmaceutical companies or research organisations without the consumer’s consent.
Page last updated on: 20 February 2026