INSIGHTS: Be Data Smart

September 3, 2019


Pharmacy data is a valuable resource and pharmacy owners are increasingly being asked to permit third parties to access their pharmacy computer systems for a range of purposes.

Pharmacy owners need to be extremely cautious about permitting third parties to access their pharmacy computer systems and before doing so should ensure that they question and fully understand:

  • what data the third party will be able to access through its software and extraction tools
  • for what purpose or purposes is data being accessed and used, and
  • whether the third party actually requires the data to perform the agreed service.

For example:

  • to operate a loyalty scheme, the service provider will require personal information of consumers but should not require health or other sensitive information
  • to provide business intelligence services, such as providing dispensary profitability reports, the service provider need not acquire any personal information about patients at all.

If personal information is not required, then the third party should agree that all data will be de-identified at the point of extraction in a manner that prevents it from being re-identified.

If a consumer’s personal information (including sensitive information) is to be shared with a third party for a purpose that would not be reasonably contemplated by the consumer, then the consumer’s fully informed consent must be obtained which means that the consent should not be hidden in fine print in pages of terms and conditions or a privacy policy.

Service providers, suppliers and others should not claim ownership of your pharmacy data or place restrictions that prevent the pharmacy owner from disclosing data to others.

In our experience, most data acquisition agreements are one sided and unfair from a pharmacy owner’s perspective. They typically seek to limit the service provider’s exposure to claims, with minimal or no protections for the pharmacy owner.

A pharmacy owner should reasonably expect warranties from the service provider that it owns the IP rights in the software and that the pharmacist’s use of the software will not breach any laws (including privacy laws). Pharmacy owners should consider requesting an indemnity from third parties accessing pharmacy data for any loss or damage caused by negligent, unlawful, or wilfully wrong acts or omissions of the service provider or its personnel in connection with its data collection activities.

Don’t assume that your privacy or other legal obligations have been considered just because you are dealing with a well-known data company with standard terms and conditions. We recognise that the provision of data to data firms, suppliers and other third parties is often linked to obtaining favourable supply terms, and that obtaining those terms is important to the ongoing success of your business. Our message to pharmacy owners is simple – you have onerous obligations under privacy laws. Make sure you ask the right questions and get the right answers, before allowing third parties to extract data from your computer systems. What data? Why that data? What data do you really need?

Please contact Mark Fitzgerald if you have any questions or you would like advice.

Disclaimer: This information is current as of September 2019. This article does not constitute legal advice and does not give rise to any solicitor/client relationship between Meridian Lawyers and the reader. Professional legal advice should be sought before acting or relying upon the content of this article.