The Office of the Australian Information Commissioner (OAIC) has announced a targeted privacy policy audit program, examining whether businesses’ privacy policies comply with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles.
Importantly, community pharmacies are firmly within the OAIC’s spotlight.
What is the OAIC reviewing?
The OAIC has indicated its review will focus on selected sectors that collect personal information directly from individuals, in person. Community pharmacies have been identified as one of six target sectors, with the OAIC indicating that its pharmacy audit will focus specifically on personal information collected for the purpose of issuing paperless receipts and the dispensing of medication.
The other five sectors being targeted are:
- rental and property – collection of individuals’ personal information during property inspections
- licensed venues – collection of identity information to enable individuals to access a venue
- car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement
- car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive
- pawnbrokers/second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.
The OAIC has stated that the target sectors have been selected because of the privacy risks associated with the collection of personal information, particularly personal identification documents, in these sectors. The OAIC’s announcement also indicates that these sectors are a focus given the prevalence of privacy breaches that have occurred in them to date.
Why this matters for community pharmacies
Community pharmacies collect large volumes of personal information, including sensitive health information. As pharmacies expand into providing more and more services (for example, expansion into full scope, vaccinations, provision of online and digital health platforms), privacy compliance risks increase and privacy policies must be continuously updated to reflect the lifecycle of personal information in connection with each of these activities.
The OAIC’s guidance makes clear that a privacy policy must:
- be tailored to an organisation’s information handling practices
- be written in clear and accessible language, and
- cover all required details about the collection, use and management of personal information.
Privacy policies that are generic, difficult to understand, or do not reflect the organisation’s actual privacy practices risk falling short of the APP 1 requirements and exposing the business to penalties and reputational damage.
Enforcement: infringement notices and financial penalties
Importantly, the OAIC has indicated that it will use infringement notices as its primary enforcement mechanism where it finds, as a result of the audit, that a privacy policy is non-compliant.
Under the recently introduced section 13K of the Privacy Act, infringement notices currently carry the following financial penalties:
- AUD $3,960 per contravention for individuals (12 penalty units)
- AUD $19,800 per contravention for body corporates (60 penalty units)
- AUD $66,000 per contravention for listed corporations (200 penalty units).
These penalties can be issued without court proceedings, making privacy policy failures a real and tangible risk.
Detail on the OAIC’s expanded enforcement powers is further discussed in a recent article by Meridian Lawyers found here.
Time to review your privacy policy
For community pharmacies, a compliant privacy policy is not just a legal requirement; it is core risk mitigation. Furthermore, individuals are at the core of all service offerings provided by community pharmacy. Having good privacy practices ensures an ongoing relationship of trust with your clients.
If your business does not have a compliant privacy policy, or if it has not been reviewed recently, now is the time to rectify this. Here at Meridian Lawyers, we work closely with community pharmacy businesses and are happy to help ensure your privacy documentation is compliant, practical and fit for purpose.
This article was written by Special Counsel Hayley Bowman and Associate John Florio. Please contact Hayley if you have any questions or would like more information.
Disclaimer: This information is current as of March 2026. This article does not constitute legal advice and does not give rise to any solicitor/client relationship between Meridian Lawyers and the reader. Professional legal advice should be sought before acting or relying upon the content of this article.
Special Counsel Hayley Bowman and Consultant Georgina Odell will be attending the APP Conference on the Gold Coast from 12–14 March 2026. If you would like to connect with them during the conference, please message Georgina or Hayley directly.

