Know Your Rights When It Comes To Your Health Data

Every time you show your eScript QR code at a pharmacy, something happens that most people don't know about.

Your mobile number comes with it.

It's stored inside the script. When the pharmacy scans your QR code to dispense your medication, they capture your number. That's how the system works – and it makes sense, because that's how you receive your next repeat script. Your next script, when you need it.

What happens to that number after that? That's where it gets interesting.

So what's the problem?

Your mobile number was collected for a specific purpose – to send you your repeat script. Under the Australian Privacy Act 1988, personal information should only be used for the primary purpose it was collected for. This is called purpose limitation, and it's one of the 13 Australian Privacy Principles (APPs) that organisations handling your data are required to follow.

Using that number to send you app invitations, promotional health campaigns, or booking requests you didn't initiate – without your consent – is not the same purpose.

This is different to transaction confirmations, reminders for a service you actually booked, or script ready notifications. Those make sense. Those are why the number was collected in the first place. The line gets crossed when your data is used for something you didn't ask for and weren't told about.

What about marketing messages?

Under Australia's Spam Act 2003, every commercial electronic message – including SMS – must include a way to unsubscribe. No opt-out link or reply option? That's not just poor form. It may be a breach, enforced by the Australian Communications and Media Authority (ACMA).

So if you've received a marketing SMS from a pharmacy you visited and there was no way to opt out – that's worth knowing about.

But I might actually want health reminders?

Absolutely – and that's the point. A flu shot reminder, a medication refill nudge, news about a new service – these can be genuinely useful. The issue isn't the message. It's whether anyone asked you first.

Consent should be a conversation. "Would you like to receive health reminders from us?" Simple.

If nobody asked – you didn't consent.

A word on being reasonable

Before assuming the worst – take a breath. There are a few possibilities here. The pharmacist may have had no idea their system was set up to do this. You may have signed up for something a while ago and forgotten about it. Or it could genuinely be a consent issue.

The point isn't to accuse anyone. It's to ask. You have the right as a health consumer to know how your data is being used – and a simple question at the counter or a quick check of your inbox for a signup confirmation is a good place to start.

Read the privacy policy – yes, really

More and more health platforms are using AI tools to personalise services, automate communications, and analyse patient data. That's not necessarily a bad thing – but it does mean the fine print matters more than ever.

Before you sign up for any pharmacy app, digital health service, or patient platform – take a few minutes to read the privacy policy or terms of use. We know it's not exactly a page-turner. But it tells you a lot.

Look for: how your data is collected, what it's used for, whether it's shared with third parties, and whether AI tools are involved in processing it. Ask yourself – am I comfortable with this? Do I understand what I'm agreeing to?

If the answer is no – that's useful information. You don't have to sign up. And if you're already signed up and want to know more, you have the right to ask.

What can you do?

• Ask your pharmacy how they use your data. You have the right to know.

• Opt out of any marketing messages you didn't sign up for. Under Australian law, they must action your request.

• Read the privacy policy of any health app or platform before you sign up. Understand what you're agreeing to.

• Use Scripty to manage your scripts digitally – so you stay in control of where your information goes and how your scripts are managed.

And if you think your data has been misused, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

This article was inspired by a piece originally published on LinkedIn by co-founder of Scripty republished with permission and also published on Pharmacy Daily.

Scripty is a free eScript wallet app that helps you manage your scripts digitally, in one place. Download it at getscripty.app