Pharmacy Daily | When it comes to trust, consent matters

DIGITAL health advocate Mina Giang highlights the importance of gaining patient consent when collecting data.

Got an opinion or experience to share? Let us know in up to 400 words via email to info@pharmacydaily.com.au.

Pharmacy has spent the last decade borrowing from e-commerce - the loyalty mechanics, the re-engagement flows, the acquisition funnels and the campaign triggers.

Some of it makes sense - connecting patients to services, reducing friction and making healthcare feel more accessible.

But somewhere in all of that borrowing, something got missed.

I understand why customer loyalty and upselling services matters to your retail business, but you cannot treat my clinical data like a retail transaction.

How you handle what comes through when I show you my eScript tells me everything about whether I can trust you with anything more.

Here is something most people don't know.

When you show your eScript QR code to be scanned at a pharmacy, your mobile number comes with it.

It is 'embedded' in the script and the pharmacy captures it.

That makes sense because that number is how you receive your next repeat token (unless you opted for email).

On my first visit to a particular pharmacy for a script, they scanned the QR code in my Scripty app.

My entire interaction with the pharmacist was, "Would you like to wait or come back?"

I got my repeat eScript via SMS, picked up my medicine and left.

A few hours later, I received an SMS from this pharmacy, inviting me to download their app, to make them my preferred pharmacy.

My first thought was not, 'oh, how convenient'.

It was: 'When did I give them my mobile number?'

I was replaying the entire interaction trying to work it out.

The only way they could have my number was from the eScript - it came in with the QR code when they scanned it.

I did not see any consent disclosure - not at the counter, not on the receipt, not anywhere.

On another day, in a different pharmacy that I had been to twice, I showed them my QR code in Scripty for a new script.

"Do you want to wait or come back?"

Months later, an SMS arrived:

"Hi Mina. It's Pharmacist here. Just wanted to let you know 2026 flu shots have arrived and are available now. To book please click here [pharmacy link]."

Wait a minute, when did I give them my mobile number?

Was I suddenly going through a phase of handing out my number to everyone?

I had not opted into anything, and there was no opt-out in the message.

And I definitely did not have a personal conversation with this pharmacist to let me know when flu shots were available.

Was that a commercial message disguised as a personal message?

All of which raises a question I am not going to pretend to answer definitively: is this even permitted?

Under the Australian Privacy Act 1988, Australian Privacy Principle 6 limits how organisations use personal information - it should only be used for the primary purpose it was collected for.

"Collected for repeat script token" and "reused for app acquisition" or "reused for health campaign messages" are not the same purpose.

That is not just bad UX - that is potentially a compliance problem.

Under Australia's Spam Act 2003, every commercial electronic message requires consent (opt-in) and must include a functional unsubscribe option.

The Australian Communications and Media Authority enforces this, with fines reaching into the millions for serious breaches.

If someone had asked me whether I wanted to receive health reminders, I might have said yes.

But nobody asked - and that is the point.

I also have to ask: did the pharmacist even know their system was wired up to do this?

Consent matters - not just legally, but because trust is the foundation of the clinical relationship you are asking patients to extend to you.

Pharmacists are being asked to do more - vaccinations, consultations and expanded scope of practice.

But trust does not begin in the consultation room, it begins at the counter - in whether a patient leaves feeling like a person or a number in a campaign.

Mina Giang is the creator of active script list app Scripty and co-founder of Oexa.