A NSW Government website

Privacy and security

How patient privacy is protected

Information collected in SafeScript NSW is protected by NSW and Commonwealth privacy legislation. These legislations set out privacy principles that health practitioners and NSW Health must comply with when holding, using and disclosing personal health information.

The Poisons and Therapeutic Goods Regulation 2008 limits the health practitioners who may access SafeScript NSW and how they may use the information it holds. Only registered medical practitioners, nurse practitioners, pharmacists and dentists are eligible to access SafeScript NSW.

There are penalties under the Regulation for unlawful access, use or disclosure of information held in SafeScript NSW.

Each time a record is viewed in SafeScript NSW, a log is created and this is monitored by the Ministry of Health. If inappropriate use is detected, a health practitioner may face penalties and/or the matter may be referred to a Health Professional Council for further investigation and disciplinary action.

A Privacy Impact Assessment has been undertaken to ensure the implementation of SafeScript NSW is compliant with privacy laws.

Who has access to patient records held in SafeScript NSW

A prescriber or pharmacist is permitted to view a patient record in SafeScript NSW in the following circumstances:

  • when prescribing or supplying a monitored medicine to the patient
  • when reviewing the patient’s monitored medicine history as part of a patient consultation (e.g. when a prescriber takes a patient history or a pharmacist conducts a medication review)
  • when discussing the patient’s monitored medicine history with other registered health practitioners who are involved in that patient’s care.

While a prescriber or pharmacist does not need patient consent to view their SafeScript NSW records, it is good clinical practice to talk to the patient about what information is being accessed and how the information is being used to inform decisions about their treatment.

Authorised Ministry of Health officers also access SafeScript NSW as part of their regulatory role in ensuring the safe supply of medicines in the community. Information held in SafeScript NSW may be disclosed by the Ministry of Health but only in circumstances that are permitted under law. Examples of where the release of information may be permitted include where:

  • the person to whom the information relates consents to the release
  • it is for the purposes of legal proceedings (e.g. court order or subpoena)
  • it is for health services and authorised parties to help prevent a serious and imminent threat to someone’s life, their health or welfare
  • it is for an investigative agency where it is reasonably necessary to the complaint handling or investigation functions of the agency
  • it is for researchers for public interest research projects where release of de-identified data has been approved by a Human Research Ethics Committee and where there is a lawful basis to do so. Population health research is usually undertaken using de-identified data. The Centre for Health Record Linkage facilitates access to de-identified data using a data linkage approach that complies with all ethical, legal, privacy and confidentiality requirements.

How SafeScript NSW keeps records secure

Data encryption

Data transmitted between medical practice prescribing systems, pharmacy dispensing systems and the SafeScript NSW database is encrypted at all times and occurs through a secure, encrypted internet connection. Data stored in the SafeScript NSW database is also encrypted at all times.

Multi-factor authentication

SafeScript NSW uses contemporary security measures to safeguard data against unauthorised access. Health practitioners will be required to use multi-factor authentication (a username/password and PIN) to access the system.

Security testing

The security of the system is routinely tested and reviewed to ensure data stored in SafeScript NSW remains protected.

How a patient can access information held in SafeScript NSW

A person is entitled to request access to personal health information held about them in SafeScript NSW. An application for access needs to be made in writing. Requests for access to information will be responded to as soon as possible, or in most cases no later than 28 days  . Access may be declined in special circumstances, such as where giving access would put a person (e.g. the patient or another person) at risk of mental or physical harm.

If a person believes that their information in SafeScript NSW is incorrect, a request for amendment can be made.

To make a request to access information or for more information about requesting an amendment to information in SafeScript NSW, email safescript@health.nsw.gov.au.

In many cases an error or omission is likely to be due to an error in the prescriber’s or the pharmacist’s clinical system. A request should be made directly to the prescriber or pharmacist and when a change is made in their clinical system, the change will automatically be updated in SafeScript NSW.

How to make a privacy complaint

If an  individual (health practitioner or patient) is concerned their privacy has been breached, they can make a complaint to the Privacy Officer, Ministry of Health about how their personal and/or health information has been handled in SafeScript NSW. The complaint must be made in writing to:

Privacy Officer
NSW Ministry of Heath
Locked Bag 2030
St Leonards NSW 1590

For more information about making a complaint, contact the Privacy Officer by email: MOH-Privacy@health.nsw.gov.au.